dotnet / dotnet-api-docs

.NET API reference documentation (.NET 5+, .NET Core, .NET Framework)
https://docs.microsoft.com/dotnet/api/

RolePrincipal.IsInRole not checking "roles" claim. #10477

Open ManelBH opened 2 months ago

ManelBH commented 2 months ago

Type of issue

Code doesn't work

Description

I have a JWT that looks like this:

{
  "aud": "xxx",
  "iss": "https://login.microsoftonline.com/xxx/v2.0",
  ...,
  "azp": "xxx",
  "roles": [
    "my_role"
  ],
  ...
  "ver": "2.0"
}

This token is processed by the Azure Application Service Authentication layer and I can see the "roles" claim defined in my ClaimsPrincipal. Therefore when I run:

HttpContext.User.IsInRole("my_role");

I was expecting this to return true but it returns false. It's not really clear in the docs why this wouldn't work.

Page URL

https://learn.microsoft.com/en-us/dotnet/api/system.web.security.roleprincipal.isinrole?view=netframework-4.8.1

Content source URL

https://github.com/dotnet/dotnet-api-docs/blob/main/xml/System.Web.Security/RolePrincipal.xml

Document Version Independent Id

adcabe65-9e9e-0eb4-20fc-766acfea926e

Article author

@Rick-Anderson

dotnet-issue-labeler[bot] commented 2 months ago

I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label.

bartonjs commented 2 months ago

This sounds more like a functional bug than a documentation bug. Looking at the source of RoleProvider.IsInRole, it seems that the bug really belongs with whatever concrete IIdentity type you're using. Do you know what type that is?

ManelBH commented 2 months ago

Looking at the source of

Then the documentation wasn't enough to understand how this works, was it?

ManelBH commented 2 months ago

Ok now I realize this isn't a RolePrincipal but a ClaimsPrincipal, the ClaimsPrincipal page says something about this indeed.

ManelBH commented 2 months ago

The ClaimsPrincipal page shed some light on it. This:

req.HttpContext.User.Identities.Select(x => x.RoleClaimType);

Has only this type (appearing twice): http://schemas.microsoft.com/ws/2008/06/identity/claims/role. That's why it doesn't work. It's still unclear to me why "roles" isn't checked, given that's how it's defined in Microsoft's own token; now it does look like a bug. How is it decided which RoleClaimTypes to use?

bartonjs commented 2 months ago

How is it decided which RoleClaimTypes to use?

That's a question for the specific class. ClaimsPrincipal.IsInRole just answers the logical or of all of the ClaimsIdentity.HasClaim calls; so it's a function of what the specific ClaimsIdentity implementation (or other IIdentity that the ClaimsIdentity is wrapping) does to populate the Claims collection.
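
A stand-alone C# illustration of the mechanism described in this thread, added here as an example (it is not code from the thread, from the .NET docs, or from the Azure authentication layer). The same constructed claims are loaded twice: once into a ClaimsIdentity that keeps the default RoleClaimType (ClaimTypes.Role, the WS-* URI above), and once into one constructed with roleType "roles". The claim values are placeholders.

```csharp
using System;
using System.Linq;
using System.Security.Claims;

static class RoleClaimDemo
{
    // Constructed sample: the token's claims as a flat list, with the role
    // claim under the type "roles" exactly as the issuer emits it.
    static readonly Claim[] TokenClaims =
    {
        new Claim("iss", "https://login.microsoftonline.com/xxx/v2.0"),
        new Claim("roles", "my_role"),
    };

    // Default construction: RoleClaimType stays ClaimTypes.Role, i.e.
    // "http://schemas.microsoft.com/ws/2008/06/identity/claims/role".
    // IsInRole only looks for claims of that type, so "roles" is never consulted.
    static bool IsInRoleWithDefaultRoleType(string role)
    {
        var identity = new ClaimsIdentity(TokenClaims, "Bearer");
        return new ClaimsPrincipal(identity).IsInRole(role);   // false
    }

    // Same claims, but the identity is told that role claims carry the type
    // "roles". ClaimsPrincipal.IsInRole delegates to each identity's HasClaim
    // (RoleClaimType, role), so the check now succeeds.
    static bool IsInRoleWithMappedRoleType(string role)
    {
        var identity = new ClaimsIdentity(TokenClaims, "Bearer",
            nameType: ClaimTypes.Name, roleType: "roles");
        return new ClaimsPrincipal(identity).IsInRole(role);   // true
    }

    static void Main()
    {
        var principal = new ClaimsPrincipal(new ClaimsIdentity(TokenClaims, "Bearer"));
        // The diagnostic used in the thread: which role claim type each identity uses.
        Console.WriteLine(string.Join(", ",
            principal.Identities.Select(i => i.RoleClaimType)));
        Console.WriteLine(IsInRoleWithDefaultRoleType("my_role"));
        Console.WriteLine(IsInRoleWithMappedRoleType("my_role"));
    }
}
```

The mismatch fails closed (authorization is denied rather than granted), so the fix belongs in whatever builds the ClaimsIdentity, by passing the issuer's role claim type there rather than by loosening the IsInRole check.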

dotnet-policy-service[bot] commented 1 month ago

Tagging subscribers to this area: @dotnet/area-system-security, @vcsjones