simpleidserver / SimpleIdServer

OpenID, OAuth 2.0, SCIM2.0, UMA2.0, FAPI, CIBA & OPENBANKING Framework for ASP.NET Core
https://simpleidserver.com/
Apache License 2.0
708 stars 92 forks

How can I get the roles associated with a user? #525

Closed lechediaz closed 1 year ago

lechediaz commented 1 year ago

Hello friend,

I have created a role in my client, added it to a group and then associated it to a user, but I can't get the role.

I created a scope of type Identity Resource and added it to my client, but it does not work in either the singular or the plural form.

[screenshot]

[screenshot]

It doesn't come in the access_token, so I supposed I could look it up in the userinfo_endpoint, but it doesn't come up there either.

[screenshot]

In the discovery endpoint there is no endpoint where I could get this data.

lechediaz commented 1 year ago

I tried to save the scopes as API Resource type and it didn't work either.

lechediaz commented 1 year ago

I found that in the UserInfo controller there is a call to the ClaimsExtractor.ExtractClaims method and I think the problem is in getting the FullPath of the group, because it is splitting by dot "." instead of slash "/".

[screenshot]

Tomorrow I will try to validate, if I find anything I will let you know.

simpleidserver commented 1 year ago

Hello,

There is no role in the claims because you probably didn't assign roles to the group.

A client can have one or more roles; they are used to define the permissions of your application, for example: administrator, guest, etc. They can be added in the Client \ Roles screen. In your use case, the roles must be added to the condominiums client.

[screenshot]

Once the roles are created, navigate to the group and assign one or more roles.

[screenshot]

You can check the roles of a user by clicking on the Resolve roles checkbox. Resolved roles are highlighted in green.

[screenshot]

lechediaz commented 1 year ago

My client has two roles:

[screenshot]

I've assigned the role to the group:

[screenshot]

I assigned this group to my user:

[screenshot]

That action created three claims:

[screenshot]

Previously I had not checked the Resolve roles box, now I did and saved, then it created another claim.

[screenshot]

Yet all this still does not bring me the role in the UserInfo endpoint.

[screenshot]

simpleidserver commented 1 year ago

The issue about duplicate roles has been fixed (Ticket #526).

Fetch the latest changes from the branch origin/master and remove all the roles of the user. In the role scope, add a mapping rule: click on the Add mapper button. In the popup window, select Attribute and click on Next:

[screenshot]

Complete the form like this and click on Save:

[screenshot]

Now, the role scope should be configured.

lechediaz commented 1 year ago

Okay friend, I'll try it and let you know.

lechediaz commented 1 year ago

Hello,

After I got the changes and did what you told me to do, I assigned the group (with the previously associated role) to the user:

[screenshot]

Then checked the Resolve roles box and saved:

[screenshot]

Now the UserInfo endpoint already brings me the role! :D But it does it twice.

[screenshot]

Then what I did was delete the "role" claim on the user:

[screenshot]

[screenshot]

Then, when the access_token is created, it apparently creates the claim again; maybe that is what produces the "role" key twice in the UserInfo endpoint.

[screenshot]

[screenshot]

Still, it was a breakthrough and I could continue working on my project.

Thank you very much

simpleidserver commented 1 year ago

First, thank you for your feedback :) Roles are duplicated when you're trying to get an access token because the EF Change Tracker detects changes on the user and saves the result.

The issue is fixed in the master branch & it is linked to this problem #526.

Can you please fetch the latest changes made on the master branch?
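The behaviour the maintainer describes above (roles assigned to a client, attached to a group, resolved onto the user, and then written out as duplicate claims on every token request before #526) boils down to whether the step that materialises resolved roles as user claims is idempotent. The following is an added example, not SimpleIdServer's code: a minimal, hypothetical data model (Client roles, Group, User, Claim are assumed names) with a resolve-and-sync routine that adds a role claim only when the user does not already carry it, beside the naive append that reproduces the duplication.

```python
"""
Added example (not SimpleIdServer code): resolve the roles a user inherits
through group membership and merge them into the user's claims without
creating a new claim on every call. The model below (roles defined on a
client, groups carrying roles, users carrying groups and claims) mirrors the
thread's description; every class and field name is an assumption.
"""
from dataclasses import dataclass, field

ROLE_CLAIM = "role"


@dataclass(frozen=True)
class Claim:
    type: str
    value: str


@dataclass
class Group:
    name: str
    # Names of client roles assigned to this group, e.g. "administrator".
    roles: frozenset = frozenset()


@dataclass
class User:
    name: str
    groups: list = field(default_factory=list)
    claims: list = field(default_factory=list)


def resolve_roles(user: User) -> set:
    """Union of the roles carried by every group the user belongs to."""
    roles = set()
    for group in user.groups:
        roles |= set(group.roles)
    return roles


def role_claims(user: User) -> list:
    """Values of the user's role claims, in storage order (duplicates kept)."""
    return [c.value for c in user.claims if c.type == ROLE_CLAIM]


def naive_sync_role_claims(user: User) -> int:
    """The failure mode from the thread: append a role claim for every
    resolved role unconditionally, so each token request adds another copy."""
    added = 0
    for role in sorted(resolve_roles(user)):
        user.claims.append(Claim(ROLE_CLAIM, role))
        added += 1
    return added


def sync_role_claims(user: User) -> int:
    """Idempotent variant: add a role claim only for resolved roles the user
    does not already carry. Returns the number of claims added; a second call
    on an unchanged user returns 0 and leaves the claim list untouched.
    Existing role claims that no group grants are deliberately left alone,
    since they may have been assigned directly rather than via a group."""
    existing = set(role_claims(user))
    added = 0
    for role in sorted(resolve_roles(user) - existing):
        user.claims.append(Claim(ROLE_CLAIM, role))
        added += 1
    return added


if __name__ == "__main__":
    # Constructed sample: two client roles, one group per role, one user.
    admins = Group("admins", frozenset({"administrator"}))
    guests = Group("guests", frozenset({"guest"}))
    alice = User("alice", groups=[admins, guests])
    print(sync_role_claims(alice), role_claims(alice))   # 2 ['administrator', 'guest']
    print(sync_role_claims(alice), role_claims(alice))   # 0 ['administrator', 'guest']
```

The difference between the two sync functions is exactly what a "token request creates another claim" report points at: anything that runs per request and persists state must compare against what is already stored rather than blindly append, regardless of whether the persistence happens explicitly or through an ORM change tracker.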

lechediaz commented 1 year ago

OK, I'll try it and let you know.

lechediaz commented 1 year ago

Hello,

Okay, I got the changes but unfortunately the problem persists.

[screenshot]

Then I deleted my user's claims:

[screenshot]

[screenshot]

Then, I requested a new token and called the UserInfo endpoint and the role appears twice:

[screenshot]

I checked, and indeed it re-created the claim on the user.

[screenshot]

If I request another token it creates another claim and a third role in the UserInfo:

[screenshot]
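From the client's side, the duplicated role seen above is a reminder that a userinfo response should be checked, not just deserialised. Depending on how the server serialises a repeated claim, "role" can arrive either as a repeated JSON key (which json.loads silently collapses to the last value) or as a list with repeated entries. The following is an added example, not code from SimpleIdServer or from this thread: it parses a constructed userinfo body while recording duplicate keys, normalises the role claim to a deduplicated list, and also checks that the "sub" matches the subject the client already holds from its ID token, which OpenID Connect Core 5.3.2 requires before the claims are trusted. The sample body and the claim names are assumptions.

```python
"""
Added example (not SimpleIdServer code): validate a userinfo response before
trusting its role claim. Handles the two ways a duplicated role can show up
(repeated "role" key, or a list with repeated values) and enforces the
subject check from OpenID Connect Core section 5.3.2.
"""
import json
from collections import Counter

# Constructed samples, not captured from a real server.
SAMPLE_DUP_KEY = '{"sub":"lechediaz","name":"Leche","role":"administrator","role":"administrator"}'
SAMPLE_DUP_LIST = '{"sub":"lechediaz","role":["administrator","administrator","guest"]}'
SAMPLE_CLEAN = '{"sub":"lechediaz","role":"guest"}'


def parse_userinfo(body: str):
    """Parse JSON like json.loads (last duplicate key wins) but also return a
    map of key -> number of occurrences for every key that appeared more
    than once in any object of the document."""
    duplicates = Counter()

    def hook(pairs):
        for key, n in Counter(k for k, _ in pairs).items():
            if n > 1:
                duplicates[key] += n
        return dict(pairs)

    return json.loads(body, object_pairs_hook=hook), dict(duplicates)


def roles_from_claims(claims: dict) -> list:
    """Normalise the role claim: absent -> [], "x" -> ["x"],
    ["x","x","y"] -> ["x","y"] (order preserved, duplicates dropped)."""
    raw = claims.get("role")
    if raw is None:
        return []
    if isinstance(raw, str):
        return [raw]
    if isinstance(raw, list):
        out = []
        for r in raw:
            if not isinstance(r, str):
                raise ValueError("role list contains a non-string entry")
            if r not in out:
                out.append(r)
        return out
    raise ValueError(f"unexpected role claim type {type(raw).__name__}")


def verify_userinfo(body: str, expected_sub: str):
    """Return (roles, warnings). Raises ValueError when the response must not
    be trusted (subject mismatch or missing), per OIDC Core 5.3.2."""
    claims, dups = parse_userinfo(body)
    if claims.get("sub") != expected_sub:
        raise ValueError("userinfo sub does not match the ID token subject")
    warnings = []
    if dups:
        warnings.append(f"duplicate JSON keys in userinfo: {sorted(dups)}")
    roles = roles_from_claims(claims)
    raw = claims.get("role")
    if isinstance(raw, list) and len(raw) != len(roles):
        warnings.append("role list contained repeated values")
    return roles, warnings


if __name__ == "__main__":
    for sample in (SAMPLE_DUP_KEY, SAMPLE_DUP_LIST, SAMPLE_CLEAN):
        print(verify_userinfo(sample, "lechediaz"))
```

The warnings do not reject the response, because a repeated role is a server-side bookkeeping bug rather than a forgery; logging them is what surfaces the kind of regression discussed in this thread. The subject mismatch, by contrast, is a hard failure: a client that skips it will happily attach one user's roles to another user's session.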

simpleidserver commented 1 year ago

Strange, with the latest changes the issue cannot be reproduced on my local machine. Did you rebuild the Docker image and deploy the latest version to your server? When the auth code flow is used to get an access token and the userinfo endpoint is called, there is no duplicate role in the [dbo].[UserClaims] table.

lechediaz commented 1 year ago

mmm I'll check it again.

lechediaz commented 1 year ago

Oh, I'm so sorry, you were right: I had failed to load the correct image.tar file. It's working well now.

I also noticed that it is not necessary to check the Resolve roles checkbox; the attribute mapping is enough, and that is great (I don't know if the functionality of this checkbox is deprecated then).

[screenshot]

Thank you!