skoruba / Duende.IdentityServer.Admin

The administration for the Duende IdentityServer and Asp.Net Core Identity ⚡
Apache License 2.0

Access Denied when adding a custom Profile Service #116

Open apetrut opened 1 year ago

apetrut commented 1 year ago

I created a custom ProfileService that adds a list of tenant IDs to the JWT token (see below):

jwt_tenants

When I try to load the IdentityServer Admin page I get this error:

image

@skoruba can you indicate what's causing the issue? If I remove the custom profile service, the Admin page loads fine.

Thanks.

skoruba commented 1 year ago

Hi, the "role" claim is missing for administration.

apetrut commented 1 year ago

Hi,

I have added the list of roles like this:

var roleClaims = context.Subject.FindAll(JwtClaimTypes.Role);
context.IssuedClaims.AddRange(roleClaims);

and it worked.

Thanks a lot.
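
Added example (not part of the original thread and not the project's own code): a custom profile service that issues tenant claims and still forwards the "role" claims the Admin UI authorizes on, following the fix described in the comment above. `ITenantStore`, `TenantProfileService` and the `"tenant"` claim type are hypothetical names chosen for illustration.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Duende.IdentityServer.Extensions;
using Duende.IdentityServer.Models;
using Duende.IdentityServer.Services;
using IdentityModel; // assumption: JwtClaimTypes comes from the IdentityModel package

// Hypothetical tenant lookup; stands in for wherever tenant membership is stored.
public interface ITenantStore
{
    Task<IReadOnlyCollection<string>> GetTenantIdsAsync(string subjectId);
}

public class TenantProfileService : IProfileService
{
    private const string TenantClaimType = "tenant"; // assumed claim name
    private readonly ITenantStore _tenants;

    public TenantProfileService(ITenantStore tenants) => _tenants = tenants;

    public async Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        // Custom part: one claim per tenant the user belongs to.
        var tenantIds = await _tenants.GetTenantIdsAsync(context.Subject.GetSubjectId());
        context.IssuedClaims.AddRange(tenantIds.Select(id => new Claim(TenantClaimType, id)));

        // A custom profile service decides the full set of issued claims, so the
        // role claims must be copied over explicitly or the token carries no "role".
        var alreadyIssued = new HashSet<string>(context.IssuedClaims
            .Where(c => c.Type == JwtClaimTypes.Role)
            .Select(c => c.Value));
        var roleClaims = context.Subject.FindAll(JwtClaimTypes.Role)
            .Where(c => alreadyIssued.Add(c.Value)) // skip duplicates
            .ToList();
        context.IssuedClaims.AddRange(roleClaims);
    }

    public Task IsActiveAsync(IsActiveContext context)
    {
        // Assumption: no lockout or disabled-account check in this example.
        context.IsActive = true;
        return Task.CompletedTask;
    }
}
```

Only the role claims are forwarded here; any other claim the previous profile service issued also has to be added explicitly if clients depend on it.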

apetrut commented 1 year ago

Hi @skoruba,

I have added the correct role id from a custom ProfileService as below:

image

but I am still getting the Access Denied screen.

The error looks like this:

User.IsInRole must be true for one of the following roles: (MyRole) .

Can you confirm which role is the correct role?

The role id: 8a7173f8-4502-4967-97e6-b0ae5046d267 which is "MyRole" exists in the list (see the screenshot).