Open mtlive opened 4 months ago
Tried the Always Send Client Claim option, along with adding the role claim for the client, and it worked.
But this wasn't necessary in Identity4 nor was it documented.
Thank you for your message, I will check it - it is strange that you are not able to access the API when your user has the correct admin role.
Yes, I have this problem even in the cloned project without touching anything.
I also experienced the same problem. I solved that issue by implementing IAuthorizationMiddlewareResultHandler.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authorization.Policy;
using Microsoft.AspNetCore.Http;

public class ICHAuthorizationMiddlewareResultHandler : IAuthorizationMiddlewareResultHandler
{
    public Task HandleAsync(RequestDelegate next, HttpContext context, AuthorizationPolicy policy, PolicyAuthorizationResult authorizeResult)
    {
        // Note: authorizeResult is never consulted, so any authenticated user passes
        // every policy (including AdministrationPolicy) regardless of role.
        var user = context.User;
        if (user?.Identity?.IsAuthenticated == true)
        {
            return next(context);
        }

        context.Response.StatusCode = StatusCodes.Status403Forbidden;
        return Task.CompletedTask;
    }
}
I don't believe this is a complete solution. I'm hoping Skoruba will come up with a better solution.
Hi guys, sorry for delay, I will check it soon.
Please try to use the following code in the Startup.cs in the Api project:
    JwtSecurityTokenHandler.DefaultMapInboundClaims = false;
Check this commit: https://github.com/skoruba/Duende.IdentityServer.Admin/commit/a43768544ae11937dd939a0a158f704619fd3eaf
Hey @skoruba - your fix solves the issue. Thank you!!!
Thank you @vpetkovic for feedback.
Describe the bug
When I send a request to an admin API (Policy = AuthorizationConsts.AdministrationPolicy attribute) I get Error 403 Unauthorized, even though the user has the admin role and the scope is the one defined for OidcApiName. Actually, it shouldn't be required to add the role claim for the client, as it is already defined for the scope. Meaning that I can't use the admin API swagger in the cloned project even with the default settings.
To Reproduce
Send a request to the admin API with an admin role user (like the admin user in the Admin API swagger).
.Net SDK version: 8.0.101
I tried to find the problem, added a role claim with the admin role value defined in appsettings.json, but to no avail. I also verified the token for the claim and it was present, but for some reason when I reviewed the claims using HttpContext.User.Claims there was no role claim among the claims. So far my only solution is to comment out the following in the admin API StartupHelper.cs:
Is there something that I did wrong or is it a bug?
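The mechanism behind the DefaultMapInboundClaims fix above, as an added console example that is not code from the thread or from the Skoruba project: it mints a token carrying the short "role" claim type and validates it with JwtSecurityTokenHandler (package System.IdentityModel.Tokens.Jwt) with inbound claim mapping on (the default) and off, showing why the role claim seems to vanish from HttpContext.User.Claims. Issuer, audience, signing key and the admin role value are constructed placeholders.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;
public static class RoleClaimMappingDemo
{
    // Constructed demo values; a real API validates against the IdentityServer signing key.
    private const string AdminRole = "admin";
    private static readonly SymmetricSecurityKey Key =
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes("demo-only-key-must-be-at-least-32-bytes!!"));
    // Mint a token carrying the short "role" claim type, as IdentityServer does.
    public static string IssueToken()
    {
        var token = new JwtSecurityToken(
            issuer: "https://idsrv.example", audience: "demo_api",
            claims: new[] { new Claim("sub", "1"), new Claim("role", AdminRole) },
            expires: DateTime.UtcNow.AddMinutes(5),
            signingCredentials: new SigningCredentials(Key, SecurityAlgorithms.HmacSha256));
        return new JwtSecurityTokenHandler().WriteToken(token);
    }
    // Validate the token with inbound claim mapping switched on or off.
    public static ClaimsPrincipal Validate(string jwt, bool mapInboundClaims)
    {
        var handler = new JwtSecurityTokenHandler { MapInboundClaims = mapInboundClaims };
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = "https://idsrv.example",
            ValidAudience = "demo_api",
            IssuerSigningKey = Key,
            // With mapping off the role stays under "role", so the identity must be told that
            // "role" is its role claim type or IsInRole/RequireRole will not find it.
            RoleClaimType = mapInboundClaims ? ClaimTypes.Role : "role",
        };
        return handler.ValidateToken(jwt, parameters, out _);
    }
    public static void Main()
    {
        var jwt = IssueToken();
        foreach (var map in new[] { true, false })
        {
            var principal = Validate(jwt, map);
            Console.WriteLine($"MapInboundClaims={map}");
            foreach (var c in principal.Claims) Console.WriteLine($"  {c.Type} = {c.Value}");
            // Mapping on renames "role" to the long ClaimTypes.Role URI, so a check for the short type fails.
            Console.WriteLine($"  HasClaim(\"role\", \"{AdminRole}\") = {principal.HasClaim("role", AdminRole)}");
            Console.WriteLine($"  IsInRole(\"{AdminRole}\") = {principal.IsInRole(AdminRole)}");
        }
    }
}
```

With mapping on, the role is listed under http://schemas.microsoft.com/ws/2008/06/identity/claims/role and HasClaim("role", ...) is false; with mapping off it keeps the short type, and the RoleClaimType setting is what keeps a RequireRole policy working.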