the roles of a ClaimsPrincipal
are actually just claims create with a type of ClaimsIdentity.RoleClaimType
. By default, this is given by ClaimType.Role
, which is the string http://schemas.microsoft.com/ws/2008/06/identity/claims
. When a user is authenticated appropriate claims are added for their roles which can be found later as required.
It's worth bearing this in mind if you have difficult with AuthorizeAttributes
not working. Most external identity providers will use a different set of claims representing role, name etc that do not marry up with the values used by Microsoft in the ClaimType
class. As Dominick Baier discusses on his blog, this can lead to situations where claims are not translated and so users can appear to not be in a given role. If you run into issues where your authorisation does not appear to working correctly, I strongly recommend you check out his post for all the details.
http://andrewlock.net/introduction-to-authorisation-in-asp-net-core/
https://leastprivilege.com/2016/08/21/why-does-my-authorize-attribute-not-work/