Question regarding the role claim and multi-value mapper functionality

[agkoutis]

Hello !

I am currently testing the new functionality with multi-value scopes.

Please note that when I return one role claim everything works fine.

What I have done so far is added on user 2 claims with key "role".
In the client service registration, I have used the ClaimActions.MapAll(); and in the scope request I added a scope "role".

So in principle claims i have a result => "role" : [xxx-global-admin,yyy-global-admin]

Right now i am getting :

RolesAuthorizationRequirement: User.IsInRole must be true for one of the following roles: (xxx-global-admin)

So my question is the following :

a)Is this a normal behaviour?
b) Would be better if the role claim in the access token and user info response was a repeatable key like the aud claim?

options.Events = new CookieAuthenticationEvents()
{
OnValidatePrincipal = async context =>
{
await Task.CompletedTask;
}
};
c) do I need to write a custom IsInRole function validation to work with the current implementation?

[simpleidserver]

a). For some reason, the NuGet Package Microsoft.AspNetCore.Authentication.OpenIdConnect is filtering the claims coming from the userinfo endpoint.

By default, the following claims are included in the ClaimsIdentify, and the claims included in the id_token are mapped by default:

• sub
• name
• given_name
• family_name
• profile
• email

If there are some claims missing, you must either add a custom ClaimAction or include the following statement:

config.ClaimActions.MapJsonKey(ClaimTypes.Role, "role");

Thanks to this statement, two new claims will be added to the UserIdentity.

For more information, please refer to the official documentation : https://learn.microsoft.com/en-us/aspnet/core/security/authentication/claims?view=aspnetcore-8.0#mapping-claims-using-openid-connect-authentication

b). In all other Identity Server implementations, such as Keycloak, the role claim is returned as an an array of strings, not as a concatenated list of strings.
Unlike the aud claim, the format of the role claim is not defined by any RFC.
In SimpleIdServer, I have tried to align with other OPENID implementations :).

c). If you use the statement above, there is no need to write a custom IsInRole function.
I obtained the following claims :

[agkoutis]

Hello, as always, thanks for the help & fast reply!

Yes, I'm currently getting those claims as you described, but it seems that the policy builder of SID admin is failing.

services.AddAuthorization(config =>
{
var policyBuilder = new AuthorizationPolicyBuilder().RequireAuthenticatedUser();

            if (!string.IsNullOrEmpty(defaultSecurityOptions.RequiredRole))
            {
                string[] roles = defaultSecurityOptions.RequiredRole
                    .Split(' ', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.RemoveEmptyEntries);
                policyBuilder.RequireRole(roles);
            }

            config.FallbackPolicy = policyBuilder.Build();
        });

But, changing the config.ClaimActions.MapJsonKey(ClaimTypes.Role, "role"); with config.ClaimActions.MapJsonKey("role", "role"); everything works as expected !