Authorize Policy attribute always returns 403 forbidden using .net core Identity and JwtBearerAuthentication
The answer is in this MSDN blog post:
Authorizing based on roles is available out-of-the-box with ASP.NET Identity. As long as the bearer token used for authentication contains a roles element, ASP.NET Core’s JWT bearer authentication middleware will use that data to populate roles for the user.
So, a roles-based authorization attribute (like [Authorize(Roles = "Manager,Administrator")] to limit access to managers and admins) can be added to APIs and work immediately.
So I added an element to my access token object called roles:
private string GetAccessToken(string userRole)
{
    // The JWT payload; the "roles" entry is what the JwtBearer middleware
    // maps to the user's role claims, so [Authorize(Roles = "...")] can match it.
    var payload = new Dictionary<string, object>
    {
        ...
        { "roles", userRole }
    };
    return GetToken(payload);
}