Roles in ASP.NET System.Web sample

I am trying to use the sample code to authenticate users in my site which I have successfully done.

However, in the sample there is some commented out code that is related to roles and claims. When I uncomment these, the fields they try to access do not exist.

e.g.

    // NOTE: Uncomment the following code in order to include claims from associated identities
    profile.Identities.ToList().ForEach(i =>
    {
        user.Add(new KeyValuePair<string, object>(i.Connection + ".access_token", i.AccessToken));
        user.Add(new KeyValuePair<string, object>(i.Connection + ".provider", i.Provider));
        user.Add(new KeyValuePair<string, object>(i.Connection + ".user_id", i.UserId));
    });

But the profile object doesn’t have an Identities field, likewise,

    // NOTE: uncomment this if you send roles
    user.Add(new KeyValuePair<string, object>(ClaimTypes.Role, profile.ExtraProperties["roles"]));

the profile doesn’t have an ExtraProperties field

What am I doing wrong here?

At this time you could say there are two flavours of the authentication API that can be used: the legacy one and the new flows generally referred to as OIDC compliant or API Authorization related. There are some changes between the legacy flows and the new ones, and one of those changes is that by default the user (profile) information returned to the client application complies with the claims defined as part of the OIDC specification.

The above means that in the new flows, there’s less information returned by default when the client asks for user information. One of the pieces of information that will not be returned is the identities section so (assuming you’re using the new flows which you should) this explains why profile.Identities is not available.

In addition to only sending standard OIDC information you can include custom information both in the token and as part of the response to the /userinfo endpoint; however, this custom information needs to be included within namespaced claims. Before, you could include a roles claim, which is not defined in the standard, but now if you want to include roles information you would need to do it with a namespaced claim like https://example.com/roles. See more about this at: OpenID Connect Scopes

The use of a namespaced claim would also mean that you would likely need to update the extra properties code section to query the custom claims instead of just roles.
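
One way to read roles from a namespaced claim and map them to ClaimTypes.Role, shown as an added example that is not part of the sample or of the answer above. It assumes the profile is the JSON returned by /userinfo, that roles are emitted under https://example.com/roles (the placeholder namespace from the answer), and that System.Text.Json is referenced; the class and method names are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Text.Json;

public static class NamespacedRoles
{
    // Assumption: the namespace under which your identity provider emits roles.
    public const string RolesClaim = "https://example.com/roles";

    // Returns one ClaimTypes.Role claim per role found under the namespaced claim.
    public static List<Claim> ToRoleClaims(string userInfoJson)
    {
        using (JsonDocument doc = JsonDocument.Parse(userInfoJson))
        {
            JsonElement roles;
            if (!doc.RootElement.TryGetProperty(RolesClaim, out roles))
                return new List<Claim>();   // claim absent: grant no roles

            // Accept either a JSON array of roles or a single string value.
            IEnumerable<JsonElement> items;
            if (roles.ValueKind == JsonValueKind.Array) items = roles.EnumerateArray();
            else items = new[] { roles };

            return items
                .Where(r => r.ValueKind == JsonValueKind.String)   // skip non-string entries
                .Select(r => r.GetString())
                .Where(r => !string.IsNullOrWhiteSpace(r))
                .Distinct(StringComparer.Ordinal)
                .Select(r => new Claim(ClaimTypes.Role, r))
                .ToList();   // materialize before the JsonDocument is disposed
        }
    }

    public static void Main()
    {
        // Constructed sample profile: one un-namespaced "roles" entry and one namespaced claim.
        string json = "{\"sub\":\"constructed|123\",\"name\":\"Jane\","
                    + "\"roles\":[\"admin\"],"
                    + "\"https://example.com/roles\":[\"editor\",\"viewer\"]}";

        var principal = new ClaimsPrincipal(new ClaimsIdentity(ToRoleClaims(json), "ExampleIdP"));

        // Only the namespaced claim is honoured; the bare "roles" entry is ignored.
        Console.WriteLine("editor: " + principal.IsInRole("editor"));
        Console.WriteLine("admin:  " + principal.IsInRole("admin"));
    }
}
```

Reading roles only from the exact namespaced key means a stray top-level `roles` property in the profile can never grant access, and a missing claim results in an identity with no roles rather than an exception.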