Blazor WASM permission based Authorization

I wish to authorise a user based on the permissions assigned by their roles (using RBAC) in Blazor; in other words, display portions of the UI based on user permissions. RBAC and "permission to be added" are enabled.
We were able to get it working on the backend (.NET Core 6); however, we are having an issue with the frontend (WASM).

After a user logs in to the app, a cookie is saved with the ID token and access token.
The ID token has the user's assigned roles but lacks the assigned permissions.
The access token has both the user roles and the permissions.
The following has been done to set up the Blazor client:
1- added the following code to Program.cs
builder.Services.AddOidcAuthentication(options => {
builder.Configuration.Bind("Auth0", options.ProviderOptions);
options.ProviderOptions.ResponseType = "code";
options.ProviderOptions.AdditionalProviderParameters.Add("audience", builder.Configuration["Auth0:Audience"]);
}).AddAccountClaimsPrincipalFactory<ArrayClaimsPrincipalFactory>();

builder.Services.AddAuthorizationCore(options =>
options.AddPolicy("admin", policy => policy.RequireClaim("permissions", "read:user")));

2- added the following attribute to the view page
@attribute [Authorize(Policy = "admin")]

After running the app, the following information is written to the Chrome console and the page shows that the user is not authorized.
Shown in the console:
info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2]
Authorization failed. These requirements were not met:
ClaimsAuthorizationRequirement:Claim.Type=permissions and Claim.Value is one of the following values: (read:user)

After investigation, I found that since Authorize(Policy = "admin") looks for permissions in the ID token rather than the access token, it fails.

Please advise how to overcome this issue.
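Since the policy in the question is evaluated against the claims of the browser-side principal, which the stock OIDC handler builds from the ID token, one way to make `RequireClaim("permissions", "read:user")` succeed in the client is a custom `AccountClaimsPrincipalFactory` that reads the cached access token and copies its `permissions` array into the principal. The class below is an added example, not code from the question or from Auth0; `PermissionsClaimsPrincipalFactory`, `ReadPermissions` and `Base64UrlDecode` are hypothetical names, and it assumes the Blazor WebAssembly authentication package (`Microsoft.AspNetCore.Components.WebAssembly.Authentication`) and that the access token is a JWT, which is what Auth0 issues when the `audience` parameter from the question is sent.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Components.WebAssembly.Authentication;
using Microsoft.AspNetCore.Components.WebAssembly.Authentication.Internal;

// Hypothetical replacement for the ArrayClaimsPrincipalFactory registered in the
// question. After the base factory has built the principal from the ID token, it
// requests the cached Auth0 access token and copies its "permissions" array into
// the principal as "permissions" claims, the claim type the "admin" policy checks.
public class PermissionsClaimsPrincipalFactory : AccountClaimsPrincipalFactory<RemoteUserAccount>
{
    private const string PermissionsClaimType = "permissions";

    public PermissionsClaimsPrincipalFactory(IAccessTokenProviderAccessor accessor)
        : base(accessor) { }

    public override async ValueTask<ClaimsPrincipal> CreateUserAsync(
        RemoteUserAccount account, RemoteAuthenticationUserOptions options)
    {
        var user = await base.CreateUserAsync(account, options);
        if (user.Identity is not ClaimsIdentity identity || !identity.IsAuthenticated)
            return user;

        // Silently obtains the cached access token; no token means no permissions.
        var result = await TokenProvider.RequestAccessToken();
        if (!result.TryGetToken(out var accessToken))
            return user;

        foreach (var permission in ReadPermissions(accessToken.Value))
        {
            if (!identity.HasClaim(PermissionsClaimType, permission))
                identity.AddClaim(new Claim(PermissionsClaimType, permission));
        }
        return user;
    }

    // Extracts the "permissions" array from a JWT payload. Returns an empty list for
    // opaque (non-JWT) tokens and for tokens without that claim. The signature is
    // deliberately not verified here: the browser cannot enforce authorization, so
    // these claims only drive UI visibility; the API must validate the token itself.
    public static IReadOnlyList<string> ReadPermissions(string jwt)
    {
        var permissions = new List<string>();
        var parts = jwt.Split('.');
        if (parts.Length != 3) return permissions;

        JsonDocument payload;
        try
        {
            payload = JsonDocument.Parse(Base64UrlDecode(parts[1]));
        }
        catch (Exception ex) when (ex is FormatException || ex is JsonException)
        {
            return permissions; // malformed token: treat as carrying no permissions
        }

        using (payload)
        {
            if (!payload.RootElement.TryGetProperty(PermissionsClaimType, out var claim))
                return permissions;

            // Auth0 emits an array when "Add Permissions in the Access Token" is on;
            // a single string is tolerated as well.
            if (claim.ValueKind == JsonValueKind.Array)
            {
                foreach (var item in claim.EnumerateArray())
                    if (item.ValueKind == JsonValueKind.String) permissions.Add(item.GetString()!);
            }
            else if (claim.ValueKind == JsonValueKind.String)
            {
                permissions.Add(claim.GetString()!);
            }
        }
        return permissions;
    }

    private static byte[] Base64UrlDecode(string input)
    {
        var s = input.Replace('-', '+').Replace('_', '/');
        s = (s.Length % 4) switch { 2 => s + "==", 3 => s + "=", _ => s };
        return Convert.FromBase64String(s);
    }
}

// Program.cs registration, replacing ArrayClaimsPrincipalFactory from the question:
// builder.Services.AddOidcAuthentication(options => { /* as in the question */ })
//        .AddAccountClaimsPrincipalFactory<PermissionsClaimsPrincipalFactory>();
```

The factory only changes what the Blazor client can see; `[Authorize(Policy = "admin")]` in WebAssembly hides UI and does not protect data, so the same `permissions` check must remain on the .NET API, where the token signature and audience are actually validated.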

Same issue. It appears the user claims aren't populated. var scopes = context.User.FindFirst(c => c.Type == "scope" && c.Issuer == requirement.Issuer) from HasScopeHandler can't find a claim.

Has anyone been able to help with this? I have the same issue: not seeing permissions in the .NET 7 client app, but they are available in my .NET 7 API.

This seems to be by design. ID tokens don't contain permissions. Anyone at Auth0 having thoughts on this? How do I block a route, part of a page, or a whole page based on permissions?

Hi @p.hezaveh and everyone!

Indeed, the ID token does not contain claims such as the user roles. In order for you to have access to them inside the ID Token, you would need to set them as custom claims using a post login action:

exports.onExecutePostLogin = async (event, api) => {
  // Standard .NET role claim type, so the Blazor client maps it to IsInRole
  const roleClaim = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role';

  // event.authorization is only present when the user has been authorized
  if (event.authorization) {
    api.idToken.setCustomClaim(roleClaim, event.authorization.roles);
  }
};

You can take a look at this blog post made by one of our developers, Andrea Chiarelli regarding building a WASM application with RBAC:

Hope this helps!

If you have any other questions, feel free to leave a reply or post again on the community!

Kind Regards,
Nik