RBAC Permissions Handler doesn't work with Token at all

I’ve followed this tutorial and it doesn’t work.
Also followed this too and still no joy.
And this with the same result.

The problem is the AuthenticationHandler always appears to be void of any claims or user info. I’ve turned on rbac, created a number of permissions and checked the option to include them in the token. Checking the token on jwt.io I can clearly see the permissions. Yet, when I debug my application the context.User.Claims is consistently empty. I have spent a considerable amount of time reading and I’m yet to get this working which is incredibly frustrating. I’ve turned on Implicit, Password & Client Credentials…no joy. I’ve tried configuring Swagger which appears to work but once again the context.user.Claims is empty. Postman…same thing.

What am I missing? It should not be this complicated to configure…I could’ve written my own complete with a form by now. Even the basic vanilla getting started link above with the HasScopeHandler context.User.Claims is empty out of the box so I’m at a loss.

program.cs

    var domain = $"https://{configuration["Auth0:Domain"]}/";
    var audience = configuration["Auth0:Audience"];
    builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = domain;
        options.Audience = audience;
        options.TokenValidationParameters = new TokenValidationParameters
        {
            NameClaimType = ClaimTypes.NameIdentifier
        };
    });

    builder.Services.AddAuthorization(options =>
    {
        options.AddPolicy("Admin", policy => policy.Requirements.Add(new DataToolsRoleRequirement(new[] { "Admin", "Non-Admin", "Read-Only" }, domain)));
    });

handler

    public class DataToolsRoleHandler : AuthorizationHandler<DataToolsRoleRequirement>
    {
        protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, DataToolsRoleRequirement requirement)
        {
            if (!context.User.HasClaim(c => c.Type == "permissions"))
                return Task.CompletedTask;

            var permission = context.User.FindFirst(c => c.Type == "permissions" && requirement.Permissions.Contains(c.Value) && c.Issuer == requirement.Issuer);

            if (permission == null)
                return Task.CompletedTask;

            context.Succeed(requirement);

            return Task.CompletedTask;
        }
    }

The handler fails on the first line even though I can see the permissions in the token on jwt.io.
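
Added example, not part of the original post: a stand-alone harness that runs the handler's checks against two hand-built principals, so the handler logic can be tested separately from whatever populates `context.User`. The `DataToolsRoleRequirement` definition is an assumption inferred from how the post uses it, the issuer value is constructed, and the code assumes a project that references `Microsoft.AspNetCore.Authorization`.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;

const string issuer = "https://tenant.example.com/"; // constructed value
var requirement = new DataToolsRoleRequirement(new[] { "Admin" }, issuer);

// Shape of the principal after a token validates: each element of the
// "permissions" array is its own claim, and Claim.Issuer is the token's iss.
var validated = new ClaimsPrincipal(new ClaimsIdentity(new[]
{
    new Claim("permissions", "Admin", ClaimValueTypes.String, issuer),
    new Claim("permissions", "Read-Only", ClaimValueTypes.String, issuer),
}, "Bearer"));

// Shape of the principal when no token was validated: anonymous, no claims.
var anonymous = new ClaimsPrincipal(new ClaimsIdentity());

Console.WriteLine($"validated principal: {await Evaluate(validated)}");
Console.WriteLine($"anonymous principal: {await Evaluate(anonymous)}");

async Task<bool> Evaluate(ClaimsPrincipal user)
{
    var context = new AuthorizationHandlerContext(new[] { requirement }, user, null);
    await new DataToolsRoleHandler().HandleAsync(context);
    return context.HasSucceeded;
}

// Assumed definition: the post does not show this class.
public class DataToolsRoleRequirement : IAuthorizationRequirement
{
    public DataToolsRoleRequirement(string[] permissions, string issuer)
        => (Permissions, Issuer) = (permissions, issuer);
    public string[] Permissions { get; }
    public string Issuer { get; }
}

// Same checks as the handler in the post, condensed into one predicate.
public class DataToolsRoleHandler : AuthorizationHandler<DataToolsRoleRequirement>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, DataToolsRoleRequirement requirement)
    {
        if (context.User.HasClaim(c => c.Type == "permissions"
                && requirement.Permissions.Contains(c.Value) && c.Issuer == requirement.Issuer))
            context.Succeed(requirement);
        return Task.CompletedTask;
    }
}
```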