I’m using the Auth0 SDK for .NET Core. I’m trying to use a permissions-based approach to authorizing my users in my controllers.
I tried adding claims based on the permissions I got in the access token using the code below, but the claims are not persisting throughout the application, so when I put [Authorize(Roles = "CustomRole")] users are redirected to the access denied page.
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;

public void AssignRole(ClaimsPrincipal user, string accessToken)
{
    // Parses without validating the signature: only safe for a token that came
    // straight from Auth0's token endpoint, never one supplied by the browser.
    var token = new JwtSecurityTokenHandler().ReadJwtToken(accessToken);

    // Auth0 emits "permissions" as a JSON array, which the handler flattens into one
    // Claim per element, so check all of them rather than only the first.
    if (token.Claims.Any(c => c.Type == "permissions" && c.Value == "customPermission"))
    {
        // ClaimTypes.Role is already a string. The claim is added only to the
        // in-memory principal of this request; the issued cookie is not rewritten.
        var identity = (ClaimsIdentity)user.Identity;
        identity.AddClaim(new Claim(ClaimTypes.Role, "CustomRole"));
    }
}
Here’s what I have in Startup.cs:
services.AddAuth0WebAppAuthentication(options =>
{
    options.Domain = Configuration["Auth0:Domain"];
    options.ClientId = Configuration["Auth0:ClientId"];
    options.ClientSecret = Configuration["Auth0:ClientSecret"];
})
.WithAccessToken(options =>
{
    options.Audience = Configuration["Auth0:Audience"];
    options.UseRefreshTokens = true;
});
I’m fairly new to Auth0, so I’m not sure what the best approach for this is.
I also tried this, but it doesn’t work:
services.AddAuthorization(options =>
{
    // RequireClaim passes when the principal carries a "permissions" claim
    // whose value is any of the listed ones.
    options.AddPolicy("WriteAccess", policy =>
        policy.RequireClaim("permissions", "create:term", "update:term"));
    options.AddPolicy("DeleteAccess", policy =>
        policy.RequireClaim("permissions", "delete:term"));
});
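The following is an added example (not code from the question or from Auth0) of the pattern a practitioner would reach for here: copy the "permissions" claims out of the access token into the principal at sign-in, inside the OpenID Connect `OnTokenValidated` event, so they are serialised into the authentication cookie and are visible to `[Authorize(Policy = ...)]` and `[Authorize(Roles = ...)]` on every later request. It assumes that the Auth0 ASP.NET Core SDK version in use exposes an `OpenIdConnectEvents` property on the options passed to `AddAuth0WebAppAuthentication`, that the configuration keys `Auth0:Domain`, `Auth0:ClientId`, `Auth0:ClientSecret` and `Auth0:Audience` from the question exist, and that the permission names `create:term`, `update:term` and `delete:term` are the ones defined on the API in Auth0. The `PermissionToRole` mapping, the class names `Auth0PermissionClaims` and `Auth0Setup`, and the role names are hypothetical.

```csharp
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Auth0.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public static class Auth0PermissionClaims
{
    // Hypothetical mapping from API permissions to application roles (not Auth0's;
    // chosen for this example so [Authorize(Roles = ...)] has something to match).
    private static readonly Dictionary<string, string> PermissionToRole = new Dictionary<string, string>
    {
        ["create:term"] = "Editor",
        ["update:term"] = "Editor",
        ["delete:term"] = "Admin",
    };

    // Returns the "permissions" claims found in an Auth0 access token plus the application
    // roles they map to. Returns nothing for an opaque token or one minted for another API.
    public static List<Claim> FromAccessToken(string accessToken, string expectedAudience)
    {
        var claims = new List<Claim>();
        var handler = new JwtSecurityTokenHandler();
        if (string.IsNullOrEmpty(accessToken) || !handler.CanReadToken(accessToken))
            return claims;  // opaque token (no audience requested): no permissions inside

        // The signature is deliberately not checked here: the token was just received over
        // the back channel from Auth0's token endpoint during the code exchange. Never apply
        // this to a token handed in by the browser.
        var jwt = handler.ReadJwtToken(accessToken);
        if (!jwt.Audiences.Contains(expectedAudience))
            return claims;  // token for a different API: its permissions mean nothing here

        // Auth0 serialises "permissions" as a JSON array; the handler flattens it into
        // one Claim per element, all with Type == "permissions".
        var roles = new HashSet<string>();
        foreach (var permission in jwt.Claims.Where(c => c.Type == "permissions").Select(c => c.Value).Distinct())
        {
            claims.Add(new Claim("permissions", permission));
            if (PermissionToRole.TryGetValue(permission, out var role) && roles.Add(role))
                claims.Add(new Claim(ClaimTypes.Role, role));
        }
        return claims;
    }
}

public static class Auth0Setup
{
    public static void Configure(IServiceCollection services, IConfiguration configuration)
    {
        var audience = configuration["Auth0:Audience"];

        services.AddAuth0WebAppAuthentication(options =>
        {
            options.Domain = configuration["Auth0:Domain"];
            options.ClientId = configuration["Auth0:ClientId"];
            options.ClientSecret = configuration["Auth0:ClientSecret"];
            options.OpenIdConnectEvents = new OpenIdConnectEvents
            {
                // Runs once at sign-in, after the code exchange and ID-token validation but
                // before the cookie is written, so the added claims end up in the cookie.
                OnTokenValidated = context =>
                {
                    if (context.Principal?.Identity is ClaimsIdentity identity)
                    {
                        identity.AddClaims(Auth0PermissionClaims.FromAccessToken(
                            context.TokenEndpointResponse?.AccessToken, audience));
                    }
                    return Task.CompletedTask;
                }
            };
        })
        .WithAccessToken(options =>
        {
            options.Audience = audience;
            options.UseRefreshTokens = true;
        });

        // The same policies as in the question; they now match because the cookie
        // principal carries "permissions" claims.
        services.AddAuthorization(options =>
        {
            options.AddPolicy("WriteAccess", policy =>
                policy.RequireClaim("permissions", "create:term", "update:term"));
            options.AddPolicy("DeleteAccess", policy =>
                policy.RequireClaim("permissions", "delete:term"));
        });
    }
}
```

Controller actions are then guarded with `[Authorize(Policy = "WriteAccess")]`, or `[Authorize(Roles = "Admin")]` for the mapped roles. Two caveats worth keeping in mind: the permissions are a snapshot taken at login and live in the cookie until the user signs in again, so a permission removed in Auth0 stays effective for existing sessions unless the cookie lifetime is short or sensitive actions re-check against a fresh token; and the audience check is what stops a token issued for some other API from granting permissions in this application.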