Use API access token to Authorize in .net Core MVC?

I’m using Auth0 SDK for .net core. I’m trying to use a permissions based approach on authorizing my users in my controllers.

I tried adding claims based on the permissions I got in the access token using the code below, but the claims are not persisting throughout the application, so when I put [Authorize(Roles = "CustomRole")] users are redirected to the access denied page.

using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;

public void AssignRole(ClaimsPrincipal user, string accessToken)
{
    // ReadJwtToken only decodes the token; it does not validate the signature,
    // so this is only safe for a token obtained directly from the token endpoint.
    var handler = new JwtSecurityTokenHandler();
    var token = handler.ReadJwtToken(accessToken);

    // The "permissions" array is surfaced as one claim per permission, so check
    // every claim of that type with an exact match instead of a substring test
    // on the first one.
    var hasPermission = token.Claims
        .Where(c => c.Type == "permissions")
        .Any(c => c.Value == "customPermission");

    if (hasPermission && user.Identity is ClaimsIdentity identity)
    {
        identity.AddClaim(new Claim(ClaimTypes.Role, "CustomRole"));
    }
}

Here's what I have in Startup.cs:

services.AddAuth0WebAppAuthentication(options =>
{
    options.Domain = Configuration["Auth0:Domain"];
    options.ClientId = Configuration["Auth0:ClientId"];
    options.ClientSecret = Configuration["Auth0:ClientSecret"];
})
.WithAccessToken(options =>
{
    options.Audience = Configuration["Auth0:Audience"];
    options.UseRefreshTokens = true;
});

I'm fairly new to Auth0, so I'm not sure what the best approach for this is.
I also tried this, but it doesn't work:

services.AddAuthorization(options =>
{
    options.AddPolicy("WriteAccess", policy =>
        policy.RequireClaim("permissions", "create:term", "update:term"));
    options.AddPolicy("DeleteAccess", policy =>
        policy.RequireClaim("permissions", "delete:term"));
});

I figured it out. I added this in the ConfigureServices method for Auth0:

using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;

services.AddAuth0WebAppAuthentication(options =>
{
    options.Domain = Configuration["Auth0:Domain"];
    options.ClientId = Configuration["Auth0:ClientId"];
    options.ClientSecret = Configuration["Auth0:ClientSecret"];
    options.OpenIdConnectEvents = new OpenIdConnectEvents
    {
        // Runs after the ID token is validated and before the auth cookie is
        // written, so claims added here are persisted for later requests.
        OnTokenValidated = context =>
        {
            var accessToken = context.TokenEndpointResponse?.AccessToken;
            if (string.IsNullOrEmpty(accessToken))
            {
                return Task.CompletedTask;
            }

            // Decode only; the token came straight from the token endpoint response.
            var handler = new JwtSecurityTokenHandler();
            var token = handler.ReadJwtToken(accessToken);

            // "permissions" is one claim per permission; match exact values.
            var hasPermission = token.Claims
                .Where(c => c.Type == "permissions")
                .Any(c => c.Value == "customPermission");

            if (hasPermission && context.Principal?.Identity is ClaimsIdentity identity)
            {
                identity.AddClaim(new Claim(ClaimTypes.Role, "CustomRole"));
            }

            return Task.CompletedTask;
        }
    };
});
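The reason the first attempt in this thread did not persist is that the cookie handler serializes the principal's claims when the sign-in completes; claims added to a ClaimsPrincipal on a later request only live for that request. OnTokenValidated runs before the cookie is written, which is why the second approach works. The following is an added example, not the poster's code or anything from the Auth0 SDK, that builds on it: it copies every "permissions" claim from the access token into the principal in that event, so the policy-based authorization the poster tried earlier ("WriteAccess", "DeleteAccess") works in controllers as well as the role mapping. It assumes the Auth0.AspNetCore.Authentication SDK and the configuration keys Auth0:Domain, Auth0:ClientId, Auth0:ClientSecret and Auth0:Audience; the TermsController and its actions are hypothetical.

```csharp
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Auth0.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuth0WebAppAuthentication(options =>
        {
            options.Domain = Configuration["Auth0:Domain"];
            options.ClientId = Configuration["Auth0:ClientId"];
            options.ClientSecret = Configuration["Auth0:ClientSecret"];
            options.OpenIdConnectEvents = new OpenIdConnectEvents
            {
                OnTokenValidated = context =>
                {
                    // The access token was returned by Auth0's token endpoint over the
                    // back-channel (server-to-server TLS), which is why decoding it
                    // without a second signature check is acceptable here. Never apply
                    // this to a token that the browser supplied.
                    var accessToken = context.TokenEndpointResponse?.AccessToken;
                    if (string.IsNullOrEmpty(accessToken))
                    {
                        return Task.CompletedTask;
                    }
                    if (!(context.Principal?.Identity is ClaimsIdentity identity))
                    {
                        return Task.CompletedTask;
                    }

                    var token = new JwtSecurityTokenHandler().ReadJwtToken(accessToken);

                    // Auth0 emits the "permissions" array as one claim per permission.
                    // Copy each value verbatim (exact strings, not substrings) so the
                    // policies below can match them; optionally map one to a role.
                    foreach (var permission in token.Claims.Where(c => c.Type == "permissions"))
                    {
                        identity.AddClaim(new Claim("permissions", permission.Value));
                        if (permission.Value == "customPermission")
                        {
                            identity.AddClaim(new Claim(ClaimTypes.Role, "CustomRole"));
                        }
                    }
                    return Task.CompletedTask;
                }
            };
        })
        .WithAccessToken(options =>
        {
            // Requesting an audience is what makes Auth0 issue a JWT access token
            // that carries the permissions claim.
            options.Audience = Configuration["Auth0:Audience"];
            options.UseRefreshTokens = true;
        });

        // These policies are evaluated against the claims stored in the auth cookie,
        // which now include the copied "permissions" values.
        services.AddAuthorization(options =>
        {
            options.AddPolicy("WriteAccess", policy =>
                policy.RequireClaim("permissions", "create:term", "update:term"));
            options.AddPolicy("DeleteAccess", policy =>
                policy.RequireClaim("permissions", "delete:term"));
        });

        services.AddControllersWithViews();
    }
}

// Hypothetical controller showing both policy- and role-based checks.
public class TermsController : Controller
{
    [Authorize(Roles = "CustomRole")]
    public IActionResult Index() => View();

    [Authorize(Policy = "WriteAccess")]
    public IActionResult Edit() => View();

    [Authorize(Policy = "DeleteAccess")]
    public IActionResult Delete() => RedirectToAction(nameof(Index));
}
```

Copying the permissions into the principal keeps authorization decisions in policies rather than scattered string checks, and exact-value matching avoids a substring like "customPermission" accidentally satisfying a check for "customPermissionAdmin". Note that everything added here increases the size of the auth cookie, so copy only the claims the application actually authorizes on.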

Woohoo, perfect! Glad you have figured it out, and thanks for sharing it with the rest of the community!