I'm playing with Identity Server v4 (but I think it is the same with v3) and .NET Core.
Right now I have a strange issue that I don't understand.
From my MVC application I use the [Authorize(Roles="Geek")] to protect my controllers/actions.
Looking at the current User from the HttpContext, all the Roles are available as Claims and not as Roles (in fact User.IsInRole("Geek") returns false).
Moreover, I can't use the Claims with the authorize attribute because all roles are stored in the claims collection with the same key ("role" of course).
Is there a way to have automatically all the claims with the key "role" also as role for the current principal?
I tried to play with "on token validate event" but without success.
I'm trying the sample repo, so my code is pretty much the same as this: https://github.com/IdentityServer/IdentityServer4.Samples/tree/dev/MVC%20and%20API
Any hint?
Do the role claims have a "Type" property value of "role" or is it a URI like "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"? If it is "role" rather than a URI you may be setting your InboundClaimTypeMap to an empty dictionary as described in the documentation (see Claims Transformation section here). If you have the following line in your startup code try removing it:
JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary<string, string>();
The default InboundClaimTypeMap will map some JWT claims into System.Security.Claims.ClaimTypes which use a full URI. One of those mapped is role.
A ClaimsIdentity's IsInRole method will use a property called RoleClaimType to determine the string value to match against a claim's Type property to find the list of available roles. Your required role text is then matched against the values in the resulting list of matching claims. A default ClaimsIdentity will use System.Security.Claims.ClaimTypes.Role to look for role claims in the identity.
If you want your app to continue to use JWT claim type syntax you will need to create a new ClaimsIdentity in a SecurityTokenValidated Notification event. The ClaimsIdentity constructor allows you to specify the text to use when matching claim roles. In this case the text would be just "role".
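The identity rebuild described in the answer above, as an added example that is not part of the original answer or of the IdentityServer samples. It assumes JWT-style claim types ("role", "name"), uses constructed sample claims, and the helper name UseJwtRoleClaims is hypothetical; wiring it into the token-validated event is not shown.

```csharp
using System;
using System.Linq;
using System.Security.Claims;

public static class RoleClaimDemo
{
    // Short JWT claim type names, as they arrive when the inbound claim type map is cleared.
    private const string JwtRoleType = "role";
    private const string JwtNameType = "name";

    // Hypothetical helper: copies every identity of the principal, passing the
    // claim types that IsInRole and Identity.Name should look for.
    public static ClaimsPrincipal UseJwtRoleClaims(ClaimsPrincipal principal)
    {
        var identities = principal.Identities.Select(id =>
            new ClaimsIdentity(id.Claims, id.AuthenticationType, JwtNameType, JwtRoleType));
        return new ClaimsPrincipal(identities);
    }

    public static void Main()
    {
        // Constructed sample claims, shaped like an unmapped JWT payload.
        var claims = new[]
        {
            new Claim("sub", "1"),
            new Claim("name", "alice"),
            new Claim("role", "Geek"),
            new Claim("role", "Admin"),
        };

        // Default identity: RoleClaimType is ClaimTypes.Role (the URI form),
        // so the short "role" claims are not treated as roles.
        var asReceived = new ClaimsPrincipal(new ClaimsIdentity(claims, "Cookies"));
        Console.WriteLine($"RoleClaimType: {((ClaimsIdentity)asReceived.Identity).RoleClaimType}");
        Console.WriteLine($"as received, Geek:  {asReceived.IsInRole("Geek")}");

        // Rebuilt identity: RoleClaimType is "role", so the same claims now
        // satisfy IsInRole and therefore [Authorize(Roles = "Geek")].
        var rebuilt = UseJwtRoleClaims(asReceived);
        Console.WriteLine($"rebuilt, Geek:      {rebuilt.IsInRole("Geek")}");
        Console.WriteLine($"rebuilt, Guest:     {rebuilt.IsInRole("Guest")}");
        Console.WriteLine($"rebuilt, Name:      {rebuilt.Identity?.Name}");
    }
}
```

Printing RoleClaimType on the principal an application actually receives is a quick way to confirm which claim type the authorization checks are matching against.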