Try our conversational search powered by Generative AI!

OpenIdConnect - Roles not working - wrong ClaimType



We use OpenIdConnect to authenticate using

I assigned Buyer2 role to some users, but the Cart was not set to RequiresApproval state when cart was over budget.

I found out that in SetRequiresApproval handler, user roles are not correctly evaluated when calling SiteContext.Current.IsUserInRole.

By deep investigation I found out that this is caused by ClaimType mismatch:

  • When using standard login, Identity contains claims with ClaimType=""
  • When using OpenIdConnect, Identity contain claims with ClaimType="role"

ClaimsPrincipal.IsInRole uses ClaimsIdentity.RoleClaimType="" to check the roles.

That means SiteContext.Current.IsUserInRole always returns false.

I implemented a workaround in a form of FixUserRoles handler added to the GetCart handler chain that adds claims with proper ClaimType.

Is there any proper solution for this? When I googled, someone mentioned that old version of System.IdentityModels.Tokens.Jwt may cause this.

Thanks in advance for any input!

Feb 07, 2023 11:38
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.