We're having a problem with an OIDC-integration on .NET 5/CMS 12 - the integration itself is working fine, a user is sent to the identity provider and redirected back to the CMS as expected.
However, since this identity provider doesn't provide any roles, we need to have a way to add them to a virtual role ourselves, as identifying with this provider should authorize you to a specific part of the site.
To do this, we've tried adding a claim in the OnTokenValidated-Event, like so:
options.Events.OnTokenValidated = (context) =>
var ident = (ClaimsIdentity)context.Principal.Identity;
ident.AddClaim(new Claim(ClaimTypes.Role, "SomeRole"));
var redirectUri = new Uri(context.Properties.RedirectUri, UriKind.RelativeOrAbsolute);
context.Properties.RedirectUri = redirectUri.PathAndQuery;
This seemingly works, as inspecting the user in any ControllerContext now shows that he has the correct claim.
However, the virtual role mapping we've set up ignores this claim:
"MappedRoles": [ "SomeRole" ],
"ShouldMatchAll" : "false"
The user does not have the virtual role (replacing "SomeRole" with "Everyone" works, so the is set up correctly).
I also tried creating a custom VirtualRole by inheriting VirtualRoleProviderBase, and the IPrincipal argument that gets sent into that does not have any claims other than two role claims for "Everyone" and "Anonymous" - trying to read it from IHttpContextAccessor (in the VirtualRole) yields the same result, no claims there either.
So, seeing as it works in the context of a controller, but not here - what step am I missing? Grateful for any ideas!
It looks like you need to use SupportsClaims to add your claim to the current principle — as described in the documentation here: