RolePrincipal.IsInRole not checking "roles" claim.

[ManelBH]

Type of issue

Code doesn't work

Description

I have a JWT that looks like this:

{
  "aud": "xxx",
  "iss": "https://login.microsoftonline.com/xxx/v2.0",
  ...,
  "azp": "xxx",
  "roles": [
    "my_role"
  ],
  ...
  "ver": "2.0"
}

This token is processed by the Azure Application Service Authentication layer and I can see the "roles" claim defined in my ClaimsPrincipal. Therefore when I run:

HttpContext.User.IsInRole("my_role");

I was expecting this to return true but it returns false. It's not really clear in the docs why this wouldn't work.

Page URL

https://learn.microsoft.com/en-us/dotnet/api/system.web.security.roleprincipal.isinrole?view=netframework-4.8.1

Content source URL

https://github.com/dotnet/dotnet-api-docs/blob/main/xml/System.Web.Security/RolePrincipal.xml

Document Version Independent Id

adcabe65-9e9e-0eb4-20fc-766acfea926e

Article author

@Rick-Anderson

I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label.

I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label.

[bartonjs]

This sounds more like a functional bug than a documentation bug. Looking at the source of RoleProvider.IsInRole, it seems that the bug really belongs with whatever concrete IIdentity type you're using. Do you know what type that is?

[ManelBH]

Looking at the source of

Then the documentation wasn't enough to understand how this works, was it?

[ManelBH]

Ok now I realize this isn't a RolePrincipal but a ClaimsPrincipal, the ClaimsPrincipal page says something about this indeed.

[ManelBH]

The ClaimsPrincipal page shed some light into it. This:

req.HttpContext.User.Identities.Select(x => x.RoleClaimType);

Has only this type (appearing twice):
http://schemas.microsoft.com/ws/2008/06/identity/claims/role
That's why it doesn't work. It's still unclear to me why "roles" isn't checked given that's how's defined in Microsoft's own token, now it does look like a bug. How it is decided which RoleClaimTypes to use?

[bartonjs]

How it is decided which RoleClaimTypes to use?

That's a question for the specific class. ClaimsPrincipal.IsInRole just answers the logical or of all of the ClaimsIdentity.HasClaim calls; so it's a function of what the specific ClaimsIdentity implementation (or other IIdentity that the ClaimsIdentity is wrapping) does to populate the Claims collection.

[dotnet-policy-service]

Tagging subscribers to this area: @dotnet/area-system-security, @vcsjones