[Bug] RolesRequiredHttpContextExtensions.ValidateAppRole will only check first role claim and fail when there are many role claims #374
Comments
adriannasui
changed the title
|
@adriannasui thanks you. we definitely welcome outside contributions, so feel free to propose a PR. |
|
@adriannasui We are thinking of throwing now if the roles do not match, verses returning to the controller, because the controller could continue to do things it shouldn't at that point. We are still looking at the user experience here, but if you have thoughts on this, let us know. Changes are in this branch. thank you. |
|
sorry about not answering, seems my github notifications are not properly setup on my part. |
|
Thanks for the quick feedback @adriannasui ....we agree that throwing seems safer and less "magical" |
|
Included in 0.2.2-preview release |
Hi, I encountered an issue on version 0.2.1-preview where calling ValidateAppRole will not work as expected.
Issue happens when i call ValidateAppRole and my access token has a 'roles' claim containing an array of roles. Somwhow, my 'roles' claim gets transformed into multiple 'role' claims in context.HttpContext.User. And the code inside ValidateAppRole is not properly written to handle this scenario, it only looks at the first 'role' claim and my call fails with 403.
This is the line where I found the issue.
microsoft-identity-web/src/Microsoft.Identity.Web/Resource/RolesRequiredHttpContextExtensions.cs
Line 51 in f6c3110
This code will incorrectly stop on the first role claim.
Please let me know it any more info is needed, I could even do a PR to solve this, I will do a quick custom implementation of ValidateAppRole just to move on with my project.
Thanks
The text was updated successfully, but these errors were encountered: