ASP.NET Core
A set of technologies in the .NET Framework for building web applications and XML web services.
4,157 questions
Razor Page Authorization for Roles
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(32, 8%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMM%3C/text%3E%3C/svg%3E)
Michael Mastro II
51
Reputation points
Good evening. I have been trying to get Authorization working with a Razor Page. I have tried multiple thing but none have worked. So, If I have AuthenticationSchemes = "ClientCookie" in the Authorize by itself, it will work, but it does not prevent a user that should not have access to the page from accessing it. If I try to use Roles, it redirects me to Account/AccessDenied?RazorPageIWasTryingToAccess. I have even tried AuthorizeAreaPage and AuthorizeAreaFolder in the startup of the razor page and am continually sent to AccessDenied for all Razor Pages that have Authorization.
So with the Conventions my startup looks as follows:
public void ConfigureServices(IServiceCollection services)
{
services.AddSession();
services.AddMemoryCache();
services.AddAuthorization(options =>
{
options.AddPolicy("LotroAdmin", policy => policy.RequireRole("LOTRO Administrator"));
options.AddPolicy("SiteAdmin", policy => policy.RequireRole("Site Administrator"));
});
services.AddRazorPages(options =>
{
options.Conventions.AuthorizeAreaPage("Administration", "/UserManagement", "SiteAdmin");
options.Conventions.AuthorizeAreaPage("Administration", "/UserDetails", "SiteAdmin");
options.Conventions.AuthorizeAreaPage("Administration", "/RoleManagement", "SiteAdmin");
options.Conventions.AuthorizeAreaPage("Administration", "/RemoveRole", "SiteAdmin");
options.Conventions.AuthorizeAreaPage("Administration", "/EditUser", "SiteAdmin");
options.Conventions.AuthorizeAreaPage("Administration", "/EditRole", "SiteAdmin");
options.Conventions.AuthorizeAreaPage("Administration", "/AllUsers", "SiteAdmin");
options.Conventions.AuthorizeAreaPage("Administration", "/AllUnapprovedUsers", "SiteAdmin");
options.Conventions.AuthorizeAreaPage("Administration", "/AllDeniedUsers", "SiteAdmin");
options.Conventions.AuthorizeAreaPage("Administration", "/AddRole", "SiteAdmin");
options.Conventions.AuthorizeAreaFolder("Administration", "/Lotro", "SiteAdmin");
options.Conventions.AuthorizeAreaFolder("Administration", "/Lotro", "LotroAdmin");
});
//snipped for brevity
services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = "ClientCookie";
options.DefaultSignInScheme = "ClientCookie";
options.DefaultChallengeScheme = "LoginServer";
})
.AddCookie("ClientCookie");
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
else
{
app.UseExceptionHandler("/Error");
// The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
app.UseHsts();
}
app.UseSession();
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints.MapRazorPages();
endpoints.MapControllers();
});
}
If I removed the options from the services.AddRazorPages(); It works if I place the following on the Razor Pages:
[Authorize(AuthenticationSchemes = "ClientCookie")]
If I have the below it does not work:
[Authorize(AuthenticationSchemes = "ClientCookie", Roles = "Site Administrator")]
Nothing is showing as to why it is Access Denied in the debug log, Kestrel for the Web Api or Kestrel for the Razor Pages.
A page this fails on and sends me to the Access Denied is as simple as this:
[Authorize(AuthenticationSchemes = "ClientCookie", Roles = "Site Administrator")]
public class LotroManagementModel : PageModel
{
public void OnGet()
{
}
}
This is what I get when I try to hit that page (also the Access Denied page seems broken too):
Any thoughts on how to get the roles to work with the Razor Pages? It seems like the policy method does not work, or the roles do not work.
I followed guidance on the following pages:
https://learn.microsoft.com/en-us/aspnet/core/security/authorization/roles?view=aspnetcore-3.1
https://learn.microsoft.com/en-us/aspnet/core/security/authorization/policies?view=aspnetcore-3.1
https://learn.microsoft.com/en-us/aspnet/core/security/authorization/razor-pages-authorization?view=aspnetcore-3.1
Edit:
Here is the code from the Login Razor Page that assigns the everything to the ClientCookie.
var loginReturn = await _client.LoginPostAsync(apiVersion, dataToSend);
if (loginReturn.SignInResult.Succeeded)
{
var claim = new Claim(ClaimTypes.Name, loginReturn.Principal.Name);
var identity = new ClaimsIdentity(new[] { claim }, loginReturn.Principal.AuthenticationType);
if (loginReturn.Access_Token != null)
{
ReturnUrl = loginReturn.ReturnUrl;
Response.Cookies.Append("Email", Input.Email, new CookieOptions { HttpOnly = true, Secure = true, IsEssential = true });
Response.Cookies.Append("ClientCookiePersist", Input.RememberMe.ToString(), new CookieOptions { HttpOnly = true, Secure = true, IsEssential = true });
HttpContext.Session.SetString("access_token", loginReturn.Access_Token);
await HttpContext.Session.CommitAsync();
// Add all the Roles and Databases here
var base64Payload = loginReturn.Access_Token.Split('.')[1];
var bytes = Base64UrlTextEncoder.Decode(base64Payload);
var jsonPayload = Encoding.UTF8.GetString(bytes);
var claims = JsonSerializer.Deserialize<Dictionary<string, object>>(jsonPayload);
foreach (var cl in claims)
{
identity.AddClaim(new Claim(cl.Key, cl.Value.ToString()));
}
var principal = new ClaimsPrincipal(identity);
await HttpContext.SignInAsync(scheme: "ClientCookie", principal);
}
_logger.LogInformation("User logged in.");
return LocalRedirect(ReturnUrl);
}
{count} votes
-
AgaveJoe 26,191 Reputation points2021-06-23T13:18:01.53+00:00 You did not share the code that assigns roles or authentications the user. The Use cookie authentication without ASP.NET Core Identity doc illustrates how to assigns claims/roles manually. If you are using a 3rd party authentication provider then you'll need to read the docs or explain what you're using.
-
Michael Mastro II 51 Reputation points
2021-06-23T15:05:11.23+00:00 It seems like I cannot post that in the comments here. But it is part of the Login Razor Page, which calls the Web API and gets that back from the Web API. I will try and edit the above to add that. Otherwise it is more than characters than is allowed.
-
AgaveJoe 26,191 Reputation points
2021-06-23T15:52:04.567+00:00 You did not share how the token was created. Does the claim "role" exist in the token and is the value "Site Administrator"? Run the code through the debugger to see what's going on.
-
Michael Mastro II 51 Reputation points
2021-06-23T18:03:54.913+00:00 If I look at the debug, I am seeing the following:
-
AgaveJoe 26,191 Reputation points
2021-06-23T18:17:26.393+00:00 The role property is defined as an array...
{role: ["LOTRO Administrator", "Site Administrator"]}...but your code expects a string.
foreach (var cl in claims) { identity.AddClaim(new Claim(cl.Key, cl.Value.ToString())); }Fix the code to handle claims that are array types.
On a side note, I do not see code that validates the token signature. This design could be vulnerable to an intermediary changing the token.
Sign in to comment