Trouble with Policies in .NET Core API

Questions
1

I have a .Net Core hosted Blazor SPA. The Blazor client sends api requests to the .NET Core backend. I have Okta set up and working on the client side. On the client side, groups were not being mapped to roles, so I had to create a RolesClaimsPrincipalFactory class as described here:

I seem to be having the same issue on the API side. My authorize attributes work on my controllers, but once I assign a policy to the authorize attribute on the endpoints they do not work.

How can I map the groups claim to roles in .NET Core?

My Startup.cs looks like this:

        services.AddAuthentication(options =>
        {
            options.DefaultAuthenticateScheme = OktaDefaults.ApiAuthenticationScheme;
            options.DefaultChallengeScheme = OktaDefaults.ApiAuthenticationScheme;
            options.DefaultSignInScheme = OktaDefaults.ApiAuthenticationScheme;
        })
        .AddOktaWebApi(new OktaWebApiOptions()
        {
            OktaDomain = Configuration["Okta:OktaDomain"],
        });
        services.AddAuthorization(options =>
        {
            options.AddPolicy(Policies.IsCommish, Policies.IsCommishPolicy());
            options.AddPolicy(Policies.IsManager, Policies.IsManagerPolicy());
        });

And I have my policies defined in the shared project:

    public static class Policies
{
    public const string IsCommish = "IsCommish";
    public const string IsManager = "IsManager";

    public static AuthorizationPolicy IsCommishPolicy()
    {
        return new AuthorizationPolicyBuilder().RequireAuthenticatedUser()
                                               .RequireRole("Commish")
                                               .Build();
    }

    public static AuthorizationPolicy IsManagerPolicy()
    {
        return new AuthorizationPolicyBuilder().RequireAuthenticatedUser()
                                               .RequireRole("Managers")
                                               .Build();
    }
}

Thanks!

2

I was able to get this working by adding a GroupsToRolesTransformer:

public class GroupsToRolesTransformer : IClaimsTransformation
{
private OktaClient client;

public GroupsToRolesTransformer(IOktaSettings settings)
{
    client = new OktaClient(new OktaClientConfiguration
    {
        OktaDomain = settings.OktaDomain,
        Token = settings.Token
    });
}

public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal IPrincipal)
{
    var idClaim = IPrincipal.FindFirst(x => x.Type == ClaimTypes.NameIdentifier);
    if (idClaim != null)
    {
        var user = await client.Users.GetUserAsync(idClaim.Value);
        if (user != null)
        {
            var groups = user.Groups.ToEnumerable();
            foreach (var group in groups)
            {
                ((ClaimsIdentity)IPrincipal.Identity).AddClaim(new Claim(ClaimTypes.Role, group.Profile.Name));
            }
        }
    }
    return IPrincipal;
}

}

And in startup.cs:

        services.AddAuthentication(options =>
        {
            options.DefaultAuthenticateScheme = OktaDefaults.ApiAuthenticationScheme;
            options.DefaultChallengeScheme = OktaDefaults.ApiAuthenticationScheme;
            options.DefaultSignInScheme = OktaDefaults.ApiAuthenticationScheme;
        })
        .AddOktaWebApi(new OktaWebApiOptions()
        {
            OktaDomain = Configuration["OktaSettings:OktaDomain"]
        });
        services.AddAuthorization(options =>
        {
            options.AddPolicy(Policies.IsCommish, Policies.IsCommishPolicy());
            options.AddPolicy(Policies.IsManager, Policies.IsManagerPolicy());
        });

I generated a token from the API>Tokens menu and provided that.

3

@Epos7 It is glad to know the issue is resolved and thanks for sharing your fix. This dev topic is closed now.