AuthorizeAttribute with ASP.NET Identity


I have a controller which is protected by the [Authorize] attribute.

This works very well (I am sent back to login if I am not logged in), but I wish to add some roles to this attribute. I've read that it's possible to do something like [Authorize(Roles = "Customer")], but when I do this I am instantly sent back to the login page on my application?

Is this Roles override not working with the new ASP.NET Identity? On my user creation I am adding the user to the role with the following code:

var user = new ApplicationUser {UserName = model.Username};
var result = UserManager.Create(user, model.Password);
if (result.Succeeded)
{
    UserManager.AddToRole(user.Id, "Customer");
    SignIn(user, false);

    return RedirectToAction("Done");
}

And according to the database the user is in this role. Why is this not working? Am I missing a configuration of some sort?

5

There are 5 best solutions below

6
On BEST ANSWER

I am going to answer my own question.

The reason this was not working (hours of digging around) was that my context had the following:

Configuration.ProxyCreationEnabled = false;

This disabled lazy loading, and therefore roles were not included when the user was loaded!

So the fix was to enable this or remove the line.

UPDATE: 2015-05-01

This was a bug, fixed in the 2.0.0-alpha1 release. Thus, this workaround is no longer necessary going forward, and the Roles will load regardless of this setting.

Does Identity Owin require LazyLoading?

0
On

Check out this answer: ASP.NET Identity check user roles is not working

In your case, while checking for the case, compare the case of the IdentityRole record and the Authorize attribute. Do not compare with the UserManager.AddToRole(user.Id, "Customer");

5
On

It works fine with AspNet Identity in my case. Are you sure you:

  • haven't customized Authorization filters or done it right?
  • haven't reconfigured authentication/authorization in web.config?
  • have proper entries in AspNet Identity tables: AspNetUsers, AspNetRoles, AspNetUserRoles (the role exists and the user has it)?
1
On

Create a role like so:

RoleManager = new RoleManager<IdentityRole>(new RoleStore<IdentityRole>(new MyDbContext()));
var roleresult = RoleManager.Create(new IdentityRole(roleName));

Then, add a user like so:

var currentUser = UserManager.FindByName(user.UserName); 
var roleresult = UserManager.AddToRole(currentUser.Id, "Superusers");

Please let me know if this works for you.

0
On

I wrote a sample to test it, and it works fine, so I think there are 2 points:
1. Your cookie is not saved to the browser
2. Your cookie does not have the role info

Check your cookie: is there a cookie named ".AspNet.ApplicationCookie" (the default name)?
If not, check that your browser allows writing cookies, or check the code where you write the cookie.
If it exists, you can create a class that extends

ISecureDataFormat<AuthenticationTicket>  

and config

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    LoginPath = new PathString("/Account/Login"),
    TicketDataFormat = new T()
});

new T() is the class.
In this class you need to do

public string Protect(AuthenticationTicket data)

and

public AuthenticationTicket Unprotect(string protectedText)

It is something about serialization.
You can set a breakpoint and check the data;
in data.Identity.Claims (an IEnumerable<Claim>) there should be a Claim with your role info.
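
Added example (not part of any answer above, and not ASP.NET Identity's own code): a console program that shows why a signed-in user whose identity carries no role claim passes plain [Authorize] but fails [Authorize(Roles = "Customer")], and how the casing of the claim value matters. PassesRoles is a hypothetical, simplified stand-in for the attribute's role test, and the user name, role values and "ApplicationCookie" authentication type are constructed sample data.

```csharp
using System;
using System.Linq;
using System.Security.Claims;

static class RoleClaimCheck
{
    // Hypothetical, simplified stand-in for the test [Authorize(Roles = "...")]
    // applies: the user is authenticated and IsInRole succeeds for one listed role.
    static bool PassesRoles(ClaimsPrincipal user, string roles)
    {
        if (user.Identity == null || !user.Identity.IsAuthenticated) return false;
        var wanted = roles.Split(',').Select(r => r.Trim())
                          .Where(r => r.Length > 0).ToArray();
        return wanted.Length == 0 || wanted.Any(user.IsInRole);
    }

    // Constructed identity, shaped like the one restored from the application cookie.
    static ClaimsPrincipal SignedIn(string name, params string[] roleClaims)
    {
        // A non-empty authentication type makes IsAuthenticated return true.
        var id = new ClaimsIdentity("ApplicationCookie");
        id.AddClaim(new Claim(ClaimTypes.Name, name));
        foreach (var r in roleClaims)
            id.AddClaim(new Claim(ClaimTypes.Role, r));
        return new ClaimsPrincipal(id);
    }

    // Prints the role claims the principal carries next to both authorization results.
    static void Report(string label, ClaimsPrincipal user)
    {
        var roles = user.FindAll(ClaimTypes.Role).Select(c => c.Value).ToArray();
        Console.WriteLine(
            "{0,-28} role claims=[{1}]  [Authorize]={2}  Roles=\"Customer\"={3}",
            label, string.Join(",", roles),
            PassesRoles(user, ""), PassesRoles(user, "Customer"));
    }

    static void Main()
    {
        // Roles missing when the identity was built at sign-in (the accepted answer's case).
        Report("roles not loaded at sign-in", SignedIn("alice"));
        Report("role claim present", SignedIn("alice", "Customer"));
        // IsInRole compares the claim value with an ordinal, case-sensitive match.
        Report("role claim, different case", SignedIn("alice", "customer"));
    }
}
```

The first case matches the symptom in the question: the user is authenticated, so plain [Authorize] passes, but the role-restricted check fails because the identity has no role claim, whatever the database says.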