Mohsen Afshin

Reputation: 13436

Bearer was forbidden with Authorize filter in IdentityServer4

While testing IdentityServer4 with the AspNetAuthorization tutorial I added a simple [Authorize(Roles = "Administrator")] and since then I get this error:

AuthenticationScheme: Bearer was forbidden.

My user has this claim: new Claim(ClaimTypes.Role, "Administrator", ClaimValueTypes.String).

In ConfigureServices method:

    services.AddAuthorization(options =>
    {
        options.AddPolicy("AdministratorOnly", policy => policy.RequireRole("Administrator"));
    });

    services.AddMvc(config =>
    {
        var policy = new AuthorizationPolicyBuilder()
            .RequireAuthenticatedUser()
            .Build();

        config.Filters.Add(new AuthorizeFilter(policy));
    });

and in Configure method:

    app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions()
    {
        Authority = "http://localhost:5000",
        ScopeName = "openid",
        AutomaticAuthenticate = true,
        AutomaticChallenge = true,
        RequireHttpsMetadata = false,
    });

Debug output:

Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker: Debug: Executing action LearningEntityServer4.OAuth.ValuesController.Get (LearningEntityServer4.OAuth)
Microsoft.AspNetCore.Authorization.DefaultAuthorizationService: Information: Authorization was successful for user: myuser.
Microsoft.AspNetCore.Authorization.DefaultAuthorizationService: Information: Authorization failed for user: myuser.
Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker: Warning: Authorization failed for the request at filter 'Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter'.
Microsoft.AspNetCore.Mvc.ChallengeResult: Information: Executing ChallengeResult with authentication schemes ().
Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerMiddleware: Information: AuthenticationScheme: Bearer was forbidden.

What did I miss in the configuration?

PS: I already checked this SO post with no success.

Upvotes: 10

Views: 18828

Answers (3)

Mohsen Afshin

Reputation: 13436

In fact, I fixed my problem before reading @leastprivilege detailed answer.

The problem was with the naming of the claim types. I changed the following:

new Claim(ClaimTypes.Role, "Administrator");

to this:

new Claim(JwtClaimTypes.Role, "Administrator");

and the authorization worked. That's because the underlying string values between these differ and my configuration was expecting the "role" one:

ClaimTypes.Role => "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
JwtClaimTypes.Role => "role"

or one can do this based on his answer:

    app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions()
    {
        Authority = "http://localhost:5000",
        ScopeName = "scope",
        ScopeSecret = "secret",
        AutomaticAuthenticate = true,
        AutomaticChallenge = true,
        RequireHttpsMetadata = false,

        RoleClaimType = "role"
    });

For the detailed reasons behind it, read @leastprivilege's answer.

Upvotes: 4
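An added example (not code from the question or any of the answers) that reproduces the mismatch described in the answer above using only System.Security.Claims: ClaimsPrincipal.IsInRole, which RequireRole relies on, only matches claims whose type equals the identity's RoleClaimType, while a plain type/value check such as RequireClaim (HasClaim here) ignores RoleClaimType. The literal "role" stands in for IdentityModel's JwtClaimTypes.Role so the snippet needs no extra package; "Bearer" is an assumed authentication type name.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;

// Added example, not code from the question or the answers.
public static class RoleClaimTypeDemo
{
    // Same string IdentityModel exposes as JwtClaimTypes.Role.
    public const string JwtRoleType = "role";

    // Build a principal whose identity uses roleClaimTypeOfIdentity as its RoleClaimType
    // and carries a single "Administrator" claim whose type is issuedClaimType.
    public static ClaimsPrincipal BuildPrincipal(string issuedClaimType, string roleClaimTypeOfIdentity)
    {
        var claims = new List<Claim> { new Claim(issuedClaimType, "Administrator") };
        // The four-argument constructor sets NameClaimType and RoleClaimType explicitly;
        // "Bearer" is an assumed authentication type name.
        var identity = new ClaimsIdentity(claims, "Bearer", ClaimTypes.Name, roleClaimTypeOfIdentity);
        return new ClaimsPrincipal(identity);
    }

    // What policy.RequireRole("Administrator") ends up evaluating: IsInRole only
    // considers claims whose Type equals the identity's RoleClaimType.
    public static bool PassesRoleCheck(string issuedClaimType, string roleClaimTypeOfIdentity) =>
        BuildPrincipal(issuedClaimType, roleClaimTypeOfIdentity).IsInRole("Administrator");

    // What policy.RequireClaim(type, "Administrator") evaluates: an exact type/value
    // match on the claim itself, independent of RoleClaimType.
    public static bool PassesClaimCheck(string issuedClaimType, string roleClaimTypeOfIdentity) =>
        BuildPrincipal(issuedClaimType, roleClaimTypeOfIdentity).HasClaim(issuedClaimType, "Administrator");

    public static void Main()
    {
        // The setup from the question: the claim is issued as ClaimTypes.Role (the long
        // schemas.microsoft.com URI) while the identity's RoleClaimType is "role", so the
        // role check has no claim of the type it is looking for.
        Console.WriteLine("mismatch, RequireRole : " + PassesRoleCheck(ClaimTypes.Role, JwtRoleType));
        Console.WriteLine("mismatch, RequireClaim: " + PassesClaimCheck(ClaimTypes.Role, JwtRoleType));

        // The fix from the answer: issue the claim with type "role" (JwtClaimTypes.Role).
        Console.WriteLine("matched on \"role\"    : " + PassesRoleCheck(JwtRoleType, JwtRoleType));

        // The alternative: keep the issuer's claim type and make RoleClaimType equal to it.
        Console.WriteLine("matched on ClaimTypes : " + PassesRoleCheck(ClaimTypes.Role, ClaimTypes.Role));
    }
}
```

Run it as a console project; the first line is the "Bearer was forbidden" case, and the remaining lines show the two ways of making the role claim type and RoleClaimType agree.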

leastprivilege

Reputation: 18482

I finally found the time to write up the internals of how role checks work in the claims world:

https://leastprivilege.com/2016/08/21/why-does-my-authorize-attribute-not-work/

In short - make sure the claim types you use for roles match the RoleClaimType on your ClaimsIdentity. Or replace RequireRole with RequireClaim in your policy and use the right types.

Upvotes: 16

hburton

Reputation: 93

Per the attached resource it appears that you should actually be placing the policy name in the authorize attribute like so [Authorize("AdministratorOnly")].

https://damienbod.com/2016/02/14/authorization-policies-and-data-protection-with-identityserver4-in-asp-net-core/

Upvotes: 0
