Koy

Reputation: 628

.NET identity database model confusion regarding Roles and Claims

I'm using ASP.NET Identity to implement authentication and authorization in my web API app. I'm a bit confused with the good old Roles vs Claims question, and I have not yet found a clear answer.

From what I understood from this video the claims-based authorization shifts the perspective by stating that a role is just a specific type of a claim - one with key 'Role' and value of 'Admin' or 'User' or whatever.

However I am reviewing a diagram of tables created by the .NET identity and seeing some contradictions.

[Image: .NET Identity database model]

From the diagram above we can conclude the following:

Most of my confusion comes from the fact that Claims can be assigned to Roles (through the AspNetRoleClaims), while a lot of literature, some by Microsoft itself, says that logically a Role is a specific type of claim. This is in direct contradiction to this DB model as this makes Claims be owned by Roles.

Well, it technically doesn't make them owned since, as mentioned in the list above, Claims can also be directly given to the User through the AspNetUserClaims table. Is this supposed to be an alternative approach? Because if both this and the previous approach are used then it opens up room for redundancies and inconsistencies.

For instance, a user U can be granted role R which itself has claims C1=x1, C2=x2 and C3=x3. Then someone can grant the user U some claims directly, for example C1=y1 which would cause a contradiction - how would we know whether the value of C1 for user U is x1 or y1?

I hope I have explained my misunderstanding well enough.

Thanks in advance :)

Upvotes: 0

Views: 34
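The scenario in the question (user U in role R, R carrying C1=x1, C2=x2, C3=x3, and U also granted C1=y1 directly) can be reproduced with plain System.Security.Claims to see what the signed-in principal actually contains. The following is an added example, not code from the question or from the ASP.NET Identity library; it only imitates the merge that Identity's default UserClaimsPrincipalFactory<TUser, TRole> performs when it builds the principal (direct user claims from AspNetUserClaims, a role claim per role, and each role's claims from AspNetRoleClaims). The three in-memory dictionaries are constructed stand-ins for the AspNetUserClaims, AspNetUserRoles and AspNetRoleClaims tables, and the names U, R and C1..C3 are taken from the question.

```csharp
// Added example: a stand-in for ASP.NET Identity's principal construction,
// not Identity's own source. Shows that role claims and direct user claims
// are merged into one multiset of claims; nothing picks x1 over y1.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

static class ClaimsMergeDemo
{
    // Constructed data standing in for AspNetRoleClaims.
    static readonly Dictionary<string, List<Claim>> RoleClaims = new Dictionary<string, List<Claim>>
    {
        ["R"] = new List<Claim> { new Claim("C1", "x1"), new Claim("C2", "x2"), new Claim("C3", "x3") },
    };

    // Constructed data standing in for AspNetUserRoles.
    static readonly Dictionary<string, List<string>> UserRoles = new Dictionary<string, List<string>>
    {
        ["U"] = new List<string> { "R" },
    };

    // Constructed data standing in for AspNetUserClaims.
    static readonly Dictionary<string, List<Claim>> UserClaims = new Dictionary<string, List<Claim>>
    {
        ["U"] = new List<Claim> { new Claim("C1", "y1") },
    };

    // Imitates the default factory's order: name claim, then the user's own
    // claims, then for each role a role claim followed by that role's claims.
    public static ClaimsPrincipal BuildPrincipal(string userName)
    {
        var identity = new ClaimsIdentity("Identity.Application", ClaimTypes.Name, ClaimTypes.Role);
        identity.AddClaim(new Claim(ClaimTypes.Name, userName));

        if (UserClaims.TryGetValue(userName, out var direct))
            identity.AddClaims(direct);

        if (UserRoles.TryGetValue(userName, out var roles))
        {
            foreach (var role in roles)
            {
                identity.AddClaim(new Claim(ClaimTypes.Role, role));
                if (RoleClaims.TryGetValue(role, out var viaRole))
                    identity.AddClaims(viaRole);
            }
        }

        return new ClaimsPrincipal(identity);
    }

    // What an authorization check sees: every value of C1, not a single winner.
    public static IReadOnlyList<string> ValuesOf(ClaimsPrincipal principal, string claimType) =>
        principal.FindAll(claimType).Select(c => c.Value).ToList();

    static void Main()
    {
        var user = BuildPrincipal("U");

        Console.WriteLine("C1 values: " + string.Join(", ", ValuesOf(user, "C1")));
        Console.WriteLine("HasClaim(C1, x1): " + user.HasClaim("C1", "x1"));
        Console.WriteLine("HasClaim(C1, y1): " + user.HasClaim("C1", "y1"));
        Console.WriteLine("IsInRole(R): " + user.IsInRole("R"));
    }
}
```

Running this shows that the principal holds both C1=x1 and C1=y1 side by side: a ClaimsIdentity is a multiset keyed by (type, value), so the database model never resolves the "contradiction", and a policy such as RequireClaim("C1", "x1") simply asks whether any matching claim is present. Two practical consequences for whoever administers such a system: a claim granted directly to a user cannot override or narrow a claim inherited from a role, and revoking a permission therefore means removing it from every place it can be sourced from (the user's own claims and each of the user's roles), or rotating the affected claim type altogether. Keeping each claim type sourced from only one of the two tables avoids that ambiguity.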

Answers (0)
