I have successfully created a simple MVC 6 application which uses my own ApplicationUser, an ApplicationUserStore (implementing IUserStore and IUserPasswordStore) and ApplicationUserManager (extending UserManager). The login does now work perfectly. Now I do want to extend my project to support annotations in my controllers like the following:

    [Authorize(Roles = "TestRole")]
    public IActionResult Trips()
    {
      ...
    }

Therefore I have also created my own ApplicationRole, ApplicationRoleManager, ApplicationRoleStore and registered them in my Startup:

    services.AddIdentity<ApplicationUser, ApplicationRole>(config =>
    {
        config.User.RequireUniqueEmail = true;
        config.Password.RequiredLength = 8;
        config.Cookies.ApplicationCookie.LoginPath = "/Auth/Login";
        config.Cookies.ApplicationCookie.AutomaticAuthenticate = true;
    }).AddUserStore<ApplicationUserStore<ApplicationUser>>()
    .AddRoleStore<ApplicationRoleStore<ApplicationRole>>()
    .AddUserManager<ApplicationUserManager>()
    .AddRoleManager<ApplicationRoleManager>(); 

My problem is now that the annotation does not work at all. Actually I hoped that somehow the Roles method (from IQueryableRoleStore) in my ApplicationRoleStore would be fired.

Am I missing a binding somewhere, or do I have a completely wrong idea of the identity/role concept?

marco birchler
  • Hi Marco! Can you contact me at dawidr@epoczta.pl? I got some questions about implementing role and custom identity users implementation in ASP.NET 5. – Dawid Rutkowski Dec 14 '15 at 19:21

1 Answer

Authorize attribute:

    [Authorize(Roles = "TestRole")]
    public IActionResult Trips()
    {
      ...
    }

is not going to invoke any identity stuff. It is only going to check if the current user is in the role "TestRole" and only allow access if the user is in the role. This will be a check against the role cookie.

You still need to build your own UI for managing role membership, adding and removing users from roles, in order to get that role into a user's cookie.

If you need more ideas I have a project here that has role management implemented as well as Identity without entity framework

Joe Audette
  • Thanks Joe. What do you mean with "check against the role cookie"? Where is the code for this check? As my users don't need their own roles I actually don't need the UI for managing the roles. I can live with a hardcoded fixed set of roles. And now I am going to check out your project in detail. – marco birchler Dec 10 '15 at 07:23
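
The "check against the role cookie" described in the answer, as an added example that is not code from the question, the answer or the linked project: role authorization calls `IsInRole` on the principal restored from the cookie, which only looks at that principal's role claims. `BuildPrincipal` is a hypothetical stand-in for the sign-in step, and the user name and the `"roles"` claim type are constructed sample values.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;

public static class RoleCookieDemo
{
    // Hypothetical helper (assumption): stands in for the sign-in step that turns
    // a user plus the roles loaded for that user into the principal that is
    // serialized into the authentication cookie.
    public static ClaimsPrincipal BuildPrincipal(
        string userName, IEnumerable<string> roles, string roleClaimType)
    {
        var claims = new List<Claim> { new Claim(ClaimTypes.Name, userName) };
        foreach (var role in roles)
        {
            claims.Add(new Claim(roleClaimType, role));
        }

        // The fourth argument tells IsInRole which claim type counts as a role.
        var identity = new ClaimsIdentity(
            claims, "ApplicationCookie", ClaimTypes.Name, ClaimTypes.Role);
        return new ClaimsPrincipal(identity);
    }

    public static void Main()
    {
        // Constructed sample principals.
        // 1. A role claim of the expected type was added at sign-in.
        var withRole = BuildPrincipal("marco", new[] { "TestRole" }, ClaimTypes.Role);
        // 2. No roles were loaded at sign-in, so the cookie carries no role claims.
        var noRoles = BuildPrincipal("marco", new string[0], ClaimTypes.Role);
        // 3. The role was stored under a claim type the identity does not treat as a role.
        var wrongType = BuildPrincipal("marco", new[] { "TestRole" }, "roles");

        // The same test the Roles check performs: no manager or store is consulted,
        // only the claims on the principal.
        Console.WriteLine("role claim present:  " + withRole.IsInRole("TestRole"));
        Console.WriteLine("no role claims:      " + noRoles.IsInRole("TestRole"));
        Console.WriteLine("wrong claim type:    " + wrongType.IsInRole("TestRole"));
    }
}
```

Only the first principal passes the check. In ASP.NET Identity the role claims are added at sign-in when the user store also implements `IUserRoleStore<TUser>`, so a fixed, hardcoded role set can be returned from that store's `GetRolesAsync`.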