As per the JWT docs, only minimal info is stored in the JWT; anything else needs to be explicitly included and extracted using the JWT AuthProvider filters.
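To make the filter pair concrete, here is an added example (my own code, not the thread's and not ServiceStack's) of a `JwtAuthProvider` registration whose `CreatePayloadFilter` copies one extra session value into the token and whose `PopulateSessionFilter` restores it on each request. The `dept` claim name and the `jwt.AuthKeyBase64` setting are assumptions for illustration; the filter delegate types (`Action<JsonObject, IAuthSession>` and `Action<IAuthSession, JsonObject, IRequest>`) are the real ones.

```csharp
// Added example, not code from the thread or from ServiceStack itself.
using System.Collections.Generic;
using Funq;
using ServiceStack;
using ServiceStack.Auth;

public class AppHost : AppHostBase
{
    public AppHost() : base("JwtFilterDemo", typeof(AppHost).Assembly) { }

    public override void Configure(Container container)
    {
        Plugins.Add(new AuthFeature(() => new AuthUserSession(),
            new IAuthProvider[]
            {
                new JwtAuthProvider(AppSettings)
                {
                    // Assumption: the HMAC key is read from app settings.
                    AuthKeyBase64 = AppSettings.GetString("jwt.AuthKeyBase64"),

                    // Runs when the JWT is issued. Only the default minimal
                    // claims are written for you; anything else must be copied
                    // into the payload explicitly here.
                    CreatePayloadFilter = (payload, session) =>
                    {
                        if (session is AuthUserSession s && s.Meta != null
                            && s.Meta.TryGetValue("dept", out var dept))
                        {
                            payload["dept"] = dept; // "dept" is a made-up claim name
                        }
                    },

                    // Runs when a request presents a (signature-verified) JWT.
                    // The session is rebuilt from the payload, so only what
                    // CreatePayloadFilter put in the token is available.
                    PopulateSessionFilter = (session, payload, req) =>
                    {
                        if (session is AuthUserSession s
                            && payload.TryGetValue("dept", out var dept))
                        {
                            s.Meta ??= new Dictionary<string, string>();
                            s.Meta["dept"] = dept;
                        }
                    },
                },
            }));
    }
}
```

Two caveats worth keeping in mind: the payload is only base64url-encoded, not encrypted, so never put secrets in it; and values read back in `PopulateSessionFilter` are trustworthy only because the provider has already verified the token signature, so keep that filter free of any logic that would accept unverified input from elsewhere on the request.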
That was helpful, I solved the missing roles by copying the code from the MicrosoftGraphProvider that gets the roles from the id_token inside the CreatePayloadFilter.
I also have a mismatch between the ss-tok email address and the ClaimsIdentity email claim that is created from the BlazorServerAuthenticationStateProvider. When I use https://jwt.io to inspect the ss-tok cookie, I see my email address clearly stored there. However, when I use User.GetEmail() to retrieve the user’s email address, it comes back with the username field from UserAuthDetails, which is a guid field and not my email address.
I can see on line 303 of BlazorServerUtils where this is being set:
new Claim(ClaimTypes.Email, session.UserName),
What is the best way to alter this functionality?
I’ve moved the claims generation to the overridable AsClaimsAsync() on AuthUserSession and changed the default behavior to only use UserAuthName if it’s an Email; otherwise it will default to the Email property in this commit.

This change is available from v6.5.1, which is now available on MyGet.
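For readers on an older version, or who want a different rule than the new default, here is an added example (my own code, not the commit's) of a custom session subclass that overrides the claims generation so `ClaimTypes.Email` is always taken from a real email address rather than a GUID `UserAuthName`. The override name follows the post above, but the exact base signature (`Task<List<Claim>> AsClaimsAsync()`) is an assumption; check the referenced commit before relying on it. `MailAddress.TryCreate` requires .NET 5 or later.

```csharp
// Added example, not code from the thread or from ServiceStack itself.
using System.Collections.Generic;
using System.Net.Mail;
using System.Security.Claims;
using System.Threading.Tasks;
using ServiceStack;
using ServiceStack.Auth;

public class CustomUserSession : AuthUserSession
{
    // Assumed base signature; adjust to match the commit referenced above.
    public override async Task<List<Claim>> AsClaimsAsync()
    {
        var claims = await base.AsClaimsAsync();

        // Drop whatever the base class put under Email so we never end up
        // with two conflicting Email claims on the principal.
        claims.RemoveAll(c => c.Type == ClaimTypes.Email);

        // Prefer UserAuthName only when it really is an address; a GUID
        // username (as in the question above) falls through to Email.
        var email = IsEmail(UserAuthName) ? UserAuthName : Email;
        if (!string.IsNullOrEmpty(email))
            claims.Add(new Claim(ClaimTypes.Email, email));

        return claims;
    }

    private static bool IsEmail(string value) =>
        !string.IsNullOrEmpty(value) && MailAddress.TryCreate(value, out _);
}

// Registration: hand the custom session factory to AuthFeature so the
// override is used for every authenticated request.
// Plugins.Add(new AuthFeature(() => new CustomUserSession(), authProviders));
```

`MailAddress.TryCreate` is deliberately used instead of a bare `Contains("@")` check so that a display-name-style username such as `"Jane <jane@example.org>"` is not mistaken for the address itself; the parsed address is what the rest of the application will compare against, so it should be the unambiguous form.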