Very Strange Issue in Authentication - Causes Roles to come back wrong

Sigh.

These must be App roles used in Attributes.

I understand what you say, but it returns all App Roles on localhost (as you explained), but when deployed and running in a docker container in AWS and pointing to the same db with exactly the same source code and logging in as the same user it only shows the user as having the Admin Role. I tried to reproduce it using a clean project with OrmLite, but am not able to reproduce. We can do a Zoom session so you can take remote control over my PC on the project that is giving the issues. It is mostly AutoQuery AutoCrudGen stuff with some views. Very little code that can cause this.

This definitely sounds environment related since “Client” and “Partner” aren’t something we have in any templates or samples that I can think of.

Are you sharing a remote cache server? If so, how is a cache entry resolved? Eg, by email/id/something else? Is it possible this shared resource is conflicting in ways between deployments/databases etc?

Remove any shared infra (eg, create a stand alone reproduction) and you will likely find the root cause of the issue.

It returns App roles for the Admin user which indicates you have it defined in your code base, do a simple string search in your code base to find it, otherwise create a stand alone repro.

So we use a shared Postgres db sitting in the cloud for tables and for cache. So both the localhost (on my machine) and the one in the cloud point to the same database. I created a release and sent it to one of my developers who did a dotnet run on exactly the same project with the same db, and only gets Admin as the role when he logs in. When I run the same release on my PC, I get Admin,SuperUser as my roles. I clear browser cache and cookies and the CacheEntry caching table before logging in. The CacheEntry table shows just Admin as the role.

I went to postman now and did the following two calls.

https://marketinnovationsapi.dev.scad.tk/auth/login.json. Below is the response.

{
    "UserId": "1",
    "SessionId": "MOhBNGObvTdxG4jxlmiE",
    "UserName": "andy.fensham@scadsoftware.com",
    "DisplayName": "Andy Fensham",
    "ProfileUrl": "data:image/svg+xml,%3Csvg width='100' height='100' viewBox='0 0 100 100' xmlns='http://www.w3.org/2000/svg'%3E %3Cstyle%3E .path%7B%7D %3C/style%3E %3Cg id='male-svg'%3E%3Cpath fill='%23556080' d='M1 92.84V84.14C1 84.14 2.38 78.81 8.81 77.16C8.81 77.16 19.16 73.37 27.26 69.85C31.46 68.02 32.36 66.93 36.59 65.06C36.59 65.06 37.03 62.9 36.87 61.6H40.18C40.18 61.6 40.93 62.05 40.18 56.94C40.18 56.94 35.63 55.78 35.45 47.66C35.45 47.66 32.41 48.68 32.22 43.76C32.1 40.42 29.52 37.52 33.23 35.12L31.35 30.02C31.35 30.02 28.08 9.51 38.95 12.54C34.36 7.06 64.93 1.59 66.91 18.96C66.91 18.96 68.33 28.35 66.91 34.77C66.91 34.77 71.38 34.25 68.39 42.84C68.39 42.84 66.75 49.01 64.23 47.62C64.23 47.62 64.65 55.43 60.68 56.76C60.68 56.76 60.96 60.92 60.96 61.2L64.74 61.76C64.74 61.76 64.17 65.16 64.84 65.54C64.84 65.54 69.32 68.61 74.66 69.98C84.96 72.62 97.96 77.16 97.96 81.13C97.96 81.13 99 86.42 99 92.85L1 92.84Z'/%3E%3C/g%3E%3C/svg%3E",
    "Roles": [
        "Admin"
    ],
    "Permissions": []
}

and

https://localhost:5001/auth/login.json. Below is the response.

{
    "UserId": "1",
    "SessionId": "SgAfpgLIUxr30AwGZ7U2",
    "UserName": "andy.fensham@scadsoftware.com",
    "DisplayName": "Andy Fensham",
    "ProfileUrl": "data:image/svg+xml,%3Csvg width='100' height='100' viewBox='0 0 100 100' xmlns='http://www.w3.org/2000/svg'%3E %3Cstyle%3E .path%7B%7D %3C/style%3E %3Cg id='male-svg'%3E%3Cpath fill='%23556080' d='M1 92.84V84.14C1 84.14 2.38 78.81 8.81 77.16C8.81 77.16 19.16 73.37 27.26 69.85C31.46 68.02 32.36 66.93 36.59 65.06C36.59 65.06 37.03 62.9 36.87 61.6H40.18C40.18 61.6 40.93 62.05 40.18 56.94C40.18 56.94 35.63 55.78 35.45 47.66C35.45 47.66 32.41 48.68 32.22 43.76C32.1 40.42 29.52 37.52 33.23 35.12L31.35 30.02C31.35 30.02 28.08 9.51 38.95 12.54C34.36 7.06 64.93 1.59 66.91 18.96C66.91 18.96 68.33 28.35 66.91 34.77C66.91 34.77 71.38 34.25 68.39 42.84C68.39 42.84 66.75 49.01 64.23 47.62C64.23 47.62 64.65 55.43 60.68 56.76C60.68 56.76 60.96 60.92 60.96 61.2L64.74 61.76C64.74 61.76 64.17 65.16 64.84 65.54C64.84 65.54 69.32 68.61 74.66 69.98C84.96 72.62 97.96 77.16 97.96 81.13C97.96 81.13 99 86.42 99 92.85L1 92.84Z'/%3E%3C/g%3E%3C/svg%3E",
    "Roles": [
        "Admin",
        "SuperUser"
    ],
    "Permissions": []
}

Both run exactly the same source code and point to the same database.

Did you check your App code base for these roles?

These aren’t roles that exist in the fx suggesting it’s an issue with your environment, e.g. you’re not running the version you think you are.

Either way we’ll need a repro to assist any further.

Managed to reproduce the issue. Here is the git repo.

Download the repo and run it. Go to https://localhost:5001/login and login as andy.fensham@scadsoftware.com. Password is in the repo. It will bring back that I am in Admin and SysAdmin Role.

Then downgrade to an earlier version, 6.3.0 or 6.2.1. Again log in as andy.fensham@scadsoftware.com. It will show you are in the Admin Role only. Also, on the 6.3.1 package, browsing to Users shows empty users in 6.3.1.

The roles behavior is working as expected; returning all App Roles for the Admin user is a change in this next release, as our Blazor auth components require it for the Admin user to have access to protected components.

I’ll checkout the Admin Users issue.

The Admin UI issue was due to changing the JSON camelCasing default, which should be resolved from the latest v6.3.1+ that’s now available on MyGet.

Thanks Mythz. Just a question. We work in the banking industry, where segregation of duties is very important. So in my case someone can be an Admin (who can create users, for example) but does not have any access to other functions etc. With an Admin also getting all the other roles as well, that would make it impossible to handle segregation of duties. Do you maybe have a solution for that?

Choose a different role. Do not use the built-in super user Admin role for any restricted App role, it always has access to everything.
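The pattern recommended in that last reply, written out as an added example (this is not code from the thread, from the reporter's repo, or from ServiceStack's own samples): duties are split into ordinary App roles such as "UserManager" and "PaymentApprover", the built-in Admin super user role is reserved for break-glass use and is never handed to a restricted account, and the user-management service refuses to grant Admin or any role outside a fixed allow-list. The role names, the DTOs, the AppRoles constants, the seeding helper and the constructed seed accounts and passwords are all assumptions made for the illustration; only the `[RequiredRole]`, `Service`, `IAuthRepository`, `CreateUserAuth`, `AssignRoles`, `GetUserAuthByUserName`, `RoleNames.Admin` and `HttpError.Forbidden` usages are ServiceStack API.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using ServiceStack;
using ServiceStack.Auth;

// Restricted App roles (assumed names). None of them is RoleNames.Admin, so an
// account holding one of these does NOT implicitly hold the others.
public static class AppRoles
{
    public const string UserManager = "UserManager";
    public const string PaymentApprover = "PaymentApprover";
    public const string AppUser = "AppUser";

    // Roles a UserManager is allowed to grant. Admin is deliberately absent.
    public static readonly string[] GrantableByUserManager = { AppUser, PaymentApprover };
}

// Request/response DTOs (assumed for the example).
[Route("/app-users", "POST")]
public class CreateAppUser : IReturn<CreateAppUserResponse>
{
    public string Email { get; set; }
    public string DisplayName { get; set; }
    public string Password { get; set; }
    public List<string> Roles { get; set; }
}
public class CreateAppUserResponse { public string UserId { get; set; } }

[Route("/payments/{PaymentId}/approve", "POST")]
public class ApprovePayment : IReturn<ApprovePaymentResponse>
{
    public int PaymentId { get; set; }
}
public class ApprovePaymentResponse { public int PaymentId { get; set; } public string ApprovedBy { get; set; } }

// Only UserManager may reach this service. The built-in Admin role also passes
// every [RequiredRole] check, which is exactly why an account that must be
// limited to user management is never given Admin.
[RequiredRole(AppRoles.UserManager)]
public class UserManagementService : Service
{
    public object Post(CreateAppUser request)
    {
        var requested = request.Roles ?? new List<string>();

        // Segregation of duties: a UserManager can create accounts but can only
        // hand out roles from a fixed allow-list. Granting Admin (or UserManager
        // itself, i.e. self-propagation) is refused outright.
        var disallowed = requested
            .Where(r => !AppRoles.GrantableByUserManager.Contains(r, StringComparer.OrdinalIgnoreCase))
            .ToList();
        if (disallowed.Count > 0)
            throw HttpError.Forbidden("Cannot grant role(s): " + string.Join(", ", disallowed));

        var user = AuthRepository.CreateUserAuth(
            new UserAuth { Email = request.Email, UserName = request.Email, DisplayName = request.DisplayName },
            request.Password);
        AuthRepository.AssignRoles(user, roles: requested);

        return new CreateAppUserResponse { UserId = user.Id.ToString() };
    }
}

// A separate duty guarded by a separate role; a UserManager cannot call this.
[RequiredRole(AppRoles.PaymentApprover)]
public class PaymentApprovalService : Service
{
    public object Post(ApprovePayment request)
    {
        var session = GetSession();
        // Real approval logic (e.g. an OrmLite update) would go here.
        return new ApprovePaymentResponse { PaymentId = request.PaymentId, ApprovedBy = session.UserAuthName };
    }
}

// Seeding helper (assumed; call it from AppHost.Configure after the auth repo is
// registered). Note that the Admin account is created separately and is the only
// one holding RoleNames.Admin; the duty accounts get exactly one App role each.
public static class RoleSeeder
{
    public static void Seed(IAuthRepository authRepo)
    {
        Ensure(authRepo, "breakglass@example.com", "Break Glass", "change-me-1", RoleNames.Admin);
        Ensure(authRepo, "usermgr@example.com", "User Manager", "change-me-2", AppRoles.UserManager);
        Ensure(authRepo, "approver@example.com", "Payment Approver", "change-me-3", AppRoles.PaymentApprover);
    }

    static void Ensure(IAuthRepository authRepo, string email, string name, string password, string role)
    {
        if (authRepo.GetUserAuthByUserName(email) != null) return;
        var user = authRepo.CreateUserAuth(new UserAuth { Email = email, UserName = email, DisplayName = name }, password);
        authRepo.AssignRoles(user, roles: new[] { role });
    }
}
```

With this layout the "Admin returns all App Roles" behaviour described earlier in the thread stops mattering for segregation of duties: the only account affected by it is the break-glass Admin, and the audit question becomes "who holds Admin", which is easy to answer and enforce. Because the seed passwords here are constructed placeholders, in a real deployment they would come from a secret store and be rotated on first login.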