Skip to content

Commit e3be8f6

Browse files
committed
🔥 Remove redundant RoleClaimType from JwtBearer token validation
RoleClaimType only influences IsInRole() and [Authorize(Roles = ...)], neither of which this platform uses. Authorization reads FindAll(ClaimTypes.Role), and those claims are produced solely by RolesClaimsTransformation, which extracts roles from the configured RolesClaim path (including nested paths such as realm_access.roles) and normalizes them to ClaimTypes.Role. RoleClaimType does not rename or emit claims, so setting it changed nothing. Drop it and document why it stays unset.
1 parent 7136310 commit e3be8f6

1 file changed

Lines changed: 5 additions & 2 deletions

File tree

‎src/ServiceControl.Hosting/Auth/HostApplicationBuilderExtensions.cs‎

Lines changed: 5 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -43,12 +43,15 @@ public static void AddServiceControlAuthentication(this IHostApplicationBuilder
4343
ValidateLifetime = oidcSettings.ValidateLifetime,
4444
ValidateIssuerSigningKey = oidcSettings.ValidateIssuerSigningKey,
4545
ValidAudience = oidcSettings.Audience,
46-
ClockSkew = TimeSpan.FromMinutes(5), // Allow 5 minutes clock skew
47-
RoleClaimType = oidcSettings.RolesClaim
46+
ClockSkew = TimeSpan.FromMinutes(5) // Allow 5 minutes clock skew
4847
};
4948
options.RequireHttpsMetadata = oidcSettings.RequireHttpsMetadata;
5049
// Don't map inbound claims to legacy Microsoft claim types
5150
options.MapInboundClaims = false;
51+
// No RoleClaimType is set: it only influences IsInRole()/[Authorize(Roles = ...)],
52+
// which this platform does not use. Roles are read from RolesClaim (which may be a
53+
// nested path such as realm_access.roles) and normalized to ClaimTypes.Role by
54+
// RolesClaimsTransformation, which is what the authorization handlers actually read.
5255

5356
// Custom error response handling for better client experience
5457
options.Events = new JwtBearerEvents

0 commit comments

Comments
 (0)