23

I have an ASP.NET MVC 5 application. I'm using the standard ASP.NET Identity provider for user and role management. It is important that I'm using the IdentityUser from my own repository project, but this seems OK. I can register, log in, edit users, and manage their roles.

I add a user to a role with these lines:

    UserManager.AddToRole(userdetail.Id, r);
    db.Entry(userdetail).State = EntityState.Modified;
    db.SaveChanges();

This seems to work at the DB level.

But I can't use role-based authentication; actually, even the simplest

    HttpContext.User.IsInRole("Administrator")

doesn't work either.

    [Authorize(Roles="Administrator")]

doesn't work either.

I can check whether the user is an administrator only with this method:

    UserManager.IsInRole(userID, "Administrator")

Why?

In every tutorial I found, everything works fine. Could the different project repository be the reason? Or is ASP.NET Identity that broken?

Please advise,

martonx

4 Answers

25

In that case you need to log the user out and in again.

Because the roles data is also stored in cookies, you must issue the cookie again for it to work.

karlingen
Maulik Anand
  • 2
    You can also achieve the same thing without having to log the user in and out again by updating the security stamp. See http://stackoverflow.com/a/19505060/110871 – Funka Jun 13 '14 at 22:19
23

There seems to be an issue. [The issue by design]

  • The role names are case sensitive in AuthorizeAttribute and User.IsInRole
  • The role names are case insensitive in UserManager.IsInRole

Moreover, check that the correct role name is used for the verification.

[The above is based on the test performed with below code. Role Name="Admin", User is added to Role "Admin".]

    [Authorize(Roles="Admin")] /*True as "Admin" has A capital as entered in Role name*/
    public ActionResult Secured()
    {
        if (User.IsInRole("admin")) /*This is False*/
        {
            Console.WriteLine("In");
        }
        if (UserManager.IsInRole(User.Identity.GetUserId(), "admin")) /*This is True!!*/
        {
            Console.WriteLine("In");
        }
        return View();
    }

If we change the attribute to [Authorize(Roles="admin")], it redirects to Login page.

Jimmy
jd4u
  • Do you happen to know how to bypass this, because I have the exact same issue? I use a custom user and role store, but I'm guessing that should be noted, but it works fine using the manager and not through User and annotation. – Base Jun 20 '16 at 22:57
  • This saved my life. I don't know why this answer wasn't accepted. Nothing else mentions this. Go look up "Identity userinrole" on Google and you'll see the inaccurate "User.IsInRole" – DtechNet Feb 27 '17 at 21:47
  • Case sensitivity in this is just criminal, it must be a bug. I found this in my own code and only found this answer after wasting a nice chunk of time. Upticking your answer! – Steve Hibbert Jul 21 '17 at 16:13
  • I don't know why this answer IS accepted. I am using an Authorize attribute on a controller, casing is exactly the same as my role, spelling is exactly the same as my role, I am definitely assigned to the role (I've checked via RoleManager calls and looked at the db itself) and it's still not letting me in. This is in a .Net Core API project. – ataraxia Jan 27 '20 at 10:40
  • @ataraxia in this case, the original question specifically stated that the Authorize attribute and User.IsInRole did not work, but UserManager.IsInRole did. The known reason why these return different results is case sensitivity, i.e. this answer. In your case, it may be a different problem. Try to reproduce the original, i.e. check if UserManager.IsInRole works. If UserManager (case insensitive) does not work either, then you have a different problem than the original poster (e.g. cached data in cookie). – Sly Gryphon May 08 '20 at 01:58
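
The two causes given in the answers above (role data fixed in the cookie at sign-in, and exact-case matching in `User.IsInRole` and `[Authorize]`) can be told apart with a small diagnostic. This is an added example, not code from any of the posts; `RoleCheck.Diagnose`, the sample user and the `storeRoles` array (standing in for the role list the UserManager would return) are assumptions.

```csharp
using System;
using System.Linq;
using System.Security.Claims;

static class RoleCheck
{
    // storeRoles stands in for the roles the UserManager reports for this user (assumption).
    public static string Diagnose(ClaimsPrincipal user, string[] storeRoles, string role)
    {
        // Same test User.IsInRole performs: an exact (ordinal) match on the role claims.
        if (user.IsInRole(role)) return "granted";

        // Roles as they were written into the principal when the cookie was issued.
        var cookieRoles = user.FindAll(ClaimTypes.Role).Select(c => c.Value).ToArray();
        var nearMiss = cookieRoles.FirstOrDefault(
            r => string.Equals(r, role, StringComparison.OrdinalIgnoreCase));
        if (nearMiss != null)
            return "case mismatch: cookie has '" + nearMiss + "'";

        // The store knows the role but the principal does not: cookie predates the change.
        if (storeRoles.Contains(role, StringComparer.OrdinalIgnoreCase))
            return "stale cookie: role is in the store but not in the sign-in claims";

        return "not in role";
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample: claims captured at sign-in, before any role change.
        var identity = new ClaimsIdentity(
            new[] { new Claim(ClaimTypes.Name, "alice"), new Claim(ClaimTypes.Role, "Admin") },
            "ApplicationCookie");
        var user = new ClaimsPrincipal(identity);

        // Constructed sample: "Editor" was added in the database after sign-in.
        var storeRoles = new[] { "Admin", "Editor" };

        foreach (var role in new[] { "Admin", "admin", "Editor", "Auditor" })
            Console.WriteLine(role + " -> " + RoleCheck.Diagnose(user, storeRoles, role));
    }
}
```

Declaring role names once as constants and using those constants both when assigning roles and in `[Authorize(Roles = ...)]` keeps the two spellings from drifting apart.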
0

Do you have this entry in your web.config?

    <roleManager enabled="true">
        <providers>
            <clear />
            <add connectionStringName="ApplicationServices" name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider" applicationName="/" />
        </providers>
    </roleManager>

Also, if I remember correctly, there is a different namespace for the role provider assembly in different versions of .NET.

Fred Chateau
  • 9
    Are you talking about the latest ASP.NET MVC 5 with ASP.NET Identity? – martonx Nov 22 '13 at 05:48
  • roleManager is for the role provider (https://msdn.microsoft.com/en-us/library/system.web.security.roleprovider(v=vs.110).aspx); it's basically deprecated and is not ASP.NET Identity as requested – JDPeckham May 26 '18 at 02:13
0

I was using IsInRoleAsync in ASP.NET Core, and in my case the problem was that I had ignored the role's normalized name when I created it. After updating the normalized name for the role, everything worked properly.

Amir Zare