ASP.NET Core 3.1 Azure App IsInRole/AuthorizeView work locally, but not when published
I have an ASP.NET Blazor server app which I am trying to add Roles to. I have got the Roles added on the Azure portal, and when testing locally on localhost the Roles work fine and I can control who sees what parts of the app. However, when I publish the app to App Service and test it out, no user has any roles and therefore can't use any of the app.
On my Azure App, the identity provider is set to Microsoft.
I added the following output to the top of a page of the app in order to determine what is going on.
```razor
foreach (var claim in authenticationState.User.Claims) {
    <b>@claim.Type:@claim.Value</b><br/>
}
```
When testing locally, I see the following:
...
http://schemas.microsoft.com/ws/2008/06/identity/claims/role:qa
http://schemas.microsoft.com/ws/2008/06/identity/claims/role:patcher
...
When it is published, I see:
...
roles:qa
roles:patcher
...
So I'm assuming that my issue is that the AuthorizeView component and IsInRole method are failing because the claim type for the role is not what is expected. It would seem that it is expecting the full namespaced type, however when published we are being given just roles.
My ConfigureServices method is:
```csharp
services.AddMicrosoftIdentityWebAppAuthentication(Configuration)
    .EnableTokenAcquisitionToCallDownstreamApi(new List<string> { "user.read" })
    .AddInMemoryTokenCaches();

services.AddControllersWithViews(options => {
    var policy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();
    options.Filters.Add(new AuthorizeFilter(policy));
}).AddMicrosoftIdentityUI();

services.AddAuthorization(options => {
    options.FallbackPolicy = options.DefaultPolicy;
});

services.AddRazorPages();
services.AddServerSideBlazor().AddMicrosoftIdentityConsentHandler();
```
I have tried adding each of, and both of, the commented lines below as well; however, neither fixed it when published or broke it locally, which leads me to think that the Configure is not having an effect.
```csharp
services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options => {
    //options.TokenValidationParameters.RoleClaimType = "roles";
    //options.ClaimActions.MapJsonKey(ClaimTypes.Role, "roles");
});
```
Anyone got any ideas why the claim types would be different when testing locally and when published, and how I can fix this so everything works in both environments?
Cheers
Solution 1:[1]
I am pleased to say I have now solved this. My problem was that I had Authentication set up on my App Services App. I didn't need this, as the authentication was being dealt with BY my App itself. So, after I had removed the authentication from the App (but left the App Registration and Enterprise App bits untouched) it all works.
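
An added example, not part of the original question or answer: a small C# console program that reproduces the mismatch the question infers, where role values sit under `roles` while `IsInRole` consults the identity's `RoleClaimType`. The `RoleClaimDiagnostics` class, its `Describe` and `Build` helpers, and the `SampleScheme` authentication type are hypothetical names, and the claims are constructed from the role values shown in the question.

```csharp
using System;
using System.Linq;
using System.Security.Claims;

static class RoleClaimDiagnostics
{
    // Reports, per identity, which claim type IsInRole consults and how many
    // claims sit under the short "roles" type where IsInRole will not see them.
    public static string Describe(ClaimsPrincipal user)
    {
        var lines = user.Identities.Select(id =>
        {
            int matched = id.Claims.Count(c => c.Type == id.RoleClaimType);
            int unseen = id.RoleClaimType == "roles"
                ? 0
                : id.Claims.Count(c => c.Type == "roles");
            return $"auth={id.AuthenticationType} roleClaimType={id.RoleClaimType} " +
                   $"matching={matched} unseenRolesClaims={unseen}";
        });
        return string.Join(Environment.NewLine, lines);
    }

    // Builds a principal from constructed sample claims (assumption: one identity,
    // hypothetical "SampleScheme" authentication type).
    static ClaimsPrincipal Build(string claimType, string roleClaimType)
    {
        var claims = new[] { new Claim(claimType, "qa"), new Claim(claimType, "patcher") };
        var identity = new ClaimsIdentity(claims, "SampleScheme", ClaimTypes.Name, roleClaimType);
        return new ClaimsPrincipal(identity);
    }

    static void Main()
    {
        // Local run in the question: role values arrive under the namespaced type.
        var local = Build(ClaimTypes.Role, ClaimTypes.Role);
        // Published run: values arrive as "roles"; assumed here that the identity
        // still looks for ClaimTypes.Role, as the question infers.
        var published = Build("roles", ClaimTypes.Role);
        // Identity whose RoleClaimType matches the claim type it actually carries.
        var aligned = Build("roles", "roles");

        foreach (var (name, user) in new[] { ("local", local), ("published", published), ("aligned", aligned) })
        {
            Console.WriteLine($"{name}: IsInRole(\"qa\")={user.IsInRole("qa")}");
            Console.WriteLine("  " + Describe(user));
        }
    }
}
```

Calling `Describe(authenticationState.User)` next to the claim dump from the question also shows each identity's `AuthenticationType`, which helps tell which layer produced the principal the app is evaluating.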
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | hugeandy |
