ASP.NET Web Api with Role based authorization

Question

I am using Web API 2 with OWIN token based authentication. Only thing that is not working is authorization based on roles.

In my implementation of AuthorizationServerProvider.GrantResourceOwnerCredentials this is how i assign roles:

identity.AddClaim(client.ApplicationType == ApplicationTypes.WebClient
            ? new Claim(ClaimTypes.Role, "user")
            : new Claim(ClaimTypes.Role, "admin"));

But in the Controller using [Authenticate(Roles="user")] just returns a Authorization denied message to the client. I checked the variables and this is whats inside

So the role seems to be there, but user.Claims is empty and IsInRole("user") also returns negative.

I found several questions here on stackoverflow and logic-wise i don't see what i missed. Only thing that comes to my mind is overwriting the Authorize Command but this is kind of needless as role based authorization seems to be integrated already...

EDIT: This is what my workig method looks like:

public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
    var allowedOrigin = context.OwinContext.Get<string>("as:clientAllowedOrigin") ?? "*";
        context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { allowedOrigin });

    Client client;
    using (var repo = new AuthRepository())
    {
        client = repo.FindClient(context.ClientId);
        if (client.ApplicationType != ApplicationTypes.Service)
        {
            var user = await repo.FindUser(context.UserName, context.Password);

            if (user == null)
            {
                context.SetError("invalid_grant", "The user name or password is incorrect." + context.UserName);
                return;
            }
        }
}

Answer 1

Don't add the role claim directly, use the UserManager instead:

UserManagerInstance.AddToRole(userId, "admin");

That way the role will be persisted (to the AspNetUserRoles or whatever you have configured) so it will be there for the later requests. This doesn't happen if you add the claim directly, since you're adding it to an "instance" of your user identity that will die with the current request.

TO ANSWER YOUR FURTHER REQUIREMENTS:

If you want the claims codified on the ticket then you have to do this after adding the claims the way you're doing (in GrantResourceOwnerCredentials):

var props = new AuthenticationProperties(new Dictionary<string, string>
        {
            { "userId", "blah,blah" },
            { "role", "admin" }
        });

var ticket = new AuthenticationTicket(identity, props);
context.Validated(ticket);

This way you don't have to "persist" these kind of users

Of course you would have to override the TokenEndpoint method of the OAuthAuthorizationServerProvider in order to retrive those data on later request/responses.

    public override Task TokenEndpoint(OAuthTokenEndpointContext context)
    {
        foreach (KeyValuePair<string, string> property in context.Properties.Dictionary)
        {
            context.AdditionalResponseParameters.Add(property.Key, property.Value);
        }

        return Task.FromResult<object>(null);
    }

Answer 2

Probably solved it somehow, but for me it works if I put it like this:

[Authorize(Roles = "user")]
[Route("")]
[HttpGet]
public async Task<IHttpActionResult> GetUserSpecificServers() { ... }