Role-based Authorization with Identity in .NET Core 1.1


I have implemented JWT bearer token based authentication and authorization in .NET Core 1.1. I also implemented UserManager for login and registration. I am matching the user's password against the PasswordHash using the code below.

// Look the user up by name, then let SignInManager verify the password against the stored hash.
var userDetails = await _userManager.FindByNameAsync(username);
var result = await _signInManager.CheckPasswordSignInAsync(userDetails, password, lockoutOnFailure: false);

I am getting an issue with role-based authorization. When I generate a JWT token for a User (User role type), it works fine and can only access methods or actions with the [Authorize(Roles = "User")] attribute. But when I use the [Authorize(Roles = "Administrator")] attribute, it is accessible by both the User and Admin role types. Below is the sample code:

using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Class-level requirement: caller must hold either role. Action-level [Authorize]
// attributes below are evaluated in addition to this one.
[Authorize(Roles = "Administrator, User")]
public class AnswersController : Controller
{
    private readonly IAnswerService answerServices = null;

    public AnswersController(IAnswerService _answerServices)
    {
        answerServices = _answerServices;
    }

    // GET: api/Answers
    // Intended to be reachable only by the Administrator role.
    [Authorize(Roles = "Administrator")]
    [HttpGet]
    public async Task<IActionResult> Get()
    {
        var result = await answerServices.GetAll();
        if (result == null)
        {
            return NotFound();
        }
        return Ok(result);
    }

    // GET: api/Answers/5
    // Intended to be reachable only by the User role.
    [Authorize(Roles = "User")]
    [HttpGet("{id}")]
    public async Task<IActionResult> Get([FromRoute] int id)
    {
        var result = await answerServices.GetByID(id);
        if (result == null)
        {
            return NotFound();
        }
        return Ok(result);
    }
}

There are 0 answers
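In ASP.NET Core, when several [Authorize] attributes apply to one action (here the class-level Roles = "Administrator, User" and the action-level Roles = "Administrator"), every one of them must be satisfied, and each role check is answered purely from the role claims inside the validated bearer token. The following is an added example, not code from the question, that issues a token with only the roles a user actually holds, validates it the way the JwtBearer middleware does, and evaluates the same stacked role requirement as the question's Get() action. The signing key, issuer, audience and user names are constructed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

// Added example (not from the question). Shows how the role claims inside the
// bearer token decide what [Authorize(Roles = "...")] sees.
public static class RoleTokenDemo
{
    // Placeholder secret (assumption); a real deployment loads this from configuration.
    static readonly SymmetricSecurityKey Key =
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes("0123456789abcdef0123456789abcdef"));
    const string Issuer = "https://example.local";   // placeholder
    const string Audience = "answers-api";           // placeholder

    // Issue a token carrying one ClaimTypes.Role claim per role the user holds.
    // In the question's setup, _userManager.GetRolesAsync(user) is what feeds `roles`.
    public static string IssueToken(string userName, IEnumerable<string> roles)
    {
        var claims = new List<Claim>
        {
            new Claim(JwtRegisteredClaimNames.Sub, userName),
            new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString())
        };
        // Only this user's roles. Emitting every role defined in the system here is the
        // usual way a "User" token ends up also satisfying Roles = "Administrator".
        claims.AddRange(roles.Select(r => new Claim(ClaimTypes.Role, r)));

        var token = new JwtSecurityToken(
            issuer: Issuer,
            audience: Audience,
            claims: claims,
            expires: DateTime.UtcNow.AddMinutes(30),
            signingCredentials: new SigningCredentials(Key, SecurityAlgorithms.HmacSha256));
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // Same validation the JwtBearer middleware performs. RoleClaimType must match the
    // claim type used at issuance, otherwise no [Authorize(Roles = ...)] check can pass.
    public static ClaimsPrincipal Validate(string jwt)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Audience,
            IssuerSigningKey = Key,
            RoleClaimType = ClaimTypes.Role,
            ClockSkew = TimeSpan.FromMinutes(1)
        };
        return new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out _);
    }

    // Mirrors the stacked attributes on the question's Get() action:
    // class-level [Authorize(Roles = "Administrator, User")] AND
    // action-level [Authorize(Roles = "Administrator")] must both hold.
    public static bool CanCallAdminGet(ClaimsPrincipal p) =>
        (p.IsInRole("Administrator") || p.IsInRole("User")) && p.IsInRole("Administrator");

    public static void Main()
    {
        var userToken  = IssueToken("alice", new[] { "User" });           // constructed
        var adminToken = IssueToken("bob",   new[] { "Administrator" });  // constructed

        Console.WriteLine($"User token reaches admin Get(): {CanCallAdminGet(Validate(userToken))}");
        Console.WriteLine($"Admin token reaches admin Get(): {CanCallAdminGet(Validate(adminToken))}");

        // List the role claims the server actually sees. This is the first thing to check
        // when a token issued for a User unexpectedly passes an Administrator-only action.
        foreach (var c in Validate(userToken).FindAll(ClaimTypes.Role))
            Console.WriteLine($"role claim in user token: {c.Value}");
    }
}
```

With the roles issued as above, CanCallAdminGet is false for the User-only token and true for the Administrator token. If a token issued for a User passes the Administrator-only action in a real deployment, decode that token (the payload is only base64url-encoded) and inspect its role claims: the behaviour in the question is consistent with the token carrying an Administrator role claim the user should not have, for example because the issuing code adds every role rather than the result of GetRolesAsync for that user.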