[Blazor WASM] AddAuthenticationStateSerialization with SerializeAllClaims does not add RoleClaims

[DjeeBay]

Describe the bug

Since .Net 9 we can serialize the "Authentication State" with this :
builder.Services.AddRazorComponents() .AddInteractiveWebAssemblyComponents() .AddAuthenticationStateSerialization( options => options.SerializeAllClaims = true);

But it looks like the RoleClaims are not added. They are correctly handled on server side but on client side there is no RoleClaims. Only UserRoles and UserClaims are serialized.

Expected Behavior

Client side the User should have all its claims (UserClaims and RoleClaims included).

[javiercn]

@DjeeBay thanks for contacting us.

@halter73 do you know what might be going on here?

[MackinnonBuck]

Thanks for reaching out, @DjeeBay.

Could you please clarify what you mean by "RoleClaims" vs "UserRoles"? Are you referring to the DbSets in the DbContext?

All SerializeAllClaims does is copy the ClaimsPrincipal from the server to the client. Is there any way in which the ClaimsPrincipal itself is different between the server and the client? If so, what's different?

[DjeeBay]

I'm sorry it was a bit confusing because with Blazor we are not able to get the claims stored in the RoleClaims table (looks like it's both Server and Client), but with a MVC project RoleClaims are there.

Here is what EF Core produces at login :

Blazor

MVC

You can see that on MVC EF Core queries AspNetRoleClaims and on Blazor it does not.

Am I missing something or is it expected ?

[halter73]

Without sample repro code demonstrating the difference between the MVC and Blazor login code in your application, it's hard to say for sure what's going on.

However, I'm guessing this might have to do with the fact that the Blazor project template with individual auth doesn't use roles by default. Where the template has the following:

builder.Services.AddIdentityCore<ApplicationUser>(options => options.SignIn.RequireConfirmedAccount = true)

You might need to update it to something like:

builder.Services.AddIdentity<ApplicationUser, ApplicationRole>(options => options.SignIn.RequireConfirmedAccount = true)

Or

builder.Services.AddIdentityCore<ApplicationUser>(options => options.SignIn.RequireConfirmedAccount = true)
    .AddRoles<ApplicationRole>()

I assume you already have something like that in your MVC app. This should ensure that the UserClaimsPrincipalFactory<TUser, TRole> gets used instead of the plain UserClaimsPrincipalFactory<TUser> to generate the ClaimsIdentity that later gets serialized due to the SerializeAllClaims option. See UserClaimsPrincipalFactory.cs for reference.

If my guess is wrong, can you provide a minimal repro of a working MVC app and broken Blazor app?

[DjeeBay]

My bad, looks like the value of AspNetRoles.NormalizedName has to be (strictly) the capitalized value of the role name.
Otherwise RoleClaims won't be queried.

Since there is no screen to crud roles in default templates, we've put some data in the database manually and it didn't respect this convention.

I've not found any official documentation saying that this convention has to be respected otherwise it won't works.