
Role claim type not set to 'roles' #3165

Open
cornem opened this issue Dec 6, 2024 · 1 comment


cornem commented Dec 6, 2024

Microsoft.Identity.Web Library

Microsoft.Identity.Web

Microsoft.Identity.Web version

3.5.0

Web app

Sign-in users

Web API

Not Applicable

Token cache serialization

Not Applicable

Description

I have added authentication to an ASP.NET Core Blazor application (net9.0) like this:

builder.Services.AddMicrosoftIdentityWebAppAuthentication(builder.Configuration, configSectionName: "Azure:Entra");

In my Razor components I can authenticate users adding the [Authorize] attribute.
However, User.IsInRole does not work, as it apparently looks for claims with the type http://schemas.microsoft.com/ws/2008/06/identity/claims/role.

Roles in the principal are actually in the roles claim.

  • Shouldn't this be set to the correct value by default?
  • Is there a way to override this?

Reproduction steps

  1. Create a new Blazor app
  2. Configure authentication with builder.Services.AddMicrosoftIdentityWebAppAuthentication(builder.Configuration) in Program.cs
  3. Add [Authorize] to a component, and verify only authenticated users have access.
  4. Add a role to the attribute [Authorize(Roles = "Whatever")] and make sure the user has this role assigned in Microsoft Entra.
  5. Observe the user is now denied access, even though the role is included in the roles claim.

Error message

No response

Id Web logs

No response

Relevant code snippets

See above.

Regression

No response

Expected behavior

The role claim type should be set correctly by default.

Collaborator

jmprieur commented Dec 6, 2024

Please read this: https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/5-WebApp-AuthZ/5-1-Roles

We could change the roles claims, but that's a breaking change. We can take this for IdWeb 4.
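The override the reporter asks about, as an added example that is not code from the issue or from Microsoft.Identity.Web itself: it configures the OpenID Connect handler's RoleClaimType so the ClaimsIdentity it builds treats the "roles" claim as the role claim, which is what User.IsInRole and [Authorize(Roles = ...)] consult. It assumes the same "Azure:Entra" configuration section as the issue and the default OpenID Connect scheme name.

```csharp
// Program.cs (added example; assumes the reporter's "Azure:Entra" config section)
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

// Same registration as in the issue.
builder.Services.AddMicrosoftIdentityWebAppAuthentication(
    builder.Configuration, configSectionName: "Azure:Entra");

// ASP.NET Core's ClaimsIdentity.IsInRole looks for claims whose type equals the
// identity's RoleClaimType. By default the OIDC handler builds the identity with
// ClaimTypes.Role (http://schemas.microsoft.com/ws/2008/06/identity/claims/role),
// while Entra app roles arrive in a claim named "roles". Pointing the handler's
// TokenValidationParameters at "roles" makes IsInRole and [Authorize(Roles=...)]
// read the claim Entra actually issues, without remapping any claims.
builder.Services.Configure<OpenIdConnectOptions>(
    OpenIdConnectDefaults.AuthenticationScheme,
    options =>
    {
        options.TokenValidationParameters.RoleClaimType = "roles";
    });

builder.Services.AddAuthorization();

var app = builder.Build();

app.UseAuthentication();
app.UseAuthorization();

app.Run();
```

After this change, a component decorated with [Authorize(Roles = "Whatever")] admits a user whose ID token carries "Whatever" in its roles claim; setting RoleClaimType does not affect which roles the user was assigned in Entra, only which claim the app reads them from.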
