User.IsInRole() returns false and Authorize Roles gives me an Access Denied


I'm trying to set up the authentication in my existing App with ASP.NET Core Identity 2.0. As I use my own database schema and classes, I have my own User and Role classes and I had to create custom UserStore/UserManager/RoleStore/RoleManager.

I declare them in my services :

services.AddIdentity<User, Profile().AddUserManager<CustomUserManager<User>>().AddRoleManager<CustomRoleManager>().AddDefaultTokenProviders();
services.AddTransient<IUserStore<User>, UserStore>();
services.AddTransient<IRoleStore<Profile>, ProfileStore>();

I implement the interface UserRoleStore in the UserStore with these methods :

    public Task AddToRoleAsync(User user, string roleName, CancellationToken cancellationToken)
        user.Profiles.Add(db.Profiles.ToList().Find(x => x.Name.Equals(roleName, StringComparison.OrdinalIgnoreCase)));


        return Task.FromResult((object)null);

    public Task RemoveFromRoleAsync(User user, string roleName, CancellationToken cancellationToken)
        user.Profiles.Remove(db.Profiles.ToList().Find(x => x.Name.Equals(roleName, StringComparison.OrdinalIgnoreCase)));


        return Task.FromResult((object)null);

    public Task<IList<string>> GetRolesAsync(User user, CancellationToken cancellationToken)
        IList<string> ret = new List<string>();
        user.Profiles.ToList().ForEach(x => ret.Add(x.Name));
        return Task.FromResult(ret);

    public Task<bool> IsInRoleAsync(Useruser, string roleName, CancellationToken cancellationToken)
        Profile searchRole = db.Profiles.Include(profile => profile.ProfileUsers).ToList().Find(x => x.Active && x.Name.Equals(roleName, StringComparison.OrdinalIgnoreCase));
        return Task.FromResult(searchRole.ProfileUsers.ToList().Find(x => x.UserID == user.ID) == null ? false : true);

    public Task<bool> IsInRole(User user, string roleName, CancellationToken cancellationToken)
        return Task.FromResult(true);

    public Task<IList<Utilisateur>> GetUsersInRoleAsync(string roleName, CancellationToken cancellationToken)
        Profile currentProfile = db.Profiles.Include(profile => profile.ProfileUsers).ThenInclude(pu => pu.User).ToList().Find(x => x.Active && x.Name.Equals(roleName, StringComparison.OrdinalIgnoreCase));
        if (currentProfile == null)
            return Task.FromResult((IList<User>)null);

        IList<User> ret = new List<User>();
        currentProfile.ProfileUsers.ToList().ForEach(x => ret.Add(x.User));
        return Task.FromResult(ret);

So when I try to do

var result1 = _userManager.AddToRoleAsync(userObject, "WorkOrderViewer");
var res = _userManager.GetUsersInRoleAsync("WorkOrderViewer");
var test = await _userManager.IsInRoleAsync(userObject, "WorkOrderViewer");

It works and my user gets the choosen Role. However, when I try to set up the controller authorizations or the controls visibility in the view it doesn't work. For the controller authorization I have an access denied for exemple.

When I put this in my code :

var test = User.IsInRole("WorkOrderViewer");

It returns "false" even if I am log in the app (I try to log out and log in) and if the UserManager.IsInRoleAsync returns me "true".

I think it fails because UserManager.AddToRoleAsync() is not synchronized with User.IsInRole() but I don't know how to resolve it. Have you an idea of what I am doing wrong ?


When you say you use the code User.IsInRole I assume you mean in a Controller.

User in a controller is of type ClaimsPrincipal.

And the method ClaimsPrincipal.IsInRole has the following documentation:

The IsInRole method checks whether an identity that this claims principal possesses contains a claim of type ClaimsIdentity.RoleClaimType where the value of the claim is equal to the value specified by the role parameter.

This can be confirmed by looking at the source for ClaimsIdentity.cs.

if (_identities[i].HasClaim(_identities[i].RoleClaimType, role))

So User.IsInRoleis checking to see if the User has a Claim of type RoleClaimType (which defaults to "").

The claim type can be configured as needed.

Collected from the Internet

Please contact [email protected] to delete if infringement.

edited at


Login to comment


Authorize(Roles = "Admin") always return ACCESS DENIED

User.IsInRole always returns false with Token Authentication

MVC 4: User.IsInRole() returns false after logout

User.IsInRole() always returns false only in controller

Multiple roles in 'User.IsInRole'

Why the prompt gives me "Access denied"?

Multiple User Roles in Authorize

User.IsInRole return false

ASP.NET Core Identity 2: User.IsInRole always returns false

Proper way to assess Role in Authorization as User.IsInRole() always returns false

User.IsInRole always returns false in View or code using Policy based Authorization

Changing FSMO Roles: Access Denied

Laravel: Access denied for user 'newuser'@'localhost' (using password: YES) (SQL: select * from `roles`)

How to use <sec:authorize access="hasRole('ROLES)"> for checking multiple Roles?

(root) FAILED to authorize user with PAM (Permission denied)

Access denied for user MySql

Access Denied for Admin User

Authorize a user for azure blob access

mysqlfailover command gives Error 1045: Access denied for user 'root'@'localhost' (using password: NO)

Using User.IsInRole returns random result when UserRole changes

Connecting to external Mysql database from AWS lambda (back end of Alexa skill) returns "Access denied for user" message

"net user administrator /active:Yes" returns "System error 5 has occurred. Access is denied."

ASP.NET MVC Authorize user with many roles

Loadkeys gives permission denied for normal user

Anglular gives access denied to mymodal.html

Nuget add packages gives access denied errors

Debug in Visual Studio 2017 gives access denied

accessing path through cloudfront gives access denied

mvcSiteMap Bootstrap showing links based on user roles without using User.IsInRole