Application authentication
ASP.NET Core Identity C# JWT OAuth

How to Embed User Roles in a JWT Token Claim within a .NET Core Application

Welcome to today’s post.

In this post I will be showing how to embed user roles within JWT token claims within a custom identity provider API using .NET Core Identity.

In a previous post I showed how management of user roles are implemented within a custom Web API identity service.

When requesting a JWT authentication token from our authentication (token generation) API method within our identity service, the resulting token will contain role type claims.

As our token is encrypted, provided our secret is not known to the consumer of our service, the roles will not be known until the token is decoded by the application.

When our client application decodes this token, the roles can be read in and used for application side authorization.

In a previous post I discussed implementation of a token manager within our identity service API.

Today I will be amending our token manager to return user roles that can be useful within our client applications.

Below the GenerateToken() method for our token manager: 

public string GenerateToken(string username)
    byte[] key = Convert.FromBase64String(_appConfiguration.Secret);
       JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler();

    SymmetricSecurityKey securityKey = new SymmetricSecurityKey(key);
    SecurityTokenDescriptor descriptor = new SecurityTokenDescriptor
        Subject = new ClaimsIdentity(new[] {
                    new Claim(ClaimTypes.Name, username)}),
        Expires = DateTime.Now.AddMinutes(30),
           SigningCredentials = new SigningCredentials(new

    // build claims user roles
    var userRoles =    

    var claims = new List<Claim>();

    foreach (var userRole in userRoles.GetResult())
        claims.Add(new Claim(ClaimTypes.Role, userRole));

    JwtSecurityToken token = 
    return handler.WriteToken(token);

The method we use to return the user roles, GetUserRoles() is shown below:

public async Task<List<string>> GetUserRoles(string userName)
    var user = await userManager.FindByEmailAsync(userName);
    IList<string> roles = await userManager.GetRolesAsync(user);
    if (roles != null)
       return roles.ToList();
    return new List<string>();

Each claims identity consists of a collection of claims of type IEnumerable<System.Security.Claims.Claim>, which has the following properties:

IssuerThis is the name of the entity that issued the claim.
SubjectThis is the subject of the claim, normally the user that requested access to the resource.
TypeThis is semantic information about the claim, such as Email, PostalCode, Surname etc.
ValueThis is the value of the claim in string format.

Each claim is then constructed using the claim type of Role and value, which is the role. The claims are then added to a list of claims.

We then add the list of claims to the Subject property of our SecurityTokenDesciptor and use the ClaimsIdentity method:


The roles are stored and retrieved from the table AspNetUserRoles from the ASP.NET Identity UserManager method :


When retrieving the token in a client application, ensure that the same secret key is used as our API service.

In a future post I will show how to retrieve the roles from a JWT token from our client application or API service method.

That’s all for today’s post.

I hope this post has been useful and informative.

Social media & sharing icons powered by UltimatelySocial