IdentityServer4 tokens and recap


I'm testing IdentityServer4 with Angular and I have a question about how it works... Let's see... I have an API MVC Core application; in the controller there is, for example, authorize role = admin, OK... If you do not include the roles in the token, the API does not authorize... well, of course... so my token should always have all the roles as claims, and that way it works well... but I do not want my token to have the roles, since then the token grows a lot... I would like it to work like this:

  • Angular gets a token with minimal data, without roles.

  • It calls the API with the small token.

  • The API communicates with IdentityServer and obtains the necessary roles for that application.

  • The API, in the authorize, should check whether this is allowed.

  • This way I do not have roles in the JWT and the client never has all the claims... as things are now my token has 100 claims, and if I decode it the roles are visible and I do not like that... I do not want them inside the token...

    Is my approach fine, or am I not understanding how this should work...

        
    asked by pablo schmitt 29.05.2018 at 11:33

    0 answers
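
The flow listed in the question (small token, roles resolved by the API, then the normal role check) can be sketched with ASP.NET Core's `IClaimsTransformation`. This is an added example, not code from the post or from IdentityServer4; `IRoleLookup`, the `roles_loaded` marker claim and the 5-minute cache lifetime are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.Caching.Memory;

// Hypothetical abstraction: however the API asks the identity system for a
// user's roles (userinfo call, database query, ...). Not an IdentityServer4 type.
public interface IRoleLookup
{
    Task<IReadOnlyCollection<string>> GetRolesAsync(string subjectId);
}

public sealed class RoleClaimsTransformation : IClaimsTransformation
{
    private const string Marker = "roles_loaded"; // constructed claim type
    private readonly IRoleLookup _lookup;
    private readonly IMemoryCache _cache;

    public RoleClaimsTransformation(IRoleLookup lookup, IMemoryCache cache)
    { _lookup = lookup; _cache = cache; }

    public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        // Enrich only authenticated principals, and only once:
        // TransformAsync can be invoked more than once per request.
        if (principal.Identity?.IsAuthenticated != true || principal.HasClaim(c => c.Type == Marker))
            return principal;

        // The JWT handler may map "sub" to ClaimTypes.NameIdentifier.
        var sub = principal.FindFirst("sub")?.Value
                  ?? principal.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (string.IsNullOrEmpty(sub))
            return principal; // no subject: no roles added, so role checks fail closed

        // A short cache lifetime (assumed value) bounds how long a revoked role stays usable.
        var roles = await _cache.GetOrCreateAsync("roles:" + sub, entry =>
        {
            entry.AbsoluteExpirationRelativeToNow = TimeSpan.FromMinutes(5);
            return _lookup.GetRolesAsync(sub);
        });

        // Roles live only in the server-side principal; they never appear in the JWT.
        var extra = new ClaimsIdentity();
        extra.AddClaim(new Claim(Marker, "1"));
        extra.AddClaims(roles.Select(r => new Claim(ClaimTypes.Role, r)));
        principal.AddIdentity(extra);
        return principal;
    }
}
```

Registered with `services.AddMemoryCache()` and `services.AddScoped<IClaimsTransformation, RoleClaimsTransformation>()` plus an `IRoleLookup` implementation, an `[Authorize(Roles = "admin")]` attribute is then evaluated against the roles loaded by the API.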