JWT and "real time" auth. question
Hello,
So currently I am moving over to a Web API - and have been validating users with JWT by generating a "non db" Claim that is passed around in the token, so I have created a Policy that allows people with a valid token to be authenticated, and it works great!
But my scenario complicates a bit, and I am not sure how I would do this - currently we have permissions, simple permissions like "Edit sales", I wanted to create Claims in the form of "Sales, Edit", "Sales, Create" etc., and assign it to roles (or users in some cases) and validate it through policies.
So here's the "complicated" part - Currently I am not sure how to handle the Authorization part - I can easily create the policies, but I am not sure how to retrieve the Claims - If I do it when they log in, I will only be able to include the claims they have at log in - what if they are updated after? (Would it be proper to issue a refresh token?) OR should I use JWT for validating, and then create a custom handler that calls my user store, updates the IPrincipal, then validates? I am not sure if this is a hack or how well this would work. Currently I am thinking to write a custom handler and update the IPrincipal (User) before calling AuthorizeAsync, but then I would not be able to use the AuthorizeFilters, which would be nifty.
I hope someone with more experience than I could give some tips on how to do it properly, I tried looking on the subreddit, but I couldn't really find the specific scenario - maybe I am just complicating things?
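One way to keep permission checks current without baking permissions into the token, as an added example that is not from the poster: an ASP.NET Core IClaimsTransformation that runs after the JWT is validated, loads the user's permissions from the user store and exposes them as claims, so the ordinary [Authorize(Policy = "...")] filters keep working. IPermissionStore and the "permission" claim type are assumed names, and the user id is taken from the NameIdentifier claim that the JWT bearer handler maps "sub" to by default.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.DependencyInjection;

// Assumed store abstraction: returns the permissions a user holds right now.
public interface IPermissionStore
{
    Task<string[]> GetPermissionsAsync(string userId);
}

// Invoked on every authenticated request after token validation. Adds "permission"
// claims from the store, so policies see current permissions, not the set frozen
// into the token at login.
public sealed class PermissionClaimsTransformation : IClaimsTransformation
{
    private readonly IPermissionStore _store;
    public PermissionClaimsTransformation(IPermissionStore store) => _store = store;

    public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        // The transformation can run more than once per request; keep it idempotent.
        if (principal.Identity?.IsAuthenticated != true
            || principal.HasClaim(c => c.Type == "permission"))
            return principal;

        // "sub" is mapped to NameIdentifier by the default inbound claim mapping.
        var userId = principal.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (string.IsNullOrEmpty(userId))
            return principal;

        // Attach a separate identity instead of mutating the token-derived one.
        var identity = new ClaimsIdentity();
        foreach (var permission in await _store.GetPermissionsAsync(userId))
            identity.AddClaim(new Claim("permission", permission));
        principal.AddIdentity(identity);
        return principal;
    }
}

public static class PermissionPolicies
{
    // Turns each permission name into a policy: [Authorize(Policy = "Sales.Edit")].
    public static IServiceCollection AddPermissionPolicies(
        this IServiceCollection services, params string[] permissions)
    {
        services.AddTransient<IClaimsTransformation, PermissionClaimsTransformation>();
        services.AddAuthorization(options =>
        {
            foreach (var permission in permissions)
                options.AddPolicy(permission, p => p.RequireClaim("permission", permission));
        });
        return services;
    }
}
```

The store lookup runs on every request, so back it with a short-TTL cache; a revoked permission then takes effect when the cache entry expires, while the token itself should still carry a short lifetime so that a stolen token and a refresh-token rotation have bounded exposure.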