loadUserProfile will return roles of last user if current user has no roles assigned #580

Closed
StephanKuehn opened this issue Jul 15, 2019 · 5 comments
Labels
bug For tagging faulty or unexpected behavior. investigation-needed Indication that the maintainer or involved community members may need to investigate more.

Comments

@StephanKuehn

This seems to be related to issue #514.

I am using your library against Identity Server 4 using resource owner password grant flow.
Identity Server is running against ASP.Net Core Identity.

I have two roles, user and administrator.

User A is assigned to roles user and administrator.
User B is assigned to roles user.
User C is assigned to no role at all.

If User A logs on, I can see the user info response in Fiddler containing both roles, `"role":["user","administrator"]`. I see the same in the userInfo object returned by loadUserProfile().

Subsequently, User C logs on. The user info response in Fiddler contains no role at all. However, the userInfo object returned by loadUserProfile() still contains both roles.

@StephanKuehn
Author

Pardon me, but it seems that this is a bug that originates in the following two lines in loadUserProfile():

```ts
const existingClaims = this.getIdentityClaims() || {};
...
info = Object.assign({}, existingClaims, info);
```

If info is missing a claim that is present in existingClaims, i.e. stored in oAuthStorage.getItem(''),
the result will contain a claim no longer present on the current user.

@StephanKuehn
Author

StephanKuehn commented Jul 15, 2019

The workaround seems to be to call sessionStorage.removeItem('id_token_claims_obj') or whatever storage is configured for the library before calling loadUserProfile().
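The merge quoted in the previous comment and the storage-clearing workaround from this one, traced through in an added TypeScript example. This is not code from angular-oauth2-oidc: `MemoryStorage`, the two `loadUserProfile*` functions, `clearStoredClaims` and the user-info objects for users A and C are constructed stand-ins; only the `Object.assign` merge and the `id_token_claims_obj` key come from the issue.

```typescript
// Added example (not the library's code): a stand-in for the configured
// OAuthStorage plus three variants of the profile-loading step, showing how
// merging previously stored claims into a fresh user-info response carries a
// prior user's roles over to a user who has none.

type Claims = Record<string, unknown>;

// Constructed in-memory stand-in for sessionStorage / OAuthStorage.
class MemoryStorage {
  private items = new Map<string, string>();
  getItem(key: string): string | null { return this.items.get(key) ?? null; }
  setItem(key: string, value: string): void { this.items.set(key, value); }
  removeItem(key: string): void { this.items.delete(key); }
}

// Storage key named in the issue's workaround.
const CLAIMS_KEY = 'id_token_claims_obj';

// Mirrors the merge quoted in the issue: stored claims survive unless the
// new user-info response explicitly overrides them.
function loadUserProfileMerging(storage: MemoryStorage, userInfo: Claims): Claims {
  const raw = storage.getItem(CLAIMS_KEY);
  const existingClaims: Claims = raw ? JSON.parse(raw) : {};
  const info = Object.assign({}, existingClaims, userInfo);
  storage.setItem(CLAIMS_KEY, JSON.stringify(info));
  return info;
}

// Hardened variant (an assumption, not the library's actual fix): the user-info
// response is authoritative for the currently logged-in user, so it replaces
// whatever was stored instead of being merged over it.
function loadUserProfileReplacing(storage: MemoryStorage, userInfo: Claims): Claims {
  const info = Object.assign({}, userInfo);
  storage.setItem(CLAIMS_KEY, JSON.stringify(info));
  return info;
}

// The workaround described in the issue: drop stale claims before loading.
function clearStoredClaims(storage: MemoryStorage): void {
  storage.removeItem(CLAIMS_KEY);
}

// Constructed user-info responses matching the issue's description.
const USER_A_INFO: Claims = { sub: 'user-a', role: ['user', 'administrator'] };
const USER_C_INFO: Claims = { sub: 'user-c' }; // no role claim at all

// Normalises the role claim (array, single string, or absent) to a string[].
function rolesOf(claims: Claims): string[] {
  const r = claims['role'];
  if (Array.isArray(r)) return r as string[];
  if (typeof r === 'string') return [r];
  return [];
}

// Scenario 1: A logs in, then C logs in; merging leaks A's roles onto C.
function reproduceLeak(): string[] {
  const storage = new MemoryStorage();
  loadUserProfileMerging(storage, USER_A_INFO);
  return rolesOf(loadUserProfileMerging(storage, USER_C_INFO)); // ['user', 'administrator']
}

// Scenario 2: same sequence, with the stored claims cleared before C's load.
function withWorkaround(): string[] {
  const storage = new MemoryStorage();
  loadUserProfileMerging(storage, USER_A_INFO);
  clearStoredClaims(storage);
  return rolesOf(loadUserProfileMerging(storage, USER_C_INFO)); // []
}

// Scenario 3: same sequence, with the replacing variant throughout.
function withReplacingFix(): string[] {
  const storage = new MemoryStorage();
  loadUserProfileReplacing(storage, USER_A_INFO);
  return rolesOf(loadUserProfileReplacing(storage, USER_C_INFO)); // []
}

console.log('merging:', reproduceLeak());
console.log('workaround:', withWorkaround());
console.log('replacing:', withReplacingFix());
```

The security-relevant point is that a client-side authorisation check built on `rolesOf(userInfo)` would treat user C as an administrator in scenario 1; the merge only fails for claims the new user lacks, which is exactly the case for a user with fewer privileges than the previous one on the same browser session.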

@manfredsteyer
Owner

Thanks for this info. id_token_claims_obj should be overwritten with user C's claims when they log in. Is there an id_token for user C?

@manfredsteyer manfredsteyer added the investigation-needed Indication that the maintainer or involved community members may need to investigate more. label Jul 25, 2019
@jeroenheijmans jeroenheijmans added the bug For tagging faulty or unexpected behavior. label Aug 5, 2019
@StephanKuehn
Author

I am using resource owner password grant flow. There is no id token for any of the users A, B or C.

@manfredsteyer
Owner

I think this was already resolved with version 8, right?
