Thom van den Akker

Instead of defining the building limit requirement on a per research basis, woudn't it be more beneficial to have a proper limiter defined in the AbstractBuilding itself, that way the...

> The way it is now is more flexible. There may be research in the future that requires a level 3 house, not house(s) totalling 3 levels. If this would...

If I remove the `[Authorize]` attribute entirely (the one I mentioned) it still does not work. My base controller does have `[Authorize(AuthenticationSchemes = OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme)]` could that have anything to do...

``` at NextLevel.API.Extensions.AuthorizationExtensions.c.b__0_6(ProcessChallengeContext context) at OpenIddict.Validation.OpenIddictValidationDispatcher.DispatchAsync[TContext](TContext context) at System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[TStateMachine](TStateMachine& stateMachine) at OpenIddict.Validation.OpenIddictValidationDispatcher.DispatchAsync[TContext](TContext context) at OpenIddict.Validation.AspNetCore.OpenIddictValidationAspNetCoreHandler.HandleChallengeAsync(AuthenticationProperties properties) at System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[TStateMachine](TStateMachine& stateMachine) at OpenIddict.Validation.AspNetCore.OpenIddictValidationAspNetCoreHandler.HandleChallengeAsync(AuthenticationProperties properties) at Microsoft.AspNetCore.Authentication.AuthenticationHandler`1.ForbidAsync(AuthenticationProperties properties) at System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[TStateMachine](TStateMachine& stateMachine) at Microsoft.AspNetCore.Authentication.AuthenticationHandler`1.ForbidAsync(AuthenticationProperties...

 My tokens do get attached to the requests yes

I don't have any other logging but everything from OpenIddict, do you know of any way I can debug the authorization policy so I can check if all the requirements...

The claims transformer returns the original principal passed to it, only modifying the scopes. The identity says that the RoleClaimType is `http://schemas.microsoft.com/ws/2008/06/identity/claims/role`, does it have to be this exact string?

```cs public class ScopeClaimResolver : IClaimsTransformation { public Task TransformAsync(ClaimsPrincipal principal) { var scopes = new HashSet(); foreach (var scope in principal.GetScopes().ToHashSet()) { scopes.Add(scope); ExtractScopes(scopes, scope); } principal.SetScopes(scopes); return Task.FromResult(principal);...

Also here's what the Identity looks like in total:  (It's what I get from `assertion.User` in the policy)

Oddly enough, the AuthenticationType says `Server`, I'd expect `Validation` since this is the resource server, is that correct?