Based on what you have here, I suspect your main issue is that the claim your policy requires is never actually issued to the user. Try adjusting the following service registrations in your server Program.cs to:
// Identity with confirmed-account sign-in. The custom principal factory registered
// here is what adds the CanViewContract claim to the user's identity (see
// CustomUserClaimsPrincipalFactory.GenerateClaimsAsync).
builder.Services
    .AddDefaultIdentity<ApplicationUser>(options =>
    {
        options.SignIn.RequireConfirmedAccount = true;
    })
    .AddEntityFrameworkStores<ApplicationDbContext>()
    .AddClaimsPrincipalFactory<CustomUserClaimsPrincipalFactory>();
// Register the claim on both the "openid" identity resource and the API resource.
// Only claims listed here are copied from the server-side principal into the
// tokens handed to the WASM client; a claim that is missing from the token can
// never satisfy the client-side policy.
builder.Services
    .AddIdentityServer()
    .AddApiAuthorization<ApplicationUser, ApplicationDbContext>(options =>
    {
        const string claimType = "CanViewContract";

        options.IdentityResources["openid"].UserClaims.Add(claimType);
        options.ApiResources.Single().UserClaims.Add(claimType);
    });
// Server-side authorization policy: the principal must carry a
// "CanViewContract" claim whose value is "true". The policy name must match
// the one used by the client project and by any [Authorize(Policy = ...)] attributes.
builder.Services.AddAuthorization(options =>
    options.AddPolicy(
        "CanViewContract",
        policy => policy.RequireClaim("CanViewContract", "true")));
Then create a new class called CustomUserClaimsPrincipalFactory (which is referenced in the Program.cs above) that looks like this (the namespace and using directives will need to be adjusted to fit your app):
using SomeBlazorApp.Server.Models;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Options;
using System.Security.Claims;
namespace SomeBlazorApp.Server.Internal
{
    /// <summary>
    /// Claims principal factory that appends a <c>CanViewContract</c> claim to the
    /// identity built by the default <see cref="UserClaimsPrincipalFactory{TUser}"/>.
    /// </summary>
    /// <remarks>
    /// As written, every user that signs in receives this claim with the value "true",
    /// so the matching CanViewContract policy admits all authenticated users. In a real
    /// application the claim should be added only when per-user data (a stored claim,
    /// role or flag on <see cref="ApplicationUser"/>) says the user is entitled to it.
    /// </remarks>
    internal class CustomUserClaimsPrincipalFactory : UserClaimsPrincipalFactory<ApplicationUser>
    {
        // Claim type and value expected by the CanViewContract policy on both server and client.
        private const string ContractClaimType = "CanViewContract";
        private const string ContractClaimValue = "true";

        /// <summary>
        /// Creates the factory; both dependencies are forwarded unchanged to the base class.
        /// </summary>
        /// <param name="userManager">Identity user manager used by the base factory.</param>
        /// <param name="optionsAccessor">Identity options used by the base factory.</param>
        public CustomUserClaimsPrincipalFactory(
            UserManager<ApplicationUser> userManager,
            IOptions<IdentityOptions> optionsAccessor)
            : base(userManager, optionsAccessor)
        {
        }

        /// <summary>
        /// Builds the base claims identity for <paramref name="user"/> and appends the
        /// <c>CanViewContract</c> claim to it.
        /// </summary>
        /// <param name="user">The user being signed in.</param>
        /// <returns>The base identity with the extra claim added.</returns>
        protected override async Task<ClaimsIdentity> GenerateClaimsAsync(ApplicationUser user)
        {
            ClaimsIdentity claimsIdentity = await base.GenerateClaimsAsync(user);

            // Unconditional: see the class remarks before shipping this as-is.
            claimsIdentity.AddClaim(new Claim(ContractClaimType, ContractClaimValue));

            return claimsIdentity;
        }
    }
}
And adjust the service registration in Program.cs for your WASM Client project to the following (notice the change from ViewContract to CanViewContract: the client policy must require the same claim name that the server actually issues):
// Client-side (WASM) policy. It must mirror the server policy exactly: same policy
// name, same claim type and same claim value, otherwise the UI and the API disagree
// about who may view a contract.
builder.Services.AddAuthorizationCore(options =>
    options.AddPolicy(
        "CanViewContract",
        policy => policy.RequireClaim("CanViewContract", "true")));
Then see if this gets it running.