I am using the [Authorize] attribute to restrict access to an endpoint.
For example
[Authorize(Roles = "Admin, CustomerManager, CustomerUser, ClientManager, ClientUser")]
When a user's role is downgraded, if he uses the previous access token, he can still log in under the role that has already been deleted. I can solve it like this:
if (!await _userManager.IsInRoleAsync(currentUser, Roles.Admin))
{
    return Forbid();
}
But is it possible to solve this with the [Authorize] attribute?
I found an answer from 8 years ago, but maybe something has changed since then?
If you are using MVC, you need to log out the user whose role has been changed. If you are using an API with JWT, you need to issue a new token.
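One way to keep the plain [Authorize(Roles = ...)] attribute and still have it see current roles, as an added example that is not code from the question or the answer above: hook the JwtBearer middleware's OnTokenValidated event, reject tokens whose security stamp no longer matches the stored one, and rebuild the role claims from the database before the authorization filter runs. It assumes ASP.NET Core Identity with UserManager<IdentityUser>, that the token issuer copies the user's security stamp into a claim named "sstamp" (a name chosen here), and that role claims arrive under ClaimTypes.Role (the default inbound claim mapping).

```csharp
// Added example (not from the question or the answer): re-validate a JWT's
// roles against the current database state on every request so that a token
// issued before a role downgrade no longer grants the old role.
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;

public static class JwtRoleRevalidation
{
    // Hypothetical claim name: the token issuer must write the user's
    // security stamp into the token under this name.
    public const string SecurityStampClaim = "sstamp";

    // Pass to AddJwtBearer(...) so every validated token goes through this check.
    public static void Configure(JwtBearerOptions options)
    {
        options.Events = new JwtBearerEvents
        {
            OnTokenValidated = async context =>
            {
                var userManager = context.HttpContext.RequestServices
                    .GetRequiredService<UserManager<IdentityUser>>();

                var principal = context.Principal;
                var userId = principal?.FindFirstValue(ClaimTypes.NameIdentifier);
                if (userId is null)
                {
                    context.Fail("Token carries no user id claim.");
                    return;
                }

                var user = await userManager.FindByIdAsync(userId);
                if (user is null)
                {
                    context.Fail("User no longer exists.");
                    return;
                }

                // A token minted before the stamp was rotated carries the old
                // stamp; treat it as revoked.
                var tokenStamp = principal!.FindFirstValue(SecurityStampClaim);
                var currentStamp = await userManager.GetSecurityStampAsync(user);
                if (tokenStamp != currentStamp)
                {
                    context.Fail("Security stamp changed since the token was issued.");
                    return;
                }

                // Replace whatever roles the token carried with the roles the
                // user holds right now, so [Authorize(Roles = ...)] sees live data.
                var identity = (ClaimsIdentity)principal.Identity!;
                foreach (var stale in identity.FindAll(ClaimTypes.Role).ToList())
                    identity.RemoveClaim(stale);
                foreach (var role in await userManager.GetRolesAsync(user))
                    identity.AddClaim(new Claim(ClaimTypes.Role, role));
            }
        };
    }

    // Role changes do not rotate the security stamp by themselves; rotate it
    // explicitly so that outstanding tokens fail the stamp check above.
    public static async Task<IdentityResult> RemoveRoleAndRevokeTokensAsync(
        UserManager<IdentityUser> userManager, IdentityUser user, string role)
    {
        var result = await userManager.RemoveFromRoleAsync(user, role);
        if (!result.Succeeded)
            return result;
        return await userManager.UpdateSecurityStampAsync(user);
    }
}
```

Register it with `builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(JwtRoleRevalidation.Configure);`. The trade-off is one user lookup per request in exchange for immediate revocation; the answer's approach of issuing a new token avoids the lookup but leaves the old token valid until it expires. If the token issuer uses a different role claim type, set `options.TokenValidationParameters.RoleClaimType` to match and use that name in place of ClaimTypes.Role. For cookie-based MVC logins, Identity's built-in SecurityStampValidator already performs the stamp comparison on an interval, which is why logging the user out (or rotating the stamp) is enough there.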