When I try to remove an Asp.Net (core) 8.0 identity claim (for a different user than is currently signed in), the claim seems to be removed, but then it reverts back to the original value.

The setClaim method at bottom is called from a .cshtml page. It only calls setClaim once, then at the bottom I call getClaim to try to debug what is going on.

When I put breakpoints at the //****** lines below, the debugger shows that, in the function, the “IsAdmin” claim is removed. However, when I call the getClaim method at the bottom of the .cshtml page, the “IsAdmin” claim has returned, with the prior value of “false”.

public async Task setClaim(string type, string? value)
{
    ClaimsPrincipal userCP;

    Task<ClaimsPrincipal> claimsTask = identityManager.signInManager.CreateUserPrincipalAsync(this);
    userCP = await claimsTask;

    var identity = userCP.Identity as ClaimsIdentity;
    if (null != identity)
    {
        // remove claim if it exists
        Claim? existingClaim = identity.FindFirst(type);

        if (null != existingClaim)
        {
            if (!identity.TryRemoveClaim(existingClaim))  //***** Break 1
            {
                // Never get here, TryRemoveClaim always returns true
                int x = 1;
            }
            // RemoveClaimAsyng throws exception [other threads already running]: await identityManager.userManager.RemoveClaimAsync(this, existingClaim);
            //  This didn't work either: identity.RemoveClaim(existingClaim);
        } //****** Break 2

        // RefereshSignInAsync didn't work, though it does change the current sign in
        //   to the calling object.
        //await identityManager.signInManager.RefreshSignInAsync(this);

        // add new claim-- setting a value of null deletes the claim (since we don't add anything if null)
        //  if (null != value)
        //  identity.AddClaim(new Claim(type, value));

    }
}

As noted above, I’ve tried RemoveClaim, TryRemoveClaim, and RemoveClaimAsync.

public async Task<Claim> getClaim(string type)
{
    ClaimsPrincipal userCP;

    Task<ClaimsPrincipal> claimsTask = identityManager.signInManager.CreateUserPrincipalAsync(this);

    userCP = await claimsTask;

    if (null != userCP.Identity)
    {

        Claim? existingClaim = ((ClaimsIdentity)userCP.Identity).FindFirst(type);
    )

        return existingClaim; // ********* Breakpoint
    }
    else
    {
        return null;
    }
    return null;
}

I was expecting that, at the call to the getClaim method, the “IsAdmin” claim would still be gone, but it returned with its original value.

I tried RefreshSignInAsync(this) since that seems to have solved similar issues for others, but it didn’t work for me (though it did sign me in as that user). Per https://learn.microsoft.com/en-us/aspnet/core/security/authentication/social/additional-claims?view=aspnetcore-7.0#add-and-update-user-claims

Claims are copied from external providers to the user database on first registration, not on sign in. If additional claims are enabled in an app after a user registers to use the app, call SignInManager.RefreshSignInAsync on a user to force the generation of a new authentication cookie.

In the Development environment working with test user accounts, delete and recreate the user account. For production systems, new claims added to the app can be backfilled into user accounts.

This isn’t an external provider and .RefreshSignInAsync isn’t working, but maybe I need to follow the “backfill” step?

I’ve googled all over and am not seeing what I’m doing wrong, which makes me think it is something basic regarding changing claims for users who are not signed in (maybe I should be doing this at a different part of the code)? I looked at the Docs at https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.identity?view=aspnetcore-8.0 but didn’t find any indication what the problem would be.