How to add Policy and Role in JwtSecurityTokenHandler in asp.net CORE

Solution 1:

I think you are confusing two different concepts. The Authorize attribute will not directly check the claims on your token. You must use policies for that.

The [Authorize(Policy = <policyname>)] attribute will search for a registered policy that in turn can be configured to check the claims you specify for any given value.

In your case you need to configure your pipeline to use Authorization and register a policy, e.g. as follows:

services.AddAuthorization(options =>
{
    options.AddPolicy(
        "ViewClients",
        policy => policy.RequireClaim(ClaimTypes.Role, "ViewClients")
    );
});

The above creates a policy called ViewClients that checks for a Role claim that contains the value "ViewClients". So the corresponding claim is:

new Claim(ClaimTypes.Role, "ViewClients")

You can reconfigure that to suit whatever your needs are.

One remark:
I am not sure if your service is intended to be used in production, but a line that immediately caught my eye was:

userFromDb.PasswordHash == HashPassword(_employeeService.DEFAULT_PASSWORD)

You should reconsider giving every new user the same default password. Generally speaking, it's safer to configure an expiring, random default password and set a boolean flag in the database to indicate that a user needs to change his password upon next login.
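To show how the pieces in the answer fit together, here is an added, self-contained ASP.NET Core (.NET 6+, minimal hosting) example. It is not the answerer's code or any project's code: it registers JWT bearer authentication, the "ViewClients" policy from the answer, and two protected endpoints (one by policy, one by role), and issues a token carrying the matching ClaimTypes.Role claim. The configuration key "Jwt:Key", the issuer/audience strings, the /login endpoint, the LoginRequest record and the IssueToken helper are all assumptions introduced for illustration; the user list is constructed sample data.

```csharp
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Assumption: the signing key comes from configuration ("Jwt:Key"), never from source.
// HS256 requires at least 256 bits (32 bytes) of key material.
string signingKey = builder.Configuration["Jwt:Key"]
    ?? throw new InvalidOperationException("Jwt:Key is not configured");
var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(signingKey));
const string Issuer = "example-issuer";     // placeholder value
const string Audience = "example-audience"; // placeholder value

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = Issuer,
            ValidateAudience = true,
            ValidAudience = Audience,
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = key,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(1),
            // ClaimTypes.Role is already the default; stated explicitly so that
            // [Authorize(Roles = ...)] and the claim-based policy look at the same claim.
            RoleClaimType = ClaimTypes.Role,
        };
    });

builder.Services.AddAuthorization(options =>
{
    // The policy from the answer: a Role claim whose value is "ViewClients" is required.
    options.AddPolicy("ViewClients",
        policy => policy.RequireClaim(ClaimTypes.Role, "ViewClients"));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Protected by the policy; equivalent to [Authorize(Policy = "ViewClients")] on an action.
app.MapGet("/clients", () => Results.Ok(new[] { "Alice", "Bob" }))
   .RequireAuthorization("ViewClients");

// The same check expressed as a role; equivalent to [Authorize(Roles = "ViewClients")].
app.MapGet("/clients/by-role", () => Results.Ok("role check passed"))
   .RequireAuthorization(new AuthorizeAttribute { Roles = "ViewClients" });

// Hypothetical login endpoint. A real service verifies the credentials against its user
// store first; here a constructed rule grants the role to a single sample user.
app.MapPost("/login", (LoginRequest req) =>
{
    var roles = req.UserName == "alice" ? new[] { "ViewClients" } : Array.Empty<string>();
    return Results.Ok(new { token = IssueToken(req.UserName, roles) });
});

app.Run();

// Builds a short-lived HS256 token; one ClaimTypes.Role claim is added per role,
// which is exactly the claim the "ViewClients" policy above looks for.
string IssueToken(string userName, IEnumerable<string> roles)
{
    var claims = new List<Claim> { new(ClaimTypes.Name, userName) };
    claims.AddRange(roles.Select(r => new Claim(ClaimTypes.Role, r)));

    var token = new JwtSecurityToken(
        issuer: Issuer,
        audience: Audience,
        claims: claims,
        expires: DateTime.UtcNow.AddMinutes(15),
        signingCredentials: new SigningCredentials(key, SecurityAlgorithms.HmacSha256));

    return new JwtSecurityTokenHandler().WriteToken(token);
}

record LoginRequest(string UserName, string Password);
```

With a token from POST /login for "alice", GET /clients and GET /clients/by-role return 200; a token for any other user fails both checks with 403, and a request without a valid bearer token gets 401. Note that the policy and the role attribute succeed together only because RoleClaimType and the claim written by IssueToken are the same claim type.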