I am attempting to create a Blazor Server application that will secure pages based on two separate security roles, Admins and Users. All accounts will be assigned to one of these roles, but never both. Some pages will be accessible to only Admins, while others will be accessible to both roles.
I have noticed that when I assign both roles to a page's Access property, the page does not show up in the PanelMenu after login. The page can be accessed if you manually enter the page URL in the browser.
The @attribute [Authorize(Roles="")] directive appears to allow the page to be accessed if the logged in account is a member of one on the assigned roles while your SecurityService.IsInRole() implementation appears to require that the logged in account is a member of all of the assigned roles.