In principle, there is no significant difference between Role and Claim. I all connected to the claims-based authorization, conducted a lot of research and several test projects. And in the end, you decide which one to use.
As you said, roles are added as a claim type. Therefore, in terms of delivery, this does not matter. But MVC / WebApi already has a built-in infrastructure for handling roles and deny that the user does not have the required role. This way you donβt have to do much on your own.
But you will have to come up with a bunch of attributes on the controllers / actions and make sure that they all exist in the database, so you can assign them to users.
However, I found that you may have too many roles and they become too complex to maintain. In addition, you cannot have too many roles assigned to your user - their cookie authentication will become massive and ultimately will not be able to log in due to browser cookie size limitations (4K per cookie, 16K for all HTTP -headings).
With claims, you can be more flexible. You can have many different types of claims (we have a bit less than one per controller) and several requirements values ββ(Read, Create, Edit, Delete). When using an application with a descent size (we have above 100) you will have to have many roles (4 per controller) to simulate this level of permission control. With claims, we have enum for claim types (Person, Product, Order) and enum for requirement values ββ(Create, Read, Edit, Delete). And in the cookie, you can set integers as the type of request and requirement value - this saves a lot of space on authentication cookies.
But with claims, you have to code the authentication mechanisms yourself.
I played with this concept here and it is an authentication filter for MVC, but the WebApi filter will be very similar. Now the results of this prototype are in production and work very well.
In general, the answer to your question is "it depends." Basically, how important is authentication and how big is this application.