bkwdesign

Reputation: 2117

My RBAC'd Web API is secure, but, the roles aren't working

I have a simple ADAL.js 'spa' app based on this sample. It is calling an API that is part of the same solution (so I don't think this is a CORS issue; we're all in the same domain here, same app).

I set up some custom roles in my AD tenant's app's manifest file. I associated those roles with some test user accounts. When I run my sample and log in, it reflects back to me user token values that show that the correct role has been applied to whatever test user I decided to log in with...

When I make calls to the API where we've just simply used the [Authorize] attribute, everything is fine.

For example, this decorated controller, works fine:

[Authorize]
public class ValuesController : ApiController
{
    // GET api/values
    public IEnumerable<string> Get(){...omitted....}
}

However, this gives me a 'denied' response (literally: Authorization has been denied for this request):

[Authorize(Roles = "AdminAccess")]
public class ValuesController : ApiController
{
    // GET api/values
    public IEnumerable<string> Get(){...omitted....}
}

What am I doing wrong? It seems to fail when deployed to Azure as well as locally.


Here's my Startup.Auth.cs class:

    using System.Configuration;
    using System.IdentityModel.Tokens;
    using Microsoft.Owin.Security.ActiveDirectory;
    using Owin;

    public partial class Startup
    {
        public void ConfigureAuth(IAppBuilder app)
        {
            // Bearer token middleware for Azure AD: validates the token's audience
            // and uses the tenant from config to resolve the trusted issuer and keys.
            app.UseWindowsAzureActiveDirectoryBearerAuthentication(
                new WindowsAzureActiveDirectoryBearerAuthenticationOptions
                {
                    TokenValidationParameters = new TokenValidationParameters
                    {
                        ValidAudience = ConfigurationManager.AppSettings["ida:Audience"]
                    },
                    Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
                });
        }
    }

Upvotes: 0

Views: 319

Answers (1)

juunas

Reputation: 58898

You need to define which claim contains the roles. Here is an example:

app.UseWindowsAzureActiveDirectoryBearerAuthentication(
    new WindowsAzureActiveDirectoryBearerAuthenticationOptions()
    {
        Tenant = Tenant,
        TokenValidationParameters = new TokenValidationParameters
        {
            ValidAudience = ValidAudience,
            RoleClaimType = "roles"
        }
    });

This causes the middleware to map values in the claim "roles" to roles for the principal it creates.

Upvotes: 2
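To see why the role claim type matters, here is an added example (not code from the question or the answer) that builds a principal from a constructed set of token claims and checks it the same way `[Authorize(Roles = "AdminAccess")]` does, once with the default role claim type and once with `"roles"`; the role name `AdminAccess` and the claim values are assumed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;

class RoleClaimTypeDemo
{
    // Constructed sample: the claims an Azure AD access token carries after validation.
    // App roles assigned in the manifest arrive in a claim of type "roles", not ClaimTypes.Role.
    static IEnumerable<Claim> SampleTokenClaims() => new[]
    {
        new Claim("name", "Test User"),
        new Claim("roles", "AdminAccess"),   // assumed app role name from the question
        new Claim("roles", "Reader")         // assumed second app role
    };

    // Builds the principal the way the bearer middleware would, given a role claim type,
    // and asks the same question AuthorizeAttribute asks: IsInRole(roleName).
    static bool GrantsRole(string roleClaimType, string roleName)
    {
        var identity = new ClaimsIdentity(SampleTokenClaims(), "Bearer", ClaimTypes.Name, roleClaimType);
        var principal = new ClaimsPrincipal(identity);
        // IsInRole only consults claims whose type equals identity.RoleClaimType.
        return principal.IsInRole(roleName);
    }

    static void Main()
    {
        // Default: RoleClaimType is ClaimTypes.Role, so the "roles" values are never consulted
        // and the request is denied even though the token clearly carries the role.
        Console.WriteLine("default role claim type -> AdminAccess granted: "
            + GrantsRole(ClaimTypes.Role, "AdminAccess"));

        // With RoleClaimType = "roles" (the answer's TokenValidationParameters setting),
        // the same claims satisfy [Authorize(Roles = "AdminAccess")].
        Console.WriteLine("RoleClaimType = \"roles\"  -> AdminAccess granted: "
            + GrantsRole("roles", "AdminAccess"));

        // A role the token does not carry is still denied under either configuration.
        Console.WriteLine("RoleClaimType = \"roles\"  -> Owner granted: "
            + GrantsRole("roles", "Owner"));
    }
}
```

The same check applies when inspecting a live request: if `User.IsInRole("AdminAccess")` is false while the token visibly contains the role, the role claim type on the principal is the first thing to verify.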
