Ron16

Reputation: 473

Authorizing users from Azure Active Directory

I have set up an ASP.NET MVC Core Project, and while creating the Project I selected the option for Azure AD authentication. I have added two users to the Default Azure AD. One in Directory Role "Global Administrator" and another in Directory role "User". [Refer to the pic below for example of the Global Administrator]

[screenshot: the user with Directory role "Global Administrator" in Azure AD]

Now, the Authentication works fine. Both of these two users can log in to the WebApp perfectly. What doesn't work is to use Authorization for separate permissions/views for separate users. In the Home Controller, I am trying to do something like:

    // C#: string literals need double quotes, and the if-condition needs its closing paren
    if (User.IsInRole("Admin"))
        return View("HomePageAdmin");
    else
        return View("NormalHomePage");

However, it doesn't work. For both of the users, it redirects to the same "NormalHomePage".

What am I missing?

Upvotes: 2

Views: 766

Answers (3)

Ron16

Reputation: 473

So, after a lot of looking and searching, the way to implement AuthN via AAD for ASP.NET Core 2.0 turned out to be rather simple.

  • I had to create a new Group in the AAD, give it a name ("ShopAdmin", in my case), and then simply add the users I wanted to give the Administrator rights.
  • Open the manifest file of the WebApp, update the "groupMembershipClaims" field from null to "SecurityGroup"
  • Open the Group again from the AAD and copy the OBJECT ID from there. This OBJECT ID we shall use in the C# code of the controllers.


  • So, now that we have created the required group (or groups, as your need may be), updated the WebApp's manifest file from AAD, and copied the OBJECT ID of the group, it's time to simply use that OBJECT ID in the Controller. In my case, that's simply done with:

    // Returns true when the signed-in user's token carries a "groups" claim
    // whose value is the object id of the "ShopAdmin" group.
    public bool CheckIfAdmin()
    {
        return User.Claims.Any(c =>
            c.Type == "groups" &&
            c.Value.Equals("42f51be8-28c4-995d-a69f-f6f42f96a5cd",
                           StringComparison.CurrentCultureIgnoreCase));
    }

  • So, here, basically the Claims collection of the User Property is being used to check if it contains the respective groups claim.

Upvotes: 2
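The same group check can be expressed as an ASP.NET Core authorization policy instead of a hand-written claims lookup in every controller. The following is an added example, not the answerer's code: it assumes the group object id is stored under a configuration key named "AzureAd:ShopAdminGroupId" (an assumed name) and that the authentication registration generated by the project template is left in place.

```csharp
// Added example (not the original poster's code): Startup.cs for ASP.NET Core 2.x.
// A named policy requires the "groups" claim to contain the ShopAdmin group's
// object id, so controllers can use [Authorize(Policy = "ShopAdmin")] instead of
// comparing claim values by hand.
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;

    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        // "AzureAd:ShopAdminGroupId" is an assumed configuration key; the group's
        // object id (copied from the AAD portal) lives in appsettings/user secrets,
        // not in source code.
        string shopAdminGroupId = Configuration["AzureAd:ShopAdminGroupId"];

        // The authentication registration generated by the project template
        // (AddAuthentication(...).AddAzureAd(...).AddCookie()) stays as it is.

        services.AddAuthorization(options =>
        {
            // Satisfied only when the token carries a "groups" claim equal to the
            // object id. Requires "groupMembershipClaims": "SecurityGroup" in the
            // app manifest; if the key is missing, no user satisfies the policy.
            options.AddPolicy("ShopAdmin", policy =>
                policy.RequireClaim("groups", shopAdminGroupId));
        });

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication();
        app.UseMvcWithDefaultRoute();
    }
}

public class HomeController : Controller
{
    [Authorize]
    public IActionResult Index() => View("NormalHomePage");

    // Only members of the ShopAdmin group (by object id, not by display name) get here.
    [Authorize(Policy = "ShopAdmin")]
    public IActionResult Admin() => View("HomePageAdmin");
}
```

Matching on the group's object id rather than its display name matters because names can be changed or reused, while the object id is immutable. One caveat to keep in mind: when a user belongs to more group than Azure AD will put in a token, the "groups" claim is omitted in favour of an overage indicator, so a user in many groups can be silently denied by this policy; the fix is to query group membership from Microsoft Graph in that case.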

juunas

Reputation: 58743

Azure AD roles are not the same as roles in your application. You should probably take a look at this sample: https://github.com/Azure-Samples/active-directory-dotnet-webapp-roleclaims

You will have to define the roles in your app in the app manifest first.

Then assign users to them. Once you do those two things, there will be a claim called "roles" in the JWT you get, which contains the user's role(s).

Upvotes: 2
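Because Azure AD puts app roles in a claim literally named "roles", User.IsInRole and [Authorize(Roles = ...)] only work once the authentication handler is told to treat that claim as the role claim. The following is an added example, not code from the answer or the linked sample: it assumes an app role whose value is "Admin" has been declared in the "appRoles" section of the app manifest and assigned to the user (the role value and the helper name are assumptions).

```csharp
// Added example (not from the answer or the linked sample): map Azure AD app roles
// onto ASP.NET Core role checks. Assumes an app role with value "Admin" exists in
// the manifest's "appRoles" and is assigned to the user.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public static class AppRolesAuthenticationExtensions
{
    // Helper name is an assumption; clientId and tenantId come from the app registration.
    public static IServiceCollection AddAzureAdWithAppRoles(
        this IServiceCollection services, string clientId, string tenantId)
    {
        services.AddAuthentication(options =>
        {
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie()
        .AddOpenIdConnect(options =>
        {
            options.ClientId = clientId;
            options.Authority = $"https://login.microsoftonline.com/{tenantId}";
            options.TokenValidationParameters = new TokenValidationParameters
            {
                // Without this, IsInRole looks for the default ClaimTypes.Role
                // (a long schema URI) and never matches the "roles" claim Azure AD emits.
                RoleClaimType = "roles",
                NameClaimType = "name"
            };
        });

        return services;
    }
}

public class HomeController : Controller
{
    [Authorize]
    public IActionResult Index()
    {
        // Works only because RoleClaimType was set to "roles" above.
        return User.IsInRole("Admin") ? View("HomePageAdmin") : View("NormalHomePage");
    }

    // Declarative form of the same check; unassigned users get 403.
    [Authorize(Roles = "Admin")]
    public IActionResult AdminOnly() => View("HomePageAdmin");
}
```

Directory roles such as "Global Administrator" never appear in the token, so this mapping does not make the original IsInRole("Admin") check see them; only app roles declared in the manifest and assigned to users (or groups) arrive in the "roles" claim.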

mbnx

Reputation: 942

Hard to tell without further information. Does your JWT expose the right claims? Take a look at a working setup of claim authorization.

https://github.com/Azure-Samples/active-directory-dotnet-webapp-roleclaims/blob/master/WebApp-RoleClaims-DotNet/App_Start/Startup.Auth.cs

An issue that could also help: Azure Ad Returning Roles in Claims but User.IsInRole returns false

Upvotes: 0
