Saso

Reputation: 148

Azure Active Directory user roles and authorization

I have an application hosted on Azure, Angular 4 on the front end and .NET Core 2.0 on the back end. What I want to achieve is to add roles to my users who are added to my Azure Active Directory. Authentication is implemented and works well. I use ADAL and I send my bearer token with every request.

  1. These are my app roles defined in the manifest on azure portal:

    "appRoles": [
      {
        "allowedMemberTypes": [
          "User"
        ],
        "displayName": "Reviewer",
        "id": "0238c2bb-9857-4d07-b760-a47ec621d57a",
        "isEnabled": true,
        "description": "Reviewer only have the ability to view tasks and their statuses.",
        "value": "Reviewer"
      },
      {
        "allowedMemberTypes": [
          "User"
        ],
        "displayName": "Approver",
        "id": "000018cb-19e3-4f89-bf99-5d7acf30773b",
        "isEnabled": true,
        "description": "Approvers have the ability to change the status of tasks.",
        "value": "Approver"
      }
    ]

  2. Approver role is assigned to the desired user.

  3. I send a request to the back end (.NET Core 2.0 Web API) where I have the [Authorize] attribute, and when I check the user claims with User.Claims.ToList() I see that the user is an approver:

[15]{http://schemas.microsoft.com/ws/2008/06/identity/claims/role: Approver}

And that's great!

  4. Now I add a policy in startup.cs:

    services.AddAuthorization(options =>
    {
        options.AddPolicy("ElevatedRights", policy =>
          policy.RequireRole("Approver"));
    });
    
  5. This is the step where the problem happens. In the controller (see step 3) I replace the [Authorize] attribute with [Authorize(Policy = "ElevatedRights")], but then my request gets rejected. I even tried [Authorize(Roles = "Approver")].

What am I missing or doing wrong?

P.S. Feel free to suggest better title for the question.

Upvotes: 1

Views: 1116

Answers (1)

juunas

Reputation: 58733

Seems like it does not know which claim to map the roles to.

You might be able to instead use RequireClaim(ClaimTypes.Role, "Approver").

Another possible way (which should work) is to specify the RoleClaimsType on your AddJwtBearer call. Something like:

    AddJwtBearer(o => o.TokenValidationParameters = new TokenValidationParameters { RoleClaimType = ClaimTypes.Role });

Instead of ClaimTypes.Role, you can also try "roles".

Upvotes: 1
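Putting the answer's two suggestions side by side, here is an added example (not code from the question or the answer) of an ASP.NET Core 2.0 Startup.cs plus a controller that uses the "ElevatedRights" policy from the question. The tenant ID, client ID, controller name and routes are hypothetical placeholders; the Azure AD authority and audience values are assumptions you must replace with those of your own app registration.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    // Hypothetical placeholders: replace with your tenant and app registration values.
    private const string TenantId = "<your-tenant-id>";
    private const string ClientId = "<your-app-client-id>";

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(o =>
            {
                // Assumption: single-tenant Azure AD authority; issuer metadata is discovered from it.
                o.Authority = $"https://login.microsoftonline.com/{TenantId}";
                o.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,
                    ValidateAudience = true,
                    ValidAudience = ClientId,   // assumption: tokens are issued for the client ID
                    // Tell the handler which claim carries roles. The JWT handler's inbound
                    // claim-type mapping turns the token's "roles" claim into ClaimTypes.Role
                    // (the URI seen in the question); if that mapping is disabled, use "roles".
                    RoleClaimType = ClaimTypes.Role
                };
            });

        services.AddAuthorization(options =>
        {
            // Role-based policy from the question: depends on RoleClaimType above
            // matching the claim type that actually holds "Approver".
            options.AddPolicy("ElevatedRights",
                policy => policy.RequireRole("Approver"));

            // Claim-based alternative from the answer: checks the claim directly and
            // does not depend on RoleClaimType at all.
            options.AddPolicy("ElevatedRightsByClaim",
                policy => policy.RequireClaim(ClaimTypes.Role, "Approver"));
        });

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication();   // must precede UseMvc so User is populated before [Authorize] runs
        app.UseMvc();
    }
}

// Hypothetical controller: Reviewers may read, only Approvers may change status.
[Route("api/[controller]")]
public class TasksController : Controller
{
    [HttpGet]
    [Authorize]   // any authenticated user of the app (Reviewer or Approver)
    public IActionResult GetTasks() => Ok(new[] { "task-1", "task-2" });

    [HttpPost("{id}/status")]
    [Authorize(Policy = "ElevatedRights")]   // rejected with 403 unless the role claim is "Approver"
    public IActionResult SetStatus(string id, [FromBody] string status)
        => Ok(new { id, status, changedBy = User.Identity.Name });
}
```

If the policy still rejects a request, dump User.Claims once more in an [Authorize]-only action and compare the claim type you see with the RoleClaimType you configured; the two must match exactly, and the claim-based policy is the quickest way to confirm the token itself carries the role.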
