Post Impatica

Reputation: 16413

Azure ADAL with Web API and Native app

I currently have a Xamarin Forms app correctly logging in and using Microsoft Azure AD for authentication before accessing a web api that is also configured in Azure.

Now I want to add role based authorization like I used to do using IdentityServer 4.0. So within my webapi I put this on my controller:

[Authorize(Roles = "SOMEDOMAIN\\ADGroup")]

So now I'm trying to follow documentation on the web, but people aren't being descriptive enough. I have 1 question, but let me first explain my setup.

For my Native Xamarin App

Under "Required Permissions"

I edited the Manifest

For my Web Api

Under "Required Permissions"

I edited the Manifest

Question

1) Within each app above, do I need to enable Read Directory Data for the Windows Azure Active Directory permission? If not, which one needs it?

Upvotes: 1

Views: 303

Answers (1)

Louis Simonetti III

Reputation: 156

In the Application Manifest, setting "groupMembershipClaims": "SecurityGroup" should add the groups claim to the JWT. Then you just need the ObjectId in Azure AD for the Security Group(s) you are trying to target, discussed in detail here. The group information is part of the id_token. Per the documentation here:

Provides object IDs that represent the subject's group memberships. These values are unique (see Object ID) and can be safely used for managing access, such as enforcing authorization to access a resource. The groups included in the groups claim are configured on a per-application basis, through the "groupMembershipClaims" property of the application manifest. A value of null will exclude all groups, a value of "SecurityGroup" will include only Active Directory Security Group memberships, and a value of "All" will include both Security Groups and Office 365 Distribution Lists.

Also, there is a very thorough Wiki on the GitHub repo for the ADAL library here.

Also, here are some good resources on that groups claim, and the last one is a sample solution:

http://www.cloudidentity.com/blog/2013/01/22/group-amp-role-claims-use-the-graph-api-to-get-back-isinrole-and-authorize-in-windows-azure-ad-apps/

https://www.red-gate.com/simple-talk/cloud/security-and-compliance/azure-active-directory-part-4-group-claims/

https://azure.microsoft.com/en-gb/resources/samples/active-directory-dotnet-webapp-groupclaims/

Upvotes: 0
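Added example, not code from the question or the answer above: the authorization step a Web API performs after the groups claim described in the answer arrives, mapping security-group object IDs to application roles so that a role check works the way `[Authorize(Roles = ...)]` does. The group GUIDs, audience and sample token are constructed placeholders, and the snippet assumes the API's JWT middleware has already validated the token's signature, issuer and audience (it performs no signature check itself).

```python
import base64
import json

# Constructed mapping (placeholder GUIDs): security-group object ID -> app role.
# The groups claim carries object IDs, never "DOMAIN\\GroupName" display names.
GROUP_TO_ROLE = {
    "00000000-0000-0000-0000-000000000001": "Admin",
    "00000000-0000-0000-0000-000000000002": "Reader",
}

def decode_payload(jwt: str) -> dict:
    """Return the JWT payload; assumes the API middleware already verified
    signature, issuer and audience, so no signature check happens here."""
    payload_b64 = jwt.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))

def roles_from_claims(claims: dict) -> set:
    """Translate group object IDs into roles; unknown groups grant nothing.

    With groupMembershipClaims null the claim is absent and no roles result.
    A single-valued claim may arrive as a bare string, so accept both forms.
    """
    groups = claims.get("groups", [])
    if isinstance(groups, str):
        groups = [groups]
    return {GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE}

def is_authorized(claims: dict, required_role: str) -> bool:
    """Same decision as [Authorize(Roles = required_role)] over mapped roles."""
    return required_role in roles_from_claims(claims)

def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

# Constructed sample token (header.payload.signature) with a dummy signature;
# its groups claim holds the Reader group's object ID from the mapping above.
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"aud": "api://example-web-api",
             "groups": ["00000000-0000-0000-0000-000000000002"]}),
    "dummy-signature",
])

if __name__ == "__main__":
    claims = decode_payload(SAMPLE_TOKEN)
    print(roles_from_claims(claims), is_authorized(claims, "Admin"))  # {'Reader'} False
```

A role check written against the display name (as in the question's `SOMEDOMAIN\\ADGroup`) never matches, because the claim only ever contains object IDs.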
