Reputation: 1876
I have an Angular SPA front end which is backed by an ASP.NET Core 2 web API that sits in a different Azure Web App. This web API is locked down by Azure AD, and the AD tenant is the same for both the Angular app and the back-end API. I want all users in the Azure AD tenant to be able to access the front end and the back-end API. However, a few users need specific permissions to do certain things (create/update).
I can create an app registration in Azure AD and use the same app registration for both the SPA and the back-end API, then use ADAL.js in the SPA to get an access token and an ID token and pass them to the back-end web API. What I am not sure about is: will the user's roles flow through in the claims to the web API? I am planning to add users to specific application roles.
Upvotes: 0
Views: 383
Reputation: 58723
Roles will be in the ID token if the user has roles on the app they are signing into. With SPAs registered as native apps, you basically can't have roles, since the user is in full control of the front end anyway. Roles will be in the access token if the user has roles on that API.
Two options that you have:
Upvotes: 1
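As an added example (not part of the question or the answer above), here is how an ASP.NET Core 2 web API can enforce the app roles once they arrive in the access token's `roles` claim. It assumes a placeholder tenant ID, an App ID URI of `api://example-api` as the audience, and an app role with value `Content.Write` defined in the app manifest; none of these values come from the page.

```csharp
// Startup.cs (ASP.NET Core 2.x) -- added example, not code from the question or answer.
// Assumptions (not on the page): the API's App ID URI is "api://example-api" and the
// app manifest defines an app role whose "value" is "Content.Write".
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // Azure AD v1 endpoint; {tenant-id} is a placeholder for your tenant GUID.
                options.Authority = "https://login.microsoftonline.com/{tenant-id}";
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    // Reject access tokens minted for any other resource (e.g. an ID token
                    // or a Graph token forwarded by mistake).
                    ValidAudience = "api://example-api",
                    // Azure AD app roles are delivered in a "roles" claim, not in the
                    // default ClaimTypes.Role, so map it explicitly or [Authorize(Roles)] never matches.
                    RoleClaimType = "roles"
                };
            });

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication();   // must run before MVC so [Authorize] sees the principal
        app.UseMvc();
    }
}

[Route("api/items")]
[Authorize]                                // any signed-in user of the tenant may read
public class ItemsController : Controller
{
    [HttpGet]
    public IActionResult Get() => Ok(new[] { "item1" });

    [HttpPost]
    [Authorize(Roles = "Content.Write")]   // only users assigned the app role may create
    public IActionResult Create() => Created("api/items/1", null);
}
```

With `RoleClaimType` set, `User.IsInRole("Content.Write")` also works inside action methods, and a token without the role is rejected with 403 rather than silently treated as a reader.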