petercli

Reputation: 693

How to get the group membership?

I am trying to get the Roles of a logged-in user, using OpenID Connect with "https://login.microsoftonline.com/".

I can hit breakpoints on OnTokenValidated and OnTicketReceived. In my controller decorated with [Authorize], User.Identity.IsAuthenticated is true, but User.IsInRole("admin") is false <-- this is a group in my tenant, and my account is a member. Any suggestions on getting role info? Do I need to implement OnUserInformationReceived? Any examples?

I am following the wiki: Quickstart: Add sign-in with Microsoft to an ASP.NET Core web app

Thanks, Peter

Upvotes: 0

Views: 1318

Answers (1)

Nan Yu

Reputation: 27538

Group membership is not included in the ID token by default. You can follow the steps below to configure your application to receive group claims:

  1. In your application page, click on Manifest to open the inline manifest editor.
  2. Edit the manifest by locating the groupMembershipClaims setting, and setting its value to All (or to SecurityGroup if you are not interested in Distribution Lists).
  3. Save the manifest.

    {
      ...
      "createdDateTime": "",
      "groupMembershipClaims": "All",
      "identifierUris": [],
      ...
    }
    
  4. To receive the groups claim with the object IDs of the security groups, make sure that the user accounts you plan to sign in with are assigned to a few security groups in this AAD tenant.

You could use a policy in ASP.NET Core: use an attribute with a named policy, then define the policy in Startup to require the group claim and set the allowed group ID. See the code sample here.

In addition, User.IsInRole("admin") will check whether the claim http://schemas.microsoft.com/ws/2008/06/identity/claims/role: admin exists in the user's claims. You can also set the RoleClaimType to use group information and then use Roles.

Upvotes: 2
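The two suggestions in the answer above (a named policy on the groups claim, and RoleClaimType pointed at the groups claim) combined into one ASP.NET Core 2.1 Startup, as an added example that is not code from the original post or from the quickstart. It assumes the quickstart's AzureAD.UI sign-in setup, that the manifest change above has already been made, and an appsettings.json key `AzureAd:AdminGroupId` (an assumption, not in the original) holding the object ID of the "admin" group.

```csharp
// Startup.cs (added example). Maps Azure AD group object IDs onto roles and
// defines a named authorization policy on the "groups" claim.
using System.Linq;
using Microsoft.AspNetCore.Authentication.AzureAD.UI;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        // Same sign-in wiring as the quickstart; the "AzureAd" section holds
        // Instance, TenantId, ClientId and CallbackPath.
        services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
            .AddAzureAD(options => Configuration.Bind("AzureAd", options));

        services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>
        {
            // With groupMembershipClaims set in the manifest, the ID token carries a
            // "groups" claim whose values are group object IDs (GUIDs), not display names.
            // Making "groups" the role claim type lets User.IsInRole("<group-object-id>")
            // and [Authorize(Roles = "<group-object-id>")] work.
            options.TokenValidationParameters.RoleClaimType = "groups";
        });

        // Assumed configuration key (not in the original post): the admin group's object ID.
        string adminGroupId = Configuration["AzureAd:AdminGroupId"];

        services.AddAuthorization(options =>
        {
            // Named policy: the user's "groups" claim must contain the admin group's object ID.
            options.AddPolicy("RequireAdminGroup", policy =>
                policy.RequireClaim("groups", adminGroupId));
        });

        services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication();
        app.UseMvc(routes =>
            routes.MapRoute("default", "{controller=Home}/{action=Index}/{id?}"));
    }
}

public class AdminController : Controller
{
    private readonly string _adminGroupId;

    public AdminController(IConfiguration configuration)
        => _adminGroupId = configuration["AzureAd:AdminGroupId"];

    // Gated by the named policy: only members of the admin group get here.
    [Authorize(Policy = "RequireAdminGroup")]
    public IActionResult Index() => Content("Welcome, admin group member.");

    // Diagnostic action: shows which group object IDs arrived in the token and
    // that the role check now succeeds for the group's ID rather than its name.
    [Authorize]
    public IActionResult Groups()
    {
        var groupIds = User.FindAll("groups").Select(c => c.Value);
        bool byId = User.IsInRole(_adminGroupId); // true for a member, because RoleClaimType = "groups"
        bool byName = User.IsInRole("admin");     // still false: the token carries IDs, not names
        return Content($"groups: {string.Join(", ", groupIds)}\nbyId: {byId}\nbyName: {byName}");
    }
}
```

Because the groups claim carries object IDs, `User.IsInRole` and `[Authorize(Roles = ...)]` must be given the group's GUID after this change; `User.IsInRole("admin")` stays false. One caveat worth knowing: if a user belongs to more groups than Azure AD will emit in a token, the groups claim is replaced by an overage indicator and the membership has to be read from Microsoft Graph instead, so a production check should handle a missing groups claim rather than treat it as "no groups".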
