Reputation: 586
I have a minimally functioning .NET Core 3 Web app using Azure AD for Authentication but I am trying to figure out how to use my own custom roles in my own SQL database for authorization.
Ultimately, I want to verify the user, then get their associated Role from my DB and create policies from there. I'm not afraid to research, but my searches are not pulling up anything that looks right. Can anyone point me in the right direction?
Upvotes: 3
Views: 1920
Reputation: 9664
AFAIK the closest Azure AD feature helpful for your requirement would be Application Roles.
You can read more details about it on Microsoft Docs here - Application Roles
Here is a related code sample - Add authorization using app roles & roles claims to an ASP.NET Core web app
To put it briefly, you will be able to define roles specific to your application's Azure AD manifest. Later you can assign these roles to users from Azure Portal or use Microsoft Graph API.
```json
"appRoles": [
    {
        "allowedMemberTypes": [
            "User"
        ],
        "description": "Creators can create Surveys",
        "displayName": "SurveyCreator",
        "id": "1b4f816e-5eaf-48b9-8613-7923830595ad",
        "isEnabled": true,
        "value": "SurveyCreator"
    },
    {
        "allowedMemberTypes": [
            "User"
        ],
        "description": "Administrators can manage the Surveys in their tenant",
        "displayName": "SurveyAdmin",
        "id": "c20e145e-5459-4a6c-a074-b942bbd4cfe1",
        "isEnabled": true,
        "value": "SurveyAdmin"
    }
],
```
Note that role definitions themselves and information about which users have been assigned what role will all be in Azure AD (not your SQL database as you've mentioned in your question).
Now at the time of signing into your web app, you will get roles as a collection of claims with the incoming access token.
Here is another good documentation page that explains both Role-based and Resource-based authorization with a sample and uses authorization policies.
In case none of this makes sense for your application, you could always implement something custom and store role information as well as assignments in your application database.
Azure AD will not help much with defining or assigning roles in that scenario. You will need to maintain a map between users and their roles in a custom way. If it makes sense you could use RoleManager class.
Upvotes: 5
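The custom alternative the answer ends on (Azure AD authenticates, the application's own database supplies the roles, policies are built from those roles), as an added example that is not code from the question, the answer, or Microsoft's sample. `IAppRoleStore`, `DbRoleClaimsTransformation` and `AddDbRolePolicies` are hypothetical names; the SQL data access behind `IAppRoleStore` is left to the application.

```csharp
// Added example, not from the question or answer. IAppRoleStore and the
// AddDbRolePolicies helper are hypothetical names; the data access is yours.
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.DependencyInjection;

public interface IAppRoleStore
{
    // Role names assigned to an Azure AD object id in the app's own SQL database.
    Task<string[]> GetRolesAsync(string objectId);
}

// Runs after Azure AD has authenticated the request and appends role claims read
// from the application database, so [Authorize(Roles = ...)] and role policies
// work with no app roles defined or assigned in Azure AD.
public class DbRoleClaimsTransformation : IClaimsTransformation
{
    private const string ObjectIdClaim = "http://schemas.microsoft.com/identity/claims/objectidentifier";
    private const string Issuer = "app-db"; // tags the claims this class adds
    private readonly IAppRoleStore _store;
    public DbRoleClaimsTransformation(IAppRoleStore store) => _store = store;

    public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        // May run more than once per request: skip if our roles are already present.
        if (principal.HasClaim(c => c.Type == ClaimTypes.Role && c.Issuer == Issuer))
            return principal;
        // Key the lookup on the stable object id, never on e-mail or display name.
        var oid = principal.FindFirst(ObjectIdClaim)?.Value;
        if (string.IsNullOrEmpty(oid)) return principal;
        var roles = await _store.GetRolesAsync(oid);
        var clone = principal.Clone(); // never mutate the handler's own principal
        ((ClaimsIdentity)clone.Identity).AddClaims(
            roles.Select(r => new Claim(ClaimTypes.Role, r, ClaimValueTypes.String, Issuer)));
        return clone;
    }
}

public static class DbRoleAuthorization
{
    // TStore is your IAppRoleStore implementation (EF Core, Dapper, ...).
    public static IServiceCollection AddDbRolePolicies<TStore>(this IServiceCollection services)
        where TStore : class, IAppRoleStore
    {
        services.AddScoped<IAppRoleStore, TStore>();
        services.AddScoped<IClaimsTransformation, DbRoleClaimsTransformation>();
        services.AddAuthorization(o =>
        {
            o.AddPolicy("CanCreateSurvey", p => p.RequireRole("SurveyCreator", "SurveyAdmin"));
            o.AddPolicy("CanAdminSurvey", p => p.RequireRole("SurveyAdmin"));
        });
        return services;
    }
}
```

Call `services.AddDbRolePolicies<YourSqlRoleStore>()` after the Azure AD authentication registration in `Startup.ConfigureServices`, then guard endpoints with `[Authorize(Policy = "CanAdminSurvey")]`; the role lookup hits the database on every request, so cache it if that becomes a cost.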