CMorgan

Reputation: 693

AzureAD role-based authorization

I have my app registered in Azure AD App Registrations, and added AppRoles in the manifest for my app, the role of Admin. In the Azure Enterprise Application menu, I added a user and assigned it the Admin role, which I could select.

In the Startup class of my application, I added the AddAuthorization part and defined a policy RequireRole("Admin").

I used the [Authorize(Roles = "Admin")] attribute for my controller class, and in the navbar partial view I added ((await AuthorizationService.AuthorizeAsync(User, "Admin")).Succeeded).

However, when I debug, I cannot find the {http://schemas.microsoft.com/ws/2008/06/identity/claims/role: Admin} entry, and User.IsInRole("Admin") returns false. The user credentials are correct, though. As far as I can see, I have done all the steps. The only thing that I can come up with is that my Azure subscription doesn't allow groups to be added, but I don't see how that could be connected to any of the things I set up. I use no groups, just individual users. What am I missing here? Why don't I see the user roles?

Manifest:

    {
        "allowedMemberTypes": [
            "User"
        ],
        "description": "Admin's have access to everything.",
        "displayName": "Admin",
        "id": "d1c2ade8-98f8-45fd-ba4b-6d06b947c66f",
        "isEnabled": true,
        "lang": null,
        "origin": "Application",
        "value": "Admin"
    },
    "groupMembershipClaims": "SecurityGroup",

Startup.cs

services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
    .AddAzureAD(options => Configuration.Bind("AzureAd", options));

services.AddAuthorization(options =>
{
    options.AddPolicy("Admin", policy => policy.RequireRole("Admin"));
    options.AddPolicy("Packager", policy => policy.RequireRole("Packager"));
});

View:

@if ((await AuthorizationService.AuthorizeAsync(User, "Admin")).Succeeded)
{
    <li><a asp-area="" asp-controller="Home" asp-action="Admin">Admin</a></li>
}

EDIT (May 8th): Using this doc from Microsoft, I got it to work. Added it to my Startup.cs:

services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>
{
    options.Authority = options.Authority + "/v2.0/";         // Microsoft identity platform

    options.TokenValidationParameters.ValidateIssuer = false; // accept several tenants (here simplified)
});

Upvotes: 0

Views: 606

Answers (1)

AlfredoRevilla-MSFT

Reputation: 3485

http://schemas.microsoft.com/ws/2008/06/identity/claims/role is the old SAML claim type format. For OIDC, Azure AD will issue one or more "roles" claims.

To solve it ensure the following code is in place during service configuration:

// Stop the JWT handler from renaming inbound claim types (e.g. "roles" to the legacy URI)
JwtSecurityTokenHandler.DefaultMapInboundClaims = false;

services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
    // Tell the resulting identity which claim type carries roles, so
    // User.IsInRole("Admin") and RequireRole("Admin") look at "roles"
    options.TokenValidationParameters.RoleClaimType = "roles";
});

Upvotes: 1
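The answer's RoleClaimType setting works because ClaimsPrincipal.IsInRole only consults claims whose type equals the identity's RoleClaimType. The following is an added example (not code from the question or the answer) that builds two ClaimsIdentity objects from the same constructed claim set, one with the default role claim type and one with "roles", to show why the policy check succeeds only in the second case. The user name and claim values are constructed placeholders, and the authentication type string is an assumption.

```csharp
// Added example: demonstrates how ClaimsIdentity.RoleClaimType decides whether
// an Azure AD "roles" claim satisfies IsInRole / RequireRole.
using System;
using System.Collections.Generic;
using System.Security.Claims;

static class RoleClaimDemo
{
    // Constructed claims, shaped like the payload of an Azure AD v2.0 ID token for a
    // user assigned the "Admin" app role (app roles are emitted as "roles" claims).
    static IEnumerable<Claim> TokenClaims() => new[]
    {
        new Claim("preferred_username", "user@example.com"), // placeholder value
        new Claim("roles", "Admin"),
    };

    // Default ClaimsIdentity: RoleClaimType is ClaimTypes.Role, i.e. the legacy
    // http://schemas.microsoft.com/ws/2008/06/identity/claims/role URI, so the
    // "roles" claim is never consulted and the check fails closed (access denied).
    public static bool IsAdminWithDefaultRoleType()
    {
        var identity = new ClaimsIdentity(TokenClaims(), "OpenIdConnect"); // auth type is an assumption
        return new ClaimsPrincipal(identity).IsInRole("Admin"); // false
    }

    // Identity built with RoleClaimType = "roles", which is what setting
    // TokenValidationParameters.RoleClaimType = "roles" achieves in the OIDC handler.
    public static bool IsAdminWithRolesType()
    {
        var identity = new ClaimsIdentity(
            TokenClaims(),
            "OpenIdConnect",            // auth type is an assumption
            nameType: "preferred_username",
            roleType: "roles");
        return new ClaimsPrincipal(identity).IsInRole("Admin"); // true
    }

    static void Main()
    {
        Console.WriteLine($"Default role claim type -> IsInRole(\"Admin\"): {IsAdminWithDefaultRoleType()}");
        Console.WriteLine($"RoleClaimType = \"roles\"  -> IsInRole(\"Admin\"): {IsAdminWithRolesType()}");
    }
}
```

The misconfiguration in the question fails closed: a user who does hold the Admin app role is denied rather than an unassigned user being admitted. When changing the role claim type, confirm that the claim you point it at is one the token issuer controls and that the token's issuer and audience are still validated, since authorization decisions now rest entirely on that claim.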
