FullMdM

Reputation: 51

Azure AD - return roles and groups in token SPA application

I created an Angular application with Implicit Grant Flow for authentication and a Web Api in .Net Core 3.1 following this tutorial: https://github.com/Azure-Samples/ms-identity-javascript-angular-spa-aspnetcore-webapi

The problem is: I need to return the roles and/or groups of the logged-in user within the bearer token to authorize my API, but I'm not able to do so.

I added the roles to the App Registration manifest, added the claim 'groups' in the Token configuration menu and set "User assignment required?" to Yes in my Enterprise Application configuration.

Even with all these configurations, I'm not able to return the roles/groups claims in the bearer token.

Example of the (decoded) access token the authentication returns:

    {
      "ver": "2.0",
      "iss": "https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0",
      "sub": "AAAAAAAAAAAAAAAAAAAAABTOBMzzWB5LS36oSmQMgyc",
      "aud": "ecb5e87f-6f34-4f05-8e8d-8d6149178926",
      "exp": 1597173984,
      "iat": 1597170084,
      "nbf": 1597170084,
      "name": "name",
      "preferred_username": "[email protected]",
      "oid": "00000000-0000-0000-fa54-d112egdce65a",
      "tid": "9188040d-6c67-4c5b-b112-36a304b643ad",
      "azp": "edeb4b7d-9cac-4f3b-a21d-ead77993689e",
      "scp": "access_as_user",
      "azpacr": "0",
      "aio": "DYNhHjG*PSY1ceuC11yaLYcLta8zh49iA!l2UCbCsH9QlaUkEHVQ4paQFRmb!qv7J6yTbAQItGWDgCW9UgUipz4Xnma*DOkFFDNIZ5lkffThD*ie91XMzZIoPhUPwNHOt5dLrw3VASE2WCvJfvDFOQk$"
    }

Am I doing something wrong? Is there any other way to authorize the logged-in user in a SPA application, return the token with the roles and groups, and send it to the Web API?

Upvotes: 1

Views: 1040
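A quick way to see which authorization claims Azure AD actually placed in a bearer token is to base64url-decode its payload and look for `roles`, `groups` and the group-overage markers. The script below is an added example, not code from the question or from the linked Azure sample. It only decodes; it does not verify the signature, so it is a debugging aid for the developer, never the API's authorization check (the API must validate signature, issuer and audience before trusting any claim). The sample tokens are constructed inline with placeholder client IDs and a dummy signature; they are not real Azure AD tokens. Two facts the report relies on: in a v2.0 access token the `roles` claim is populated from the app roles defined on the app registration whose client ID is the token's `aud` (the API, not the SPA), and when a user belongs to more groups than fit in the token, Azure AD emits an overage marker (`hasgroups: true` for implicit flow, or `_claim_names`/`_claim_sources`) instead of the `groups` array, in which case the API must query Microsoft Graph for memberships.

```javascript
// Added diagnostic (not from the original post or the Azure sample).
// Decodes a JWT payload and reports which authorisation claims are present.
// No signature verification: debugging only, never an authorisation decision.

function base64UrlEncode(str) {
  // base64url = base64 with URL-safe alphabet and no padding (RFC 7515 §2)
  return Buffer.from(str, "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function base64UrlDecode(segment) {
  const base64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = base64 + "=".repeat((4 - (base64.length % 4)) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) {
    throw new Error("not a compact JWS: expected header.payload.signature");
  }
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Summarise the claims that matter for role/group based authorisation.
function inspectAuthorizationClaims(token) {
  const claims = decodeJwtPayload(token);
  const roles = Array.isArray(claims.roles) ? claims.roles : [];
  const groups = Array.isArray(claims.groups) ? claims.groups : [];
  // Overage marker: the user has groups but they were not embedded.
  const groupsOverage = claims.hasgroups === true || claims._claim_names !== undefined;
  const findings = [];

  if (roles.length > 0) {
    findings.push(`roles present: ${roles.join(", ")} (app roles of aud ${claims.aud})`);
  } else {
    findings.push(`roles missing: no app role assigned to this user on the registration with client ID ${claims.aud}`);
  }

  if (groups.length > 0) {
    findings.push(`groups present: ${groups.length} group object ID(s)`);
  } else if (groupsOverage) {
    findings.push("groups overage: membership not embedded; query Microsoft Graph for the user's groups");
  } else {
    findings.push("groups missing: groups claim not configured on the app registration that is the aud of this token");
  }

  return { aud: claims.aud, azp: claims.azp, scp: claims.scp, roles, groups, groupsOverage, findings };
}

// Constructed sample tokens with placeholder IDs and a dummy signature,
// shaped like the token in the question (aud = API, azp = SPA).
function buildUnsignedToken(payload) {
  const header = base64UrlEncode(JSON.stringify({ alg: "RS256", typ: "JWT" }));
  return `${header}.${base64UrlEncode(JSON.stringify(payload))}.dummysignature`;
}

const BASE_PAYLOAD = { ver: "2.0", aud: "api-app-client-id", azp: "spa-app-client-id", scp: "access_as_user" };
const TOKEN_WITHOUT_ROLES = buildUnsignedToken(BASE_PAYLOAD);
const TOKEN_WITH_ROLES = buildUnsignedToken({ ...BASE_PAYLOAD, roles: ["TaskAdmin"], groups: ["group-object-id-1"] });
const TOKEN_GROUP_OVERAGE = buildUnsignedToken({ ...BASE_PAYLOAD, hasgroups: true });

for (const t of [TOKEN_WITHOUT_ROLES, TOKEN_WITH_ROLES, TOKEN_GROUP_OVERAGE]) {
  console.log(inspectAuthorizationClaims(t).findings.join(" | "));
}
```

Run against the real token from the question (paste the bearer string in place of one of the constructed ones) and the first finding tells you whether the roles problem is on the API's registration: the `aud` in the question is the API's client ID, so app roles defined on the SPA's manifest will never show up there.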

Answers (2)

Borko Stankovic

Reputation: 11

Hi. You need to go to Azure AD -> App registrations -> your app -> Token configuration -> Add groups claim -> then select the Security groups checkbox. Save. Then log out and log in again, and the groups should be in the token under "groups".

Upvotes: 0

Allen Wu

Reputation: 16438

You should add the App Role into the manifest of the service app (TodoListAPI) rather than the client app (TodoListSPA).

Don't forget to assign the App Role to the users.

This should be able to fix your issue.

Upvotes: 0
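The manifest entry this answer refers to, as an added example rather than anything posted in the thread or taken from the Azure sample: an `appRoles` entry placed in the manifest of the API's app registration (TodoListAPI in the sample). The role name, description and the GUID in `id` are placeholders chosen for illustration; `id` must simply be a GUID that is unique within the registration.

```json
{
  "appRoles": [
    {
      "allowedMemberTypes": [ "User" ],
      "description": "Placeholder role for illustration: can read and write all tasks",
      "displayName": "TaskAdmin",
      "id": "11111111-2222-3333-4444-555555555555",
      "isEnabled": true,
      "value": "TaskAdmin"
    }
  ]
}
```

After saving the manifest, assign the user to the role under Enterprise applications -> TodoListAPI -> Users and groups. The `value` string then appears in the `roles` claim of access tokens whose `aud` is the API's client ID, which is exactly the token shape in the question; a role defined on the SPA's own registration (the `azp` of that token) does not affect it.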
