Reputation: 853
I'm building a web API with .NET Core 3.1, secured with Azure Active Directory. The web API controllers should be authorized based on Azure Active Directory groups. I get the user's groups in the access_token, but I need to check those groups with the MS Graph API because sometimes a user could have more than 200 groups and the token's groups claim would be empty. I don't know how to do that with the MS Graph API.
My Controller
[Authorize(Policy = "UserGroup")]
[Route("api/[controller]")]
[ApiController]
public class ValuesController : ControllerBase
{
    [HttpGet]
    public IActionResult Get()
    {
        return Ok("value");
    }
}
Startup.cs
public class Startup
{
    public Startup(IWebHostEnvironment environment)
    {
        var builder = new ConfigurationBuilder()
            .SetBasePath(environment.ContentRootPath)
            .AddJsonFile("appsettings.json", optional: false, reloadOnChange: true)
            .AddEnvironmentVariables();
        Configuration = builder.Build();
    }

    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers();
        // Validates incoming Azure AD bearer tokens using the "AzureAd" section of appsettings.json
        services.AddMicrosoftIdentityWebApiAuthentication(Configuration, "AzureAd");
        services.AddAuthorization(options =>
        {
            // Policy name must match the [Authorize(Policy = "UserGroup")] attribute on the controller
            options.AddPolicy("UserGroup",
                policyBuilder => policyBuilder.RequireClaim("groups",
                    Configuration.GetValue<string>("AzureSecurityGroup:UserGroup")));
        });
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }
        app.UseHttpsRedirection();
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints =>
        {
            endpoints.MapControllers();
        });
    }
}
appsettings.json
{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "ClientId": "my-client-id",
    "ClientSecret": "my-client-secret",
    "Domain": "mydomain.com",
    "TenantId": "my-Tenant-id"
  },
  "AzureSecurityGroup": {
    "UserGroup": "ExampleGroupID"
  }
}
Thank you
Upvotes: 0
Views: 955
Reputation: 16438
For a user who could have more than 200 groups, you can check _claim_names and make a call to the endpoint under _claim_sources to fetch the groups of the user.
You can also directly call the Microsoft Graph API to retrieve the current user's groups and authorize based on those groups.
Sample code in this answer for your reference.
Upvotes: 1
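The approach the answer describes, written out as an added example that is not code from the question, the answer, or Microsoft.Identity.Web itself: a custom authorization requirement and handler. The handler first honours the "groups" claim when the token carries it; only when the token shows the groups-overage marker (_claim_names/_claim_sources, or hasgroups) does it call Microsoft Graph's /me/checkMemberGroups, which asks about the one required group instead of enumerating all of the user's groups. Assumptions: Microsoft.Identity.Web with token acquisition enabled (ITokenAcquisition), the System.Net.Http.Json package for .NET Core 3.1, and that the API's app registration has been granted a delegated Graph permission sufficient for checkMemberGroups (User.Read.All is used here as an assumed value; adjust to what your tenant grants). The class and method names are the example's own.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Net.Http.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;

// Hypothetical requirement: caller must be a member of one Azure AD group (by object id).
public class GroupMembershipRequirement : IAuthorizationRequirement
{
    public string GroupId { get; }
    public GroupMembershipRequirement(string groupId) => GroupId = groupId;
}

public class GroupMembershipHandler : AuthorizationHandler<GroupMembershipRequirement>
{
    private readonly ITokenAcquisition _tokenAcquisition;
    private readonly IHttpClientFactory _httpClientFactory;

    // Assumed scope: a delegated permission that allows /me/checkMemberGroups.
    private static readonly string[] GraphScopes = { "https://graph.microsoft.com/User.Read.All" };

    public GroupMembershipHandler(ITokenAcquisition tokenAcquisition, IHttpClientFactory httpClientFactory)
    {
        _tokenAcquisition = tokenAcquisition;
        _httpClientFactory = httpClientFactory;
    }

    protected override async Task HandleRequirementAsync(
        AuthorizationHandlerContext context, GroupMembershipRequirement requirement)
    {
        var user = context.User;

        // Fast path: the access token carries the groups claim and it contains the required group.
        if (user.HasClaim("groups", requirement.GroupId))
        {
            context.Succeed(requirement);
            return;
        }

        // Overage: Azure AD omits "groups" and emits _claim_names/_claim_sources
        // (or hasgroups in implicit flow) when the user has too many groups.
        // If there is no overage marker, the groups really were in the token and
        // the required one is absent, so the requirement stays unmet (deny).
        bool overage = user.HasClaim(c => c.Type == "_claim_names")
                    || user.HasClaim(c => c.Type == "hasgroups");
        if (!overage)
        {
            return;
        }

        // On-behalf-of: exchange the caller's token for a Graph token for the same user.
        string graphToken = await _tokenAcquisition.GetAccessTokenForUserAsync(GraphScopes, user: user);

        // checkMemberGroups answers only for the ids we ask about (transitive membership),
        // so the 200-group limit of the token claim does not apply.
        var client = _httpClientFactory.CreateClient();
        using var request = new HttpRequestMessage(HttpMethod.Post,
            "https://graph.microsoft.com/v1.0/me/checkMemberGroups");
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", graphToken);
        request.Content = JsonContent.Create(new { groupIds = new[] { requirement.GroupId } });

        using var response = await client.SendAsync(request);
        response.EnsureSuccessStatusCode();
        var body = await response.Content.ReadFromJsonAsync<CheckMemberGroupsResponse>();

        foreach (var id in body?.Value ?? new List<string>())
        {
            if (string.Equals(id, requirement.GroupId, StringComparison.OrdinalIgnoreCase))
            {
                context.Succeed(requirement);
                return;
            }
        }
    }

    private class CheckMemberGroupsResponse
    {
        public List<string> Value { get; set; }
    }
}

public static class GroupAuthorizationSetup
{
    // Replaces the services.AddMicrosoftIdentityWebApiAuthentication / AddAuthorization
    // lines in Startup.ConfigureServices. The handler is scoped because ITokenAcquisition is.
    public static void ConfigureGroupAuthorization(IServiceCollection services, IConfiguration configuration)
    {
        services.AddMicrosoftIdentityWebApiAuthentication(configuration, "AzureAd")
            .EnableTokenAcquisitionToCallDownstreamApi()
            .AddInMemoryTokenCaches();
        services.AddHttpClient();
        services.AddScoped<IAuthorizationHandler, GroupMembershipHandler>();
        services.AddAuthorization(options =>
        {
            string groupId = configuration.GetValue<string>("AzureSecurityGroup:UserGroup");
            options.AddPolicy("UserGroup", policy =>
                policy.AddRequirements(new GroupMembershipRequirement(groupId)));
        });
    }
}
```

Because the Graph call only runs on the overage path, normal users are still authorized from the token alone, and a token whose groups claim is present but lacks the required group is denied without any network call. The EnableTokenAcquisitionToCallDownstreamApi step is what makes the on-behalf-of exchange work, so the ClientSecret in appsettings.json is required for it.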