Roles/Groups Azure Active Directory and access them with Blazor WASM AuthorizeView

Question

Hey Login and Logout works as expected.

I have created roles in the App registration.

In the Manifest I have changed groupMembershipClaims from null to "All"

"groupMembershipClaims": "All",

Those roles have been assigned to me (Alex) and to 2 created groups (enterprise application screenshot):

Programm.cs / Added options.UserOptions.RoleClaim = "appRole"

  builder.Services.AddMsalAuthentication(options =>
    {
        builder.Configuration.Bind("AzureAd", options.ProviderOptions.Authentication);
        options.ProviderOptions.DefaultAccessTokenScopes
            .Add("https://graph.microsoft.com/User.Read");
        options.ProviderOptions.LoginMode = "redirect";
        options.UserOptions.RoleClaim = "appRole";
    });

When I try to access them, for example with: Roles="dog_cc_ma"

@page "/"
@inject Microsoft.Extensions.Localization.IStringLocalizer localizer
@attribute [Authorize]

@localizer["helloworld"]!


    
        Hello, @context.User.Identity?.Name! 

        @context.User.Identity?.AuthenticationType;
           
                @foreach (var claim in context.User.Identities)
                {
                    @claim.RoleClaimType
                    @claim.AuthenticationType
                    @claim.Actor
                    @claim.NameClaimType
                    @claim.Label
                
                }
                
             
    
    
  
    



    You can only see this if you're an admin or superuser.
    Hello, @context.User.Identity?.Name! 



    You can only see this if you have a dog insurance.
    Hello, @context.User.Identity?.Name! 



    You can only see this if you have a travel insurance.
    Hello, @context.User.Identity?.Name!

It doesn't work, anyone know why....?

claim.loop

Best, Alex

Alexander · Accepted Answer

SOLUTION

Add 2 classes and 1 extra to Program.cs, than it works.

RemoteUserAccount.cs

public class CustomUserAccount : RemoteUserAccount
    {
        [JsonPropertyName("roles")]
        public string[] Roles { get; set; } = Array.Empty();

    }

CustomAccountFactory.cs

public class CustomAccountFactory
: AccountClaimsPrincipalFactory
{
    private readonly ILogger logger;
    private readonly IServiceProvider serviceProvider;

    public CustomAccountFactory(IAccessTokenProviderAccessor accessor,
        IServiceProvider serviceProvider,
        ILogger logger)
        : base(accessor)
    {
        this.serviceProvider = serviceProvider;
        this.logger = logger;
    }
    public async override ValueTask CreateUserAsync(
        CustomUserAccount account,
        RemoteAuthenticationUserOptions options)
    {
        var initialUser = await base.CreateUserAsync(account, options);

        if (initialUser.Identity.IsAuthenticated)
        {
            var userIdentity = (ClaimsIdentity)initialUser.Identity;

            foreach (var role in account.Roles)
            {
                userIdentity.AddClaim(new Claim("appRole", role));
            }
        }

        return initialUser;
    }
}

Program.cs

builder.Services.AddMsalAuthentication  (options =>
            {
                builder.Configuration.Bind("AzureAd", options.ProviderOptions.Authentication);
                options.ProviderOptions.DefaultAccessTokenScopes
                    .Add("https://graph.microsoft.com/User.Read");
                options.ProviderOptions.LoginMode = "redirect";
                options.UserOptions.RoleClaim = "appRole";
            }).AddAccountClaimsPrincipalFactory();

Roles/Groups Azure Active Directory and access them with Blazor WASM AuthorizeView

Answers (1)

Related Questions