Reputation: 668
I used the out-of-the-box config to connect my Blazor app to AAD for SSO and that works great. Now, I am trying to use Azure App Service Roles to authorize users in various parts of the application. I have registered the app in Azure and created two roles. These roles are each assigned AAD groups.
When I look in the manifest the roles are there, so it seems to be configured correctly.
"appRoles": [
{
"allowedMemberTypes": [
"User"
],
"description": "this is the role description ",
"displayName": "Owner",
"id": "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx"
"isEnabled": true,
"lang": null,
"origin": "Application",
"value": "Owner"
},
{
"allowedMemberTypes": [
"User"
],
"description": "this is the role description",
"displayName": "Approver",
"id": "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx",
"isEnabled": true,
"lang": null,
"origin": "Application",
"value": "Approvers"
}
],
My problem is getting these roles in my Blazor Server app. I was following this blog to get the roles configured properly (https://code-maze.com/using-app-roles-with-azure-active-directory-and-blazor-webassembly-hosted-apps/) but it's for WASM. I got to the point of adding the app roles and it wanted this:

```csharp
using Microsoft.AspNetCore.Components.WebAssembly.Authentication;
```

which I don't have in a server app.
I was reading about using MS Graph to get groups from AAD but that seems very complicated and much more than I need.
This one looked promising but I don't think it's using the App Service roles: How to use Azure AppRoles in Blazor Server with Azure Active Directory
Thanks for any direction you can provide
EDIT:
I found this article https://learn.microsoft.com/en-us/aspnet/core/security/authorization/roles?view=aspnetcore-7.0
but I'm on .NET 6 and it doesn't seem to work. It doesn't recognize .AddDefaultIdentity. I do have

```csharp
builder.Services.AddIdentity<IdentityUser, IdentityRole>();
```

but I'm not sure how to add my Azure roles. Is it this, with some role name?

```csharp
builder.Services.AddIdentity<IdentityUser, IdentityRole>()
    .AddRoles(???);
```
Upvotes: 1
Views: 899
Reputation: 668
After a LOT of reading and two different headaches, I learned that the Azure roles come through the user Identity as a claim type of "role". I'm still learning, but to see the claims I added

```csharp
[CascadingParameter]
private Task<AuthenticationState>? authenticationState { get; set; }
```

and in OnInitialized

```csharp
var authState = await authenticationState!;  // await needs the async lifecycle override (OnInitializedAsync)
var test = authState.User.Claims.Where(x => x.Value == "Owner");  // needs System.Linq
```

You can examine the Claims to see all the claims the user has. "Owner" is the name of the role I was looking for, and this worked.
I think you also have to wrap the contents of the App.razor file in a `<CascadingAuthenticationState>`, like so:

```razor
<CascadingAuthenticationState>
    <Router AppAssembly="@typeof(App).Assembly">
        <Found Context="routeData">
            <AuthorizeRouteView RouteData="@routeData" DefaultLayout="@typeof(MainLayout)" />
            <FocusOnNavigate RouteData="@routeData" Selector="h1" />
        </Found>
        <NotFound>
            <PageTitle>Not found</PageTitle>
            <LayoutView Layout="@typeof(MainLayout)">
                <p role="alert">Sorry, there's nothing at this address.</p>
            </LayoutView>
        </NotFound>
    </Router>
</CascadingAuthenticationState>
```
The only hangup I have now is that I can't get the `[Authorize(Roles="Owner")]` attribute to work. I'll work that in another question if I can't figure it out.
Upvotes: 1
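The check in the answer above matches on claim value only, so any claim whose value happens to be "Owner" would satisfy it, and it never looks at the claim type that actually marks an app role. The following is an added example, not code from the question, the answer, or Microsoft's templates. It is a plain C# console program that builds ClaimsPrincipals from constructed claims imitating what the ID token carries, and shows why a value-only check, ClaimsPrincipal.IsInRole (which is what [Authorize(Roles = "...")] ends up calling) and a claim-type-aware check can disagree. Assumptions not stated on the page: the raw token claim is named "roles", and the JWT handler's default inbound claim-type map renames it to ClaimTypes.Role (the URI ending in /claims/role); the helper class AppRoleClaims and all user data are hypothetical. Note also that what arrives in the token is the manifest's `value` field, so the second role from the question arrives as "Approvers", not its displayName "Approver".

```csharp
// Added example (not from the original question or answer).
// Demonstrates how Azure AD app roles surface as claims and why matching on
// claim VALUE alone, or relying on IsInRole with a mismatched role claim type,
// gives the wrong answer. All claims below are constructed test data.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

public static class AppRoleClaims
{
    // Claim types under which an app role can show up (assumption: raw "roles"
    // from the token, or ClaimTypes.Role after the handler's inbound mapping).
    private static readonly string[] RoleClaimTypes = { "roles", ClaimTypes.Role };

    // Every app role carried by the principal, regardless of which mapping applied.
    public static IReadOnlyList<string> GetAppRoles(ClaimsPrincipal user) =>
        user.Claims
            .Where(c => RoleClaimTypes.Contains(c.Type, StringComparer.Ordinal))
            .Select(c => c.Value)
            .Distinct(StringComparer.Ordinal)
            .ToList();

    // Exact, case-sensitive match on claim TYPE and VALUE. A value-only test
    // such as Claims.Where(x => x.Value == "Owner") also accepts any unrelated
    // claim whose value collides with a role name.
    public static bool HasAppRole(ClaimsPrincipal user, string role) =>
        GetAppRoles(user).Contains(role, StringComparer.Ordinal);
}

public static class Program
{
    // roleClaimType: the claim type the token handler emitted the roles under.
    // identityRoleClaimType: what the ClaimsIdentity treats as "the" role claim
    // type; IsInRole and [Authorize(Roles = "...")] only look at that type.
    public static ClaimsPrincipal MakeUser(string roleClaimType, string identityRoleClaimType, params string[] roles)
    {
        var claims = new List<Claim>
        {
            new Claim("preferred_username", "alice@contoso.example"),   // constructed
            new Claim("name", "Owner"),  // constructed non-role claim whose VALUE equals a role name
        };
        claims.AddRange(roles.Select(r => new Claim(roleClaimType, r)));
        var identity = new ClaimsIdentity(claims, "AuthenticationTypes.Federation",
                                          nameType: "preferred_username",
                                          roleType: identityRoleClaimType);
        return new ClaimsPrincipal(identity);
    }

    public static void Main()
    {
        // Case 1: roles were mapped to ClaimTypes.Role and the identity expects
        // that type, so IsInRole (and [Authorize(Roles)]) works.
        var mapped = MakeUser(ClaimTypes.Role, ClaimTypes.Role, "Approvers");
        Console.WriteLine($"mapped   IsInRole(Approvers)   = {mapped.IsInRole("Approvers")}");

        // Case 2: roles kept the raw "roles" type but the identity still expects
        // ClaimTypes.Role: IsInRole silently returns false even though the user
        // holds the role. The type-aware helper still finds it.
        var raw = MakeUser("roles", ClaimTypes.Role, "Approvers");
        Console.WriteLine($"raw      IsInRole(Approvers)   = {raw.IsInRole("Approvers")}");
        Console.WriteLine($"raw      HasAppRole(Approvers) = {AppRoleClaims.HasAppRole(raw, "Approvers")}");

        // Case 3: a user with NO app roles, but a "name" claim whose value is
        // "Owner". The value-only check wrongly says yes; the helper says no.
        var noRoles = MakeUser("roles", "roles");
        bool valueOnly = noRoles.Claims.Any(x => x.Value == "Owner");
        Console.WriteLine($"no roles value-only Owner     = {valueOnly}");
        Console.WriteLine($"no roles HasAppRole(Owner)    = {AppRoleClaims.HasAppRole(noRoles, "Owner")}");
    }
}
```

In the Blazor Server component from the answer, the same idea means replacing `authState.User.Claims.Where(x => x.Value == "Owner")` with `AppRoleClaims.HasAppRole(authState.User, "Owner")`. For `[Authorize(Roles = "Owner")]`, the principal's RoleClaimType has to be the type the role claims were actually emitted under; inspecting `authState.User.Claims` shows which one that is, and if the claims carry a type the identity does not treat as its role type, aligning them (for example by setting `TokenValidationParameters.RoleClaimType` on the OpenID Connect options in Program.cs) is one way to make the attribute work. That configuration step is a suggestion from this editor, not something the page confirms.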