JakeUT

Reputation: 527

Azure AD roles claim missing in Token

I have an app where the AzureAD login is working fine. However, I would like to identify if the user is in a custom role defined on the App Registration.

I have added my user account to the custom role in the Enterprise Application linked to the App Registration.

The App Registration is set up with ID Token checked.

I have my program.cs with the following code:

builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"));

builder.Services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
    options.TokenValidationParameters.RoleClaimType = "roles";
});

Yet when I look at the User object, it has all my user information but no claim for roles.

Any idea why?

Thanks in advance, Jake.

EDIT: Claims token screenshot (URL instead of friendly name for roles, tid, etc.)

Upvotes: 1

Views: 4853

Answers (1)

Rukmini

Reputation: 15574

To get the Azure AD role claims in the ID token, check the below:

Create App roles in the Azure AD Application.

In the Enterprise Application, I added the role for a user.

Now, I generated tokens via Postman using below parameters:

https://login.microsoftonline.com/TenantID/oauth2/v2.0/token

client_id:ClientID
scope:ClientID/.default openid
code:code
redirect_uri:https://jwt.ms
grant_type:authorization_code
client_secret:ClientSecret


When I decoded the ID token, the roles were displayed successfully.

The role claims will also be displayed in the access token.

Now, I tried to sign in with a user who is not assigned any roles in the application, and the role claims did not display in the ID token.

To get Azure AD role claims using an ASP.NET Core web app, refer to this GitHub blog by aremo-ms.

In your Startup.cs file, modify the code like below:

using System.IdentityModel.Tokens.Jwt;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

public void ConfigureServices(IServiceCollection services)
{
    // Keep the short JWT claim names ("roles", "tid", ...) instead of mapping them
    // to the long schemas.microsoft.com URIs; otherwise "roles" is not found under that name.
    JwtSecurityTokenHandler.DefaultMapInboundClaims = false;

    services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
    {
        options.TokenValidationParameters.RoleClaimType = "roles";
    });

    // AuthorizationPolicies and AppRole are the constant classes from the linked sample.
    services.AddAuthorization(options =>
    {
        options.AddPolicy(AuthorizationPolicies.AssignmentToUserReaderRoleRequired,
            policy => policy.RequireRole(AppRole.UserReaders));
        options.AddPolicy(AuthorizationPolicies.AssignmentToDirectoryViewerRoleRequired,
            policy => policy.RequireRole(AppRole.DirectoryViewers));
    });
}

// In code (controllers and elsewhere):
[Authorize(Policy = AuthorizationPolicies.AssignmentToDirectoryViewerRoleRequired)]
// or, inside a method:
User.IsInRole("UserReaders");

Reference:

Add app roles and get them from a token - Microsoft Entra

Upvotes: 3
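As an added example (not code from the question, the answer, or the linked sample), the following Python simulation shows why a "roles" claim that is present in the ID token (as the answer's decoded token confirms) can still look missing from the User object (the question's symptom, and the "URL instead of friendly name" in the edit): .NET's inbound claim-type mapping renames short JWT claim names to long URIs, so a lookup under RoleClaimType "roles" finds nothing until mapping is switched off (DefaultMapInboundClaims = false) or RoleClaimType is set to the URI. The token payloads are constructed, the client and tenant IDs are placeholders, and the two map entries are my recollection of a subset of the .NET default map, not the library itself. It also covers the answer's last observation: a user with no app-role assignment gets no roles claim at all, and a fail-closed check must deny that user.

```python
import json

# Constructed sample ID-token payloads (NOT real tokens). Only the claim set is
# modelled; signature, issuer and audience validation are the middleware's job.
ID_TOKEN_WITH_ROLES = json.dumps({
    "aud": "00000000-0000-0000-0000-000000000000",   # placeholder client ID
    "tid": "11111111-1111-1111-1111-111111111111",   # placeholder tenant ID
    "preferred_username": "jake@contoso.example",
    "roles": ["UserReaders"],                        # app role assigned in the Enterprise Application
})
ID_TOKEN_NO_ROLES = json.dumps({
    "aud": "00000000-0000-0000-0000-000000000000",
    "tid": "11111111-1111-1111-1111-111111111111",
    "preferred_username": "nobody@contoso.example",
    # Azure AD omits "roles" entirely for a user with no app-role assignment.
})

# Long claim-type URIs that .NET's JwtSecurityTokenHandler substitutes for the
# short JWT names when DefaultMapInboundClaims is true. Assumption: a subset of
# the default map, reproduced from memory for the claims used here.
CLAIM_TYPES_ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
CLAIM_TYPES_TENANT = "http://schemas.microsoft.com/identity/claims/tenantid"
INBOUND_CLAIM_TYPE_MAP = {"roles": CLAIM_TYPES_ROLE, "tid": CLAIM_TYPES_TENANT}


def to_claims(payload_json, map_inbound_claims):
    """Flatten a token payload into (type, value) pairs, like a ClaimsPrincipal.

    With map_inbound_claims=True the short JWT names are renamed to the long
    URIs, which is what makes "roles" look "missing" when you search for it.
    """
    claims = []
    for name, value in json.loads(payload_json).items():
        claim_type = INBOUND_CLAIM_TYPE_MAP.get(name, name) if map_inbound_claims else name
        values = value if isinstance(value, list) else [value]   # "roles" is a JSON array
        claims.extend((claim_type, str(v)) for v in values)
    return claims


def roles_of(claims, role_claim_type):
    """Roles as seen through RoleClaimType: only claims of exactly that type count."""
    return sorted(value for claim_type, value in claims if claim_type == role_claim_type)


def is_in_role(claims, role_claim_type, role):
    """Equivalent of User.IsInRole(role) under a given RoleClaimType."""
    return role in roles_of(claims, role_claim_type)


def require_role(claims, role_claim_type, role):
    """Equivalent of [Authorize(Policy=...)] with RequireRole: fail closed."""
    if not is_in_role(claims, role_claim_type, role):
        raise PermissionError(f"role '{role}' required but not present in token")
    return True


def diagnose(payload_json):
    """Return the roles visible under each of the three configurations discussed."""
    return {
        # Mapping on + RoleClaimType="roles": the symptom from the question.
        "mapped_lookup_roles": roles_of(to_claims(payload_json, True), "roles"),
        # Mapping on + RoleClaimType set to the long URI: the roles reappear.
        "mapped_lookup_uri": roles_of(to_claims(payload_json, True), CLAIM_TYPES_ROLE),
        # Mapping off (DefaultMapInboundClaims=false) + "roles": the answer's fix.
        "unmapped_lookup_roles": roles_of(to_claims(payload_json, False), "roles"),
    }


if __name__ == "__main__":
    print(diagnose(ID_TOKEN_WITH_ROLES))
    print(diagnose(ID_TOKEN_NO_ROLES))
    try:
        require_role(to_claims(ID_TOKEN_NO_ROLES, False), "roles", "UserReaders")
    except PermissionError as exc:
        print("denied:", exc)
```

The two fixes are equivalent only if applied consistently: whichever claim type RoleClaimType names must be the one the handler actually emits, or every RequireRole policy silently evaluates to false. Treating an absent roles claim as "no roles" (deny) rather than as an error is the safe default, since Azure AD omits the claim for unassigned users rather than sending an empty array.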
