StudentQuant
Reputation: 1
ASP.NET MVC using Azure AD for Authorization
I am trying to understand Authorization filters using Azure AD(Entra ID) for Authentication and Authorization. I have three roles created in Azure with users assigned to those roles. The app is successfully using Azure for Authentication but the Authorization isnt working.
When I go to https://localhost:sslport/ and https://localhost:sslport/Dashboard it allows all three users access after authenticating agains MS. But if I go to https://localhost:sslport/Dashboard/Settings, https://localhost:sslport/Dashboard/Administrator or https://localhost:sslport/Dashboard/Poweruser I get access denied.
"AzureAd": {
"Instance": "https://login.microsoftonline.com/",
"Domain": "qualified.domain.name",
"TenantId": "d1d5fe91-a895-45d7-964a-8ae51ff19d03",
"ClientId": "ac748c0f-f4f1-4351-b317-977d2edb81e1",
"CallbackPath": "/Signin-oidc",
"SignoutcallbackUrl": "/Signout-oidc"
},
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.HttpsPolicy;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.UI;
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
namespace AzureADRoles
{
public class Startup
{
public Startup(IConfiguration configuration)
{
Configuration = configuration;
}
public IConfiguration Configuration { get; }
// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services)
{
services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAd"));
services.AddAuthorization(options =>
{
options.AddPolicy("RequireAdminRole", policy => policy.RequireRole("Administrator"));
options.AddPolicy("RequirePoweruserRole", policy => policy.RequireRole("Poweruser"));
options.AddPolicy("RequireUserRole", policy => policy.RequireRole("User"));
});
services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
// Set RoleClaimType to "groups" to use Azure AD groups as roles
options.TokenValidationParameters.RoleClaimType = "groups";
});
services.AddControllersWithViews(options =>
{
var policy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.Build();
options.Filters.Add(new AuthorizeFilter(policy));
});
services.AddRazorPages()
.AddMicrosoftIdentityUI();
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
else
{
app.UseExceptionHandler("/Home/Error");
// The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
app.UseHsts();
}
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints.MapControllerRoute(
name: "default",
pattern: "{controller=Home}/{action=Index}/{id?}");
endpoints.MapRazorPages();
});
}
}
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using System.Linq;
namespace AzureADRoles.Controllers
{
//[Authorize(Roles = "Administrator,Poweruser,User")]
public class DashboardController : Controller
{
public IActionResult Index()
{
return View();
}
[Authorize(Policy = "RequireUserRole")]
public IActionResult Settings()
{
return View();
}
[Authorize(Policy = "RequireAdminRole")]
public IActionResult Administrator()
{
return View();
}
[Authorize(Policy = "RequirePoweruserRole")]
public IActionResult Poweruser()
{
return View();
}
}
}
Upvotes: 0
Views: 451
Answers (1)
Tiny Wang
Reputation: 16076
I trust you are trying to realize role-based access control(RBAC), we had a sample here.
We firstly need to have the Azure AD roles and assign to different users, then define and use the policy in the application.
var builder = WebApplication.CreateBuilder(args);
// This flag ensures that the ClaimsIdentity claims collection will be built from the claims in the token
JwtSecurityTokenHandler.DefaultMapInboundClaims = false;
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApp(builder.Configuration);
builder.Services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme,options =>
{
// The claim in the Jwt token where App roles are available.
options.TokenValidationParameters.RoleClaimType = "roles";
});
// Adding authorization policies that enforce authorization using Azure AD roles.
builder.Services.AddAuthorization(options =>
{
options.AddPolicy("mypolicy", policy => policy.RequireRole("Tiny.AccessEndpoint"));
});
builder.Services.AddControllersWithViews(options =>
{
var policy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.Build();
options.Filters.Add(new AuthorizeFilter(policy));
}).AddMicrosoftIdentityUI();
Create Azure AD roles and assign users or groups to this role.
Upvotes: 0
Related Questions
- azure ad difference between group based and role based authorization
- How do you create a custom AuthorizeAttribute in ASP.NET Core?
- Resolving instances with ASP.NET Core DI from within ConfigureServices
- Is it possible to pass authorized scope 'groups' to an Azure Enterprise OIDC app?
- ASP.NET Core Get Json Array using IConfiguration
- ASP.NET Core MVC, Azure Role based Authentication - Authorize Attribute failure - no Role claim returned?
- Dynamically adding policy claims for Blazor authorization
- Authenticate Azure API Management with OAuth2 using Azure AD