ASP Core Azure Active Directory Login use roles

I created an Azure Active Directory application and I want to use role-based security. I followed the tutorial at: https://azure.microsoft.com/en-us/resources/samples/active-directory-dotnet-webapp-openidconnect-aspnetcore/

The login works, I added roles to the application manifest and assigned the role Approver to my own account. Now I want to use these roles.

After login the following works in the controller:

[Authorize]

But when adding the role the user is not authorized:

[Authorize(Roles="Approver")]

Also the following returns false:

User.IsInRole("Approver");

It seems the roles are not retrieved. Any suggestions on how to add the role functionality to this demo project?

phicon Avatar asked Dec 19 '22 07:12



2 Answers

When using Azure AD for groups, group membership information does not magically appear in an application. You will either need to use the Graph API to get the groups for a user after authenticating, or configure Azure AD to send back claims representing a user's group membership.

Configure Azure AD to send Group Claims:

Change the application manifest by going to Azure Portal => Azure Active Directory => App Registrations => All Apps => select your app => click Manifest in the top action bar.

Change groupMembershipClaims to SecurityGroup.


Once you have that, you should be receiving group claims from Azure AD. You can quickly see that by iterating over the User's Claims property.

The values of the claim will be object IDs; you'll need to know the object ID of the group or groups.


With the ID in hand, you can now define an ASP.NET Core authorization policy like below:

        services.AddAuthorization(options => {
            options.AddPolicy("Approver",
                    policyBuilder => policyBuilder.RequireClaim("groups",
                    "c63b2f53-eff9-4d68-8b47-07f151270c74"));
        });

You are all set to check against this policy, like below:

   [Authorize("Approver")] or
   [Authorize(Policy = "Approver")]
pk_code Avatar answered Dec 30 '22 06:12



This code sample works for me after assigning roles to the account. Please debug the application at this line: User.IsInRole("Approver"); and check whether {http://schemas.microsoft.com/ws/2008/06/identity/claims/role: Approver} exists in the user's claims. And make sure you add roles whose allowedMemberTypes is User, for example:

{
      "allowedMemberTypes": [
        "User"
      ],
      "displayName": "Approver",
      "id": "fc803414-3c61-4ebc-a5e5-cd1675c14bbb",
      "isEnabled": true,
      "description": "Approvers have the ability to change the status of tasks.",
      "value": "Approver"
    },

And you have to assign the user the role in Enterprise applications --> All applications --> find your app --> Users and groups --> add/edit a user and assign roles.

Nan Yu Avatar answered Dec 30 '22 06:12

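As an added example (not code from either answer or from the linked sample), a C# fragment that combines both approaches: an authorization policy satisfied by either the Approver app role or the Approver group claim, plus a diagnostic action that lists the claims the signed-in identity actually carries, which is the check both answers suggest. It assumes the ASP.NET Core MVC setup from the linked sample, and the group object ID is the one quoted in the first answer, used here as a placeholder.

```csharp
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public static class ApproverPolicy
{
    // Placeholder: object ID of the Approver security group quoted in the first
    // answer; replace with the group ID from your own tenant.
    public const string ApproverGroupId = "c63b2f53-eff9-4d68-8b47-07f151270c74";

    // An assigned app role is surfaced as a claim of type
    // http://schemas.microsoft.com/ws/2008/06/identity/claims/role (ClaimTypes.Role),
    // which is what User.IsInRole and [Authorize(Roles = ...)] consult; the group
    // approach instead looks for the group's object ID in the "groups" claim.
    public static bool IsApprover(ClaimsPrincipal user) =>
        user.IsInRole("Approver") || user.HasClaim("groups", ApproverGroupId);

    // Call this from Startup.ConfigureServices (hypothetical helper name).
    public static void Register(IServiceCollection services)
    {
        services.AddAuthorization(options =>
        {
            // Satisfied by either the app role (second answer) or the group claim (first answer).
            options.AddPolicy("Approver", policy =>
                policy.RequireAuthenticatedUser()
                      .RequireAssertion(ctx => IsApprover(ctx.User)));
        });
    }
}

// Diagnostic controller: shows which claims the identity carries, so you can confirm
// whether the role claim or the groups claim is present before blaming the policy.
public class ClaimsController : Controller
{
    [Authorize]
    public IActionResult Index()
    {
        var lines = User.Claims.Select(c => $"{c.Type} = {c.Value}");
        return Content(string.Join("\n", lines), "text/plain");
    }

    [Authorize(Policy = "Approver")]
    public IActionResult ApproversOnly() => Content("You are an approver.", "text/plain");
}
```

If the role claim is missing from the Index output, the role was not assigned to the user (or not assigned via an app role whose allowedMemberTypes includes User), so check the Enterprise applications assignment described in the second answer before changing any code.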