ASP Core Azure Active Directory Login use roles

Question

I created an Azure Active Directory Application and i want to use role based security. I followed the tutorial on: https://azure.microsoft.com/en-us/resources/samples/active-directory-dotnet-webapp-openidconnect-aspnetcore/

The login works, I added roles to the application manifest and assigned the role Approver to my own account. Now i want to use these roles.

After login the following works in the controller:

[Authorize]

But when adding the role the user is not authorized:

[Authorize(Roles="Approver")]

Also the following returns false:

User.IsInRole("Approver");

It seems the roles are not retreived, any suggestions on how to add the role functionality to this demo project?

Answer 1

While using Azure AD For Groups, group membership information does not magically appear in an application, You will either need to use Graph API to get groups for a user after authenticating, Or Configure Azure AD to send back claims representing a user's group membership.

Configure Azure AD to send Group Claims:

Change application manifest by going Under Azure Portal => Azure Active Directory => App Registrations => All Apps => Select Your App => click the manifest from top action bar

Change groupMembershipClaims to SecurityGroup,

Once you have that, you should be receiving Group claims From Azure AD, We Can quickly see that by iterating over User 's Claims Property.

The value of claim will be Object IDs, You’ll need to know the object ID of the group or groups.

With the ID in hand, you can now define an ASP.NET Core authorization policy like below,

        services.AddAuthorization(options => {
            options.AddPolicy("Approver",
                    policyBuilder => policyBuilder.RequireClaim("groups",
                    "c63b2f53-eff9-4d68-8b47-07f151270c74"));
        });

You are all set to check against this policy, like below:

   [Authorize("Approver")] OR
   [Authorize(Policy = "Approver")]

Answer 2

This code sample works for me after assign roles to account . Please debug application in this line: User.IsInRole("Approver"); , check whether {http://schemas.microsoft.com/ws/2008/06/identity/claims/role: Approver}exists in user claims . And make sure you add roles which allowedMemberTypes is user , for example :

{
      "allowedMemberTypes": [
        "User"
      ],
      "displayName": "Approver",
      "id": "fc803414-3c61-4ebc-a5e5-cd1675c14bbb",
      "isEnabled": true,
      "description": "Approvers have the ability to change the status of tasks.",
      "value": "Approver"
    },

And you have assign the user role in Enterprise applications-->All applications--> find your app-->Users and groups--> add/edit a user and assign roles :