Azure AD B2C :: Roles claim is missing in access token

I have two registered applications in Azure AD B2C: azure functions application and frontend spa application. I call azure functions from frontend app and use implicit authorization flow. I use MSAL npm package to request access token.

I followed this article to setup roles for users: https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps

But the access_token I receive in the frontend app is missing the "roles" claim, and so is the id_token. Here is the access token I receive:

{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "X5eXk4xyojNFum1kl2Ytv8dlNP4-c57dO6QGTVBwaNk"
}.{
  "iss": "https://<tenant_name>.b2clogin.com/<id>/v2.0/",
  "exp": 1595333452,
  "nbf": 1595329852,
  "aud": "3d6123b2-b436-46c0-bcde-e0b61b0ad827",
  "oid": "e98c46c4-f13d-428e-9b7d-28ba3abeb060",
  "sub": "e98c46c4-f13d-428e-9b7d-28ba3abeb060",
  "name": "Basic User",
  "emails": [
    "[email protected]"
  ],
  "tfp": "B2C_1_signin_v2",
  "nonce": "a70eece3-31d2-4cc3-8abb-0a56a95d4ba1",
  "scp": "demo.read",
  "azp": "d7787de1-6642-409f-b0b9-2f5608476367",
  "ver": "1.0",
  "iat": 1595329852
}.[Signature]

Why are there no roles in it?

TanyaMy asked Sep 17 '25 06:09



2 Answers

Application roles are not currently supported in Azure AD B2C.

You can raise a user voice request on the Azure feedback portal or vote for an existing one.

For now, you can call MS Graph from an AAD B2C custom policy; a custom policy is able to call APIs using OAuth client credentials.

You can query the user's group membership and then return the data back to the B2C policy directly, and issue it into the token.

https://learn.microsoft.com/en-us/azure/active-directory-b2c/secure-rest-api#oauth2-bearer-authentication

Then use this to get the data from MS Graph

https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-policy-rest-api-claims-exchange

or

You need to use either groups to manage this, or create an AAD app inside the B2C tenant and do the app role assignments there. Then, during the B2C policy execution, call a REST API to query the roles for the user and insert them into the B2C token. You need to use a custom policy for this one. Please refer to a GitHub sample similar to this.

Raghavendra beldona answered Sep 19 '25 19:09



As far as I can remember, B2C doesn't support Role claims. I've had to make use of a custom claim in the past and Sven Glöckner has written an article that describes something similar to what I've done.

In my case, I've added the role claim with a default value of 'appMember', which was like the main role for a user on the site, and if he had a UPN extension of our company, he would get a role like 'internalUser'. This is how we distinguished the permissions that would apply to the security trimming and downstream calls.

Michael vd Berg answered Sep 19 '25 19:09

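The role rule this answer describes (everyone is 'appMember'; users with a company UPN also get 'internalUser') is the kind of logic the custom-policy REST API computes before returning the custom claim. Below is an added example, not the answerer's code: the derivation step in Node.js, plus a payload decoder the SPA from the question can use to confirm the claim actually arrived in the token. The company domain `contoso.example` and the claim names `upn` and `emails` (the latter as B2C issues it in the token above) are assumptions; the decoder only inspects, it does not verify the signature, so it is for diagnostics and UI trimming, while authorization stays with the API that validates the JWT.

```javascript
// Added example: derive 'appMember' / 'internalUser' from the claims the policy
// sends to the REST API. Domain and claim names are assumptions, not from the answer.
const INTERNAL_DOMAINS = new Set(['contoso.example']); // constructed placeholder

// Return the lower-cased domain of a UPN/email, or null if it is not shaped like one.
function domainOf(upn) {
  if (typeof upn !== 'string') return null;
  const at = upn.lastIndexOf('@');
  if (at <= 0 || at === upn.length - 1) return null;
  const domain = upn.slice(at + 1).trim().toLowerCase();
  return /^[a-z0-9.-]+$/.test(domain) ? domain : null;
}

// Exact whole-domain match only: 'evil-contoso.example' and
// 'contoso.example.attacker.test' must not be treated as internal.
function isInternalUpn(upn) {
  const domain = domainOf(upn);
  return domain !== null && INTERNAL_DOMAINS.has(domain);
}

// claims: the JSON body the policy posts (e.g. { upn, emails: [...] }).
// Returns the value to place in the custom "roles" claim.
function deriveRoles(claims) {
  const roles = ['appMember']; // default for every signed-in user
  const identifiers = [];
  if (claims && typeof claims.upn === 'string') identifiers.push(claims.upn);
  if (claims && Array.isArray(claims.emails)) identifiers.push(...claims.emails);
  if (identifiers.some(isInternalUpn)) roles.push('internalUser');
  return roles;
}

// Decode (NOT verify) a compact JWT's payload so the SPA can check that the
// "roles" claim was issued. Authorization decisions belong to the API that
// validates the signature against the B2C JWKS.
function decodeJwtPayload(jwt) {
  const parts = String(jwt).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}

// Convenience for the SPA: the roles claim as an array, or [] when absent.
function rolesFromToken(jwt) {
  const roles = decodeJwtPayload(jwt).roles;
  if (Array.isArray(roles)) return roles;
  if (typeof roles === 'string') return roles.split(',').map((r) => r.trim()).filter(Boolean);
  return [];
}

module.exports = { deriveRoles, isInternalUpn, decodeJwtPayload, rolesFromToken };
```

The domain check is deliberately an exact match on the whole domain rather than a suffix test, and a role derived from an email domain is only as trustworthy as the identity provider's verification of that address; with social or unverified sign-ups, prefer an explicit group or app role assignment looked up by objectId.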