Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Azure AD v2 roles not included in Access Token

Tags:

c#

asp.net-core

active-directory

azure-active-directory

azure-ad-graph-api

I'm using https://login.microsoftonline.com/.../oauth2/v2.0/token to authenticate (authorization_code grant) to azure Ad using the scopes: offline_access, openid, profile, User.Read

According to the documentation the Access Token I receive should contain the roles of the user: https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens

However only the identity token returns the roles:

--Access Token
{
  "typ": "JWT",
  "nonce": "IWTwK2P0vzHoNnv1vvvSsjZSbAYPpSIk8MozY0A4WR0",
  "alg": "RS256",
  "x5t": "nOo3ZDrODXEK1jKWhXslHR_KXEg",
  "kid": "nOo3ZDrODXEK1jKWhXslHR_KXEg"
}.{
...
  "rh": "0.ASgASPp-HouAsUyXCdG05vvfeHAoPPG46TFOoWYsil-LDcsoADw.",
  "scp": "User.Read profile openid email",
...
}.[Signature]

--Identity Token
{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "nOo3ZDrODXEK1jKWhXslHR_KXEg"
}.{
...
  "rh": "0.ASgASPp-HouAsUyXCdG05vvfeHAoPPG46TFOoWYsil-LDcsoADw.",
  "roles": [
    "MyApp.Read",
    "MyApp.Admin",
    "MyApp.Write",
  ],
...
}.[Signature]

Is there a way to make the access token also include the roles?

like image 993
Murdock Avatar asked Feb 24 '21 09:02

Murdock

1 Answers

Thanks to @juunas for the tip, @juunas is right. If you are using a custom api, the user token can also contain roles claim.

You need to create two applications in Azure, one representing the client application and the other representing the api application, and then use the client application to call the api application.

First, you need to expose the API of the back-end application protected by Azure and add the client application:

enter image description here

Next you need to set the api application AppRole, which is your customized role, and it will be displayed in the manifest.

enter image description here

Then you can assign the role to the user. Go to enterprise application>your api application>Users and groups.

enter image description here

Next, go to the client application, give your client application access to your backend api:

  • Under 'API permissions' click on 'Add permission', then click on the 'My APIs' tab.
  • Find your backend application and select the appropriate scope.
  • Click 'Add permissions'.
  • Grant admin consent for your APIs.

Next, you need to use the auth code flow to obtain an access token,which requires you to log in to the user and obtain the authorization code, and then use the authorization code to redeem the access token.

enter image description here

Parse the token, it contains both scp claims and roles claims.

enter image description here

like image 54
Carl Zhao Avatar answered Oct 09 '22 22:10

Carl Zhao
Sign in to Comment

Related questions

What's the counterpart to JObject.FromObject in System.Text.Json
Using Active Directory and Windows Authentication to give custom roles in Blazor Server
How to disable the default authentication scheme, when non-default schema is provided
Cookie.ExpireTimeSpan ignored and set to Session in CookieAuthentication
Swagger response description not shown
RSA Disposed Object Error - every other test
Can a C# class call an interface's default interface method from its own implementation?
JWT Bearer Token not working with ASP.Net Core 3.1 + Identity Server 4
Entity Framework Core where clause with multiple values
EF Core - How to Configure Column Type depending on the Database Provider used
Underlying connection was closed with linkedin
Entity Framework and SQLite, the ultimate how-to
.NET Core 3.1 HttpClient throws exception intermittently: SocketException: The I/O operation has been aborted because of either a thread exit or an
How to Mock BlobContainerClient() of Azure.Storage.Blobs?
SSL Client Authentication with certificate using c#
CallerArgumentExpression always null
How to deserialize an empty string to a null value for all `Nullable<T>` value types using System.Text.Json? [closed]
Is there a way to start the EventStore served in Windows (without using docker at all)?
DotNet not valid certificate found
BLE GATT getting disconnected sometimes after connection with exception 'GattCallback error: 133' in xamarin forms

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!