PHP Azure OAuth JWT App Roles

I've created an application in an Azure AD from a manifest with several appRoles inside of it, and I can assign users to these roles. After a user completes the single sign-on and returns to my application, I then request a JSON Web Token from their login. The problem is, there are no assigned roles listed in the token I get back from Azure, as it would suggest there's supposed to be here.

Is there a configuration option I'm missing or is there an alternate way to find out their assigned role through the Azure Graph API?


Update:

After specifying the resource as the App ID URI when requesting the authorisation URL I've managed to get a little further.

I'm now getting back the following error (in the return URL):

"The signed in user '<user email>' is not assigned to a role for the application '<app client id>'."

The user has definitely been assigned a role in the Azure AD control panel for the app, and the app client id in the error message matches the app's client id exactly.


Application config:

Azure AD Application config screen

User assigned a role:

Azure AD Application user role assignments

Error message after logging in and returning to app:

Azure AD Authentication error message

Philip asked Oct 30 '22 07:10

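The behaviour described in the update (roles only appear once the token is requested for the app's own resource) can be checked on the PHP side before the roles are trusted. The following is an added example, not code from the question or from Azure AD; the App ID URI, client id and sample tokens are constructed placeholders. It reads the `aud` and `roles` claims only; a real token's RS256 signature must still be verified against the tenant's published signing keys first.

```python
import base64
import json

# Constructed placeholders for this example (not values from the page)
APP_ID_URI = "https://contoso.example/myapp"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token for offline demonstration.

    The header says alg "none" only because this sample carries no signature;
    a real validator must reject that algorithm and verify RS256 against JWKS.
    """
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def app_roles(token: str, accepted_audiences=(APP_ID_URI, CLIENT_ID)) -> list:
    """Return the app roles carried by the token, or [] if the audience is not
    this application or the roles claim is absent. Claim inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    # App roles are issued only when the token was requested for this app's resource
    if not any(a in accepted_audiences for a in audiences):
        return []
    roles = claims.get("roles", [])
    return roles if isinstance(roles, list) else []


# Constructed sample: token requested for the Graph resource carries no app roles
GRAPH_TOKEN = make_token({"aud": "https://graph.windows.net", "upn": "user@contoso.example"})
# Constructed sample: token requested for the App ID URI carries the assigned role
APP_TOKEN = make_token({"aud": APP_ID_URI, "upn": "user@contoso.example", "roles": ["Admin"]})
```

A token that passes signature and audience checks but returns `[]` here indicates the user has no role assignment for the app, which is the condition the error message in the update reports.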


1 Answer

@Philip, could you please try to set your application permission using PowerShell?

# 1. Download the Azure AD (MSOnline) PowerShell module and sign in with your AD user
$msolcred = Get-Credential
Connect-MsolService -Credential $msolcred

# 2. Get the service principal for the application's client ID
$ClientIdWebApp = '5b597c35-**-**-ad05-***'
$webApp = Get-MsolServicePrincipal -AppPrincipalId $ClientIdWebApp

# 3. Use Add-MsolRoleMember to add the service principal to the "Company Administrator" role
Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberType ServicePrincipal -RoleMemberObjectId $webApp.ObjectId

For more information, please refer to this page: https://msdn.microsoft.com/en-us/library/azure/dn919663.aspx and use this method to add a member to a role:

Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberEmailAddress "[email protected]"

Any updates or results, please let me know.

Will Shao - MSFT answered Nov 15 '22 06:11
