2
votes

Any idea what might be causing this? I can see the claims in User.Claims. The only thing I can think of is that the claims from Azure AD roles come back differently than what IsInRole() checks for?

CorpAdmin Role showing in claims.

User.IsInRole returns false

Startup.Auth

Just to clarify, I AM getting roles back, but I think they are not being added to the list of claims correctly and I cannot figure out why. Neither IsInRole nor [Authorize(Roles="...")] will correctly check the roles claims.

5
Joshua, are you manually creating that claim? Normally the claim type for a role is schemas.microsoft.com/ws/2008/06/identity/claims/role, not "roles". This may be why User.IsInRole can't find it. msdn.microsoft.com/en-us/library/… – Macilquham
No, this is created and returned from Azure AD. Makes me wonder if it's a bug? – Joshua Holden
Normally the JwtSecurityTokenHandler.ValidateToken(...) maps claims of type 'roles' to ".../claims/role", so IsInRole will work. How are you creating the ClaimsPrincipal from the JWT? – Brent Schmaltz
@JoshuaHolden are you using an MVC app? Are you talking about Azure application roles or Azure AD groups? – Thomas
Did you look at this answer stackoverflow.com/a/30098192/4167200? – Thomas

5 Answers

8
votes

Any one of these changes worked for me:

            TokenValidationParameters = new TokenValidationParameters()
            {
                ValidateIssuer = false,
                RoleClaimType = System.Security.Claims.ClaimTypes.Role
            },

or

            TokenValidationParameters = new TokenValidationParameters()
            {
                ValidateIssuer = false,
                RoleClaimType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
            },
2
votes

You need to specify the name of the claims type that contains the roles. Like this:

TokenValidationParameters = new TokenValidationParameters
{
    ValidateIssuer = true,
    RoleClaimType = "roles"
},
1
votes

After a lot of digging I found what the issue was for us. Some of these answers are correct, but only if you have not configured your App Service to have Azure AD enabled.

If you do this, the RoleClaimType defined in code will not be used; it will be set to the default of "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", but all your role claims will be "roles".

The solution is basically to copy the claims from "roles" to the ClaimsIdentity.RoleClaimType. The solution was found here and mentioned above.

Solution:

using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin;
using Microsoft.Owin.Extensions;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        // This setting ensures that we use the specified TokenValidationParameters.RoleClaimType below
        // (otherwise the JWT handler maps the inbound "roles" claim to ClaimTypes.Role itself)
        JwtSecurityTokenHandler.DefaultMapInboundClaims = false;

        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions
            {
                // Omitted some stuff (the other OpenIdConnect options)
                TokenValidationParameters = new TokenValidationParameters()
                {
                    ValidateIssuer = true,
                    RoleClaimType = "roles"
                }
            }
        );

        // Configure our OnAuth method to fix the roles post-auth
        app.Use((context, next) =>
        {
            OnAuth(context);
            return next.Invoke();
        });
        // Run the middleware above after authentication has populated the principal
        app.UseStageMarker(PipelineStage.PostAuthenticate);
    }

    private static void OnAuth(IOwinContext context)
    {
        if (ClaimsPrincipal.Current.Identity.IsAuthenticated)
        {
            var claimsPrincipal = ClaimsPrincipal.Current;
            var claimsIdentity = claimsPrincipal.Identity as ClaimsIdentity;
            if (claimsIdentity == null)
                return;

            var appRoles = new List<Claim>();

            // Local dev will be right: RoleClaimType = "roles" was honoured, nothing to copy
            if (claimsIdentity.RoleClaimType == "roles")
                return;

            // Find all the claims with "roles" and add a copy claim with the correct RoleClaimType
            foreach (Claim claim in claimsPrincipal.FindAll("roles"))
                appRoles.Add(new Claim(claimsIdentity.RoleClaimType, claim.Value));

            if (appRoles.Count > 0)
                claimsIdentity.AddClaims(appRoles);
        }
    }
}
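As an added example (not code from the question or from any of the answers), the console program below builds a ClaimsPrincipal from constructed claims shaped like the Azure AD "roles" claim and shows why IsInRole() fails under the default RoleClaimType and succeeds after either fix discussed above: constructing the identity with "roles" as its role claim type (what TokenValidationParameters.RoleClaimType = "roles" achieves), or copying the "roles" claims into the identity's own RoleClaimType. It assumes only System.Security.Claims from the .NET base class library; the claim values are invented sample data.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Added demonstration, not code from the original page.
public static class RoleClaimDemo
{
    // Constructed sample claims in the shape an Azure AD id_token produces
    // when app roles are assigned ("roles" claim type, one claim per role).
    static List<Claim> SampleClaims() => new List<Claim>
    {
        new Claim("name", "Jane Doe"),
        new Claim("roles", "CorpAdmin"),
        new Claim("roles", "Reader"),
    };

    // Default: RoleClaimType is ClaimTypes.Role, so IsInRole never looks at "roles".
    public static bool DefaultMapping()
    {
        var id = new ClaimsIdentity(SampleClaims(), "Test");
        return new ClaimsPrincipal(id).IsInRole("CorpAdmin");
    }

    // Fix 1: tell the identity which claim type carries roles (the effect of
    // TokenValidationParameters.RoleClaimType = "roles" during token validation).
    public static bool WithRoleClaimType()
    {
        var id = new ClaimsIdentity(SampleClaims(), "Test", "name", "roles");
        return new ClaimsPrincipal(id).IsInRole("CorpAdmin");
    }

    // Fix 2: copy each "roles" claim into the identity's RoleClaimType, the
    // PostAuthenticate approach used when the host overrides the parameters.
    public static bool WithCopiedClaims()
    {
        var id = new ClaimsIdentity(SampleClaims(), "Test");
        var copies = id.FindAll("roles")
            .Select(c => new Claim(id.RoleClaimType, c.Value))
            .ToList();
        id.AddClaims(copies);
        return new ClaimsPrincipal(id).IsInRole("CorpAdmin");
    }

    public static void Main()
    {
        Console.WriteLine($"default RoleClaimType: {DefaultMapping()}");
        Console.WriteLine($"RoleClaimType = \"roles\": {WithRoleClaimType()}");
        Console.WriteLine($"copied claims: {WithCopiedClaims()}");
    }
}
```

The first check fails while the other two succeed, which is exactly the difference between the original symptom (CorpAdmin visible in User.Claims, IsInRole false) and the fixed pipeline.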
0
votes

If you are having the same issue as I was: I created a custom AuthorizeAttribute class and forgot to override the AuthorizeCore function. Adding the code below resolved the issue for me.

    //Core authentication, called before each action
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        return base.AuthorizeCore(httpContext);
    }
-1
votes
Add ValidateIssuer = false:

TokenValidationParameters = new TokenValidationParameters
{
    ValidateIssuer = false,
    NameClaimType = "name",
    RoleClaimType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
}