0
votes

I am using Azure AD role-based authentication. I have added 2 roles (Observer, Reader) which are assigned to specific users, and that works fine. The manifest file has these 2 new entries in it. All the authentication is working normally, but I cannot get User.IsInRole() to return true; it always returns false.

I have added the following code to the Startup.cs

app.UseOpenIdConnectAuthentication(
    new OpenIdConnectAuthenticationOptions
    {
        ClientId = SettingsHelper.ClientId,
        Authority = String.Format(CultureInfo.InvariantCulture, SettingsHelper.AADInstance, SettingsHelper.TenantId),
        PostLogoutRedirectUri = SettingsHelper.PostLogoutRedirectUri,

        TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters
        {
            // map the claimsPrincipal's roles to the roles claim
            RoleClaimType = "roles",
        },
    });

When I query User.IsInRole("Observer") it returns false. I can see the claim in my debug session of User:

{http://schemas.microsoft.com/ws/2008/06/identity/claims/role: Observer}

But I am not able to access it. Is this a common problem? Am I doing something wrong?

Here is my USER session var

Thanks

3
Would this work: RoleClaimType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"? – juunas
Hi, that is just setting the variable RoleClaimType? – user142617
Yeah, since your claim type is not "roles". – juunas
Hi juunas, I don't understand what you mean? – user142617
Change RoleClaimType to http://schemas.microsoft.com/ws/2008/06/identity/claims/role, not "roles". – juunas

3 Answers

3
votes

{http://schemas.microsoft.com/ws/2008/06/identity/claims/role: Observer}

How did you add the custom role? Here are the steps which work for me to add the custom roles for your reference:

  1. register the apps on Azure AD
  2. modify its manifest to add the custom role like below:

"appRoles": [
    {
      "allowedMemberTypes": [
        "User"
      ],
      "displayName": "Orders",
      "id": "51e10148-16a8-432a-b86d-ef620c3e48ed",
      "isEnabled": true,
      "description": "Oders can rise a order request",
      "value": "Orders"
    },
    {
      "allowedMemberTypes": [
        "User"
      ],
      "displayName": "Admin",
      "id": "51e10148-16a8-432a-b86d-ef620c3e48ec",
      "isEnabled": true,
      "description": "Admins can manage roles and perform all task actions.",
      "value": "Admin"
    }
  ],
  3. assign the role to users through the portal
  4. use the code as in your original post to integrate the web app with Azure

app.UseOpenIdConnectAuthentication(
    new OpenIdConnectAuthenticationOptions
    {
        ClientId = clientId,
        Authority = authority,
        PostLogoutRedirectUri = postLogoutRedirectUri,
        RedirectUri = postLogoutRedirectUri,
        TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters
        {
            // map the claimsPrincipal's roles to the roles claim
            RoleClaimType = "roles",
        },
    });

Then we can get the roles as shown in the figure below:


2
votes

I had exactly the same problem and the answer for me was to do what @juunas is saying in his comment on your original question here: Azure AAD Role Based Authentication, User.IsInRole()

So literally change that line in your Startup.Auth.cs, so it now becomes:

TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters
{
    // map the claimsPrincipal's roles to the roles claim
    RoleClaimType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
},

@juunas - thank you very much for your help.

1
votes

By default, the claims mapping will map claim names in the old format to accommodate older SAML applications. The default mapping is 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role' instead of 'roles'. So you can use this:

using System.IdentityModel.Tokens.Jwt;
using Microsoft.Extensions.DependencyInjection;

public void ConfigureServices(IServiceCollection services)
{
    // This is required to be instantiated before the OpenIdConnectOptions starts getting configured.
    // With inbound mapping off, the token's "roles" claim keeps its short name,
    // so RoleClaimType = "roles" then matches.
    JwtSecurityTokenHandler.DefaultMapInboundClaims = false;
    ...
}
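As an added illustration (not part of the question or of any answer above), the following console program reproduces, with nothing but System.Security.Claims, why the second answer's RoleClaimType change and the third answer's DefaultMapInboundClaims = false setting both make User.IsInRole() work. The user name and the "Observer" role value are constructed sample data, and the middleware's inbound mapping is simulated by choosing which claim type is placed on the principal rather than by parsing a real token.

```csharp
using System;
using System.Security.Claims;

// Added example, not code from the question or its answers. It models the
// two situations the answers describe:
//   (a) default inbound mapping renamed the token's "roles" claim to the long
//       schema URI, so IsInRole() only works if RoleClaimType is that URI;
//   (b) inbound mapping is disabled, the claim keeps the short name "roles",
//       and RoleClaimType = "roles" is then correct.
public static class RoleClaimDemo
{
    // Claim type present on the principal after default inbound mapping; this is
    // the value shown in the question's debugger output (equal to ClaimTypes.Role).
    public const string MappedRoleClaimType =
        "http://schemas.microsoft.com/ws/2008/06/identity/claims/role";

    // Claim name as it appears in the Azure AD token before any mapping.
    public const string RawRoleClaimType = "roles";

    // Builds a principal the way the OIDC middleware would: the role claim is
    // present under 'claimTypeOnPrincipal', and the identity is told through
    // 'roleClaimType' which claim type IsInRole() should consult.
    public static ClaimsPrincipal BuildPrincipal(string claimTypeOnPrincipal, string roleClaimType)
    {
        var claims = new[]
        {
            new Claim(ClaimTypes.Name, "alice@contoso.example"), // constructed sample user
            new Claim(claimTypeOnPrincipal, "Observer"),          // constructed sample app role
        };

        // ClaimsPrincipal.IsInRole(role) is true only if some identity holds a
        // claim whose Type == identity.RoleClaimType and whose Value == role.
        var identity = new ClaimsIdentity(claims, "OpenIdConnect",
            nameType: ClaimTypes.Name, roleType: roleClaimType);
        return new ClaimsPrincipal(identity);
    }

    public static bool IsObserver(string claimTypeOnPrincipal, string roleClaimType) =>
        BuildPrincipal(claimTypeOnPrincipal, roleClaimType).IsInRole("Observer");

    public static void Main()
    {
        // Question's setup: mapping on, RoleClaimType = "roles" -> no claim of that type exists.
        Console.WriteLine("mapping on,  RoleClaimType=\"roles\"     : "
            + IsObserver(MappedRoleClaimType, RawRoleClaimType));

        // Second answer's fix: RoleClaimType set to the mapped schema URI.
        Console.WriteLine("mapping on,  RoleClaimType=<schema URI> : "
            + IsObserver(MappedRoleClaimType, MappedRoleClaimType));

        // Third answer's route: DefaultMapInboundClaims = false keeps "roles" unchanged.
        Console.WriteLine("mapping off, RoleClaimType=\"roles\"     : "
            + IsObserver(RawRoleClaimType, RawRoleClaimType));
    }
}
```

Run it as a plain console project (dotnet run). The first case is the question's configuration and prints False, because the identity is told to look for claims of type "roles" while the only role claim on the principal carries the schema URI; the other two cases print True because the claim type on the principal and the identity's RoleClaimType agree. Whichever route you take, the security-relevant check is the same: confirm that the claim type you authorize on is the one actually present after the token handler has finished mapping, otherwise role-based authorization silently denies everyone.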