3 votes

I'm using the Azure AD Basic tier with an ASP.NET Core API, I've followed the RBAC sample. I've set up an application with roles in my manifest like so:

"appRoles": [
    {
      "allowedMemberTypes": [ "User" ],
      "displayName": "Read Device",
      "id": "b2e6f6c2-c3d5-4721-ad49-0eea255ccf45",
      "isEnabled": true,
      "description": "Can read a device.",
      "value": "read_device"
    },
    ...
]

I've set up my API to use the UseJwtBearerAuthentication middleware like so:

application.UseJwtBearerAuthentication(
    new JwtBearerOptions()
    {
        AuthenticationScheme = "Azure Active Directory",
        Authority = options.Authority,
        Audience = options.ClientId,
        TokenValidationParameters = new TokenValidationParameters()
        {
            // Map the "roles" claim in the token to ClaimsPrincipal roles
            RoleClaimType = "roles",
            ValidateIssuer = false
        }
    });

I've given my user the above 'Read Device' role:

[screenshot of the role assignment omitted]

I'm using Swagger UI to make the call to get the auth token. It calls the following URL:

https://login.microsoftonline.com/[Tenant].onmicrosoft.com/oauth2/authorize?
    response_type=token
    &redirect_uri=http%3A%2F%2Flocalhost%3A5100%2Fswagger%2Fo2c.html
    &realm=-
    &client_id=[Client ID]
    &scope=http%3A%2F%2Fschemas.microsoft.com%2Fws%2F2008%2F06%2Fidentity%2Fclaims%2Frole
    &state=oauth2
    &resource=[Client ID]

I suspected that I am not passing the correct values to the scope parameter, so I have tried asking for every scope I can think of:

&scope=openid
    %20email
    %20profile
    %20offline_access
    %20user_impersonation
    %20roles
    %20http%3A%2F%2Fschemas.microsoft.com%2Fws%2F2008%2F06%2Fidentity%2Fclaims%2Frole
    %20read_device

If I set "groupMembershipClaims": "All" in my manifest I can see group claims, but I want roles instead. I'm able to log in and call my API, however I never get any roles back in my JWT token, so I'm unable to check the user's role. What am I doing wrong?

You've assigned the user to the app with that role? - juunas
How are you getting the access token? Could you show that? If it is a delegated call with authorization code grant flow or similar then it should work. - juunas
@juunas Updated question with the code snippet. - Muhammad Rehan Saeed
Nothing obviously wrong on that side, but how are you actually generating an access token on the calling side? - juunas
@juunas I've updated the URL I call to get the auth token. I suspect I'm not passing the correct values to the scope parameter. What should go there? - Muhammad Rehan Saeed

3 Answers

3 votes

It turns out I needed to request an id_token instead of a token. An id_token contains extra claims/scopes/resources about the user. I also needed to provide a nonce parameter containing a new random GUID on every request. Thus, I ended up with the following URL:

https://login.microsoftonline.com/[Tenant].onmicrosoft.com/oauth2/authorize?
    response_type=id_token
    &client_id=[Client ID]
    &redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F
    &nonce=9ac5ad8d-df44-48e6-9bd6-e72743b3625c
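As an added example (not part of the question or this answer, and not Microsoft's code), here is what the JwtBearer middleware checks on the returned token and the role check the API then performs, written in Python with only the standard library so it runs offline. It uses HS256 with a constructed secret in place of Azure AD's RS256 keys, placeholder client id and issuer values and constructed nonces; the claim shape ("roles": [...], "aud" = client id) is the one Azure AD emits for app roles. The expected_issuer=None default mirrors the question's ValidateIssuer = false.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-ins: Azure AD signs tokens with RS256 keys published at its
# discovery endpoint; HS256 with a fixed secret is used here only so the
# example runs offline with the standard library.
SIGNING_SECRET = b"constructed-example-secret"
CLIENT_ID = "11111111-2222-3333-4444-555555555555"  # placeholder app/client id
ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"  # placeholder tenant issuer


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict) -> str:
    """Mint a compact JWT the way the authorize endpoint would (constructed)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header).encode()) + "."
                     + b64url_encode(json.dumps(claims).encode()))
    signature = hmac.new(SIGNING_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def validate_token(token: str, expected_nonce: str, expected_issuer: str = None,
                   now: float = None) -> dict:
    """Signature, audience, expiry, nonce and (optionally) issuer checks.

    expected_issuer=None mirrors ValidateIssuer = false from the question: the
    issuer claim is then not checked, so a token from any tenant is accepted.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    expected_sig = hmac.new(SIGNING_SECRET, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("aud") != CLIENT_ID:            # Audience = options.ClientId
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:     # binds the id_token to this login
        raise ValueError("nonce mismatch")
    if expected_issuer is not None and claims.get("iss") != expected_issuer:
        raise ValueError("wrong issuer")
    return claims


def authorize(token: str, expected_nonce: str, required_role: str,
              expected_issuer: str = None, now: float = None):
    """Equivalent of [Authorize(Roles = required_role)] with RoleClaimType = "roles"."""
    try:
        claims = validate_token(token, expected_nonce, expected_issuer, now)
    except ValueError as err:
        return (False, f"token rejected: {err}")
    roles = claims.get("roles", [])
    if isinstance(roles, str):   # a single role may be serialised as a bare string
        roles = [roles]
    if required_role in roles:
        return (True, "allowed")
    if not roles:
        return (False, "no roles claim")  # the symptom in the question
    return (False, f"missing role {required_role}")


if __name__ == "__main__":
    now = int(time.time())
    token = make_token({"aud": CLIENT_ID, "iss": ISSUER, "exp": now + 600,
                        "nonce": "constructed-nonce", "roles": ["read_device"]})
    print(authorize(token, "constructed-nonce", "read_device", expected_issuer=ISSUER))
```

The nonce is generated per login, stored server-side (or in a cookie) and compared here, which is why the answer needs a fresh GUID on every request. Leaving ValidateIssuer = false is only reasonable for a multi-tenant API that checks the tenant some other way; a single-tenant API should pass its tenant issuer.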
2 votes

If you want to enable the role to be assigned to users or groups (allowedMemberTypes=User):

  1. If you want to perform authorization using role claims, you could follow the steps in this code sample; you can find the roles claim in the id_token.

  2. If you want to make a client app call your web API, and have the app check the access rules based on the role claim when the user signs in, you could use a delegated flow (OAuth Authorization Code Grant, Implicit Grant Flow, ...); the roles claim is in the access_token.

If you want to specify that the role can be assigned to client applications (allowedMemberTypes=Application), you could use the OAuth Client Credentials Flow with appRoles of the resource app/API that are assigned to the client app, and you will find the roles claim in the access_token; check the detailed steps here.

Please click here for more details.

0 votes

In my case I had mistakenly configured the App Registration to emit Security Groups as roles claims, thus overwriting the App Roles from the manifest. Removing the optional groups claim and logging back in correctly emitted the App Roles names in the roles claim of the id_token.
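A small diagnostic for the misconfiguration this answer describes, added here as an example (not from the answer and not Microsoft's code): it compares a decoded token's roles claim with the appRoles in the application manifest. It assumes the manifest fragment from the question and that group membership emitted into the roles claim arrives as group object ids (Azure AD's default format for the groups claim); the claim dictionaries it is run on are constructed.

```python
import json
import re

# Constructed manifest fragment with the same appRoles entry as the question.
MANIFEST = json.loads("""
{
  "appRoles": [
    {
      "allowedMemberTypes": ["User"],
      "displayName": "Read Device",
      "id": "b2e6f6c2-c3d5-4721-ad49-0eea255ccf45",
      "isEnabled": true,
      "description": "Can read a device.",
      "value": "read_device"
    }
  ]
}
""")

# Group membership emitted into the roles claim arrives as group object ids
# (the default format), which look like this rather than like a role value.
GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)


def enabled_role_values(manifest: dict) -> set:
    """Role names a token may legitimately carry: the 'value' of each enabled appRole."""
    return {r["value"] for r in manifest.get("appRoles", [])
            if r.get("isEnabled") and r.get("value")}


def diagnose_roles_claim(claims: dict, manifest: dict) -> dict:
    """Classify a decoded token's 'roles' claim against the manifest's app roles.

    status is one of:
      absent             - no roles claim at all (the question's symptom)
      ok                 - every value is an enabled app role
      group_ids_in_roles - unknown values are all GUIDs: groups are being emitted
                           as the roles claim and have replaced the app roles
      unknown_values     - values that are neither app roles nor GUIDs
    """
    roles = claims.get("roles")
    if roles is None:
        return {"status": "absent", "matched": [], "unexpected": []}
    if isinstance(roles, str):
        roles = [roles]
    known = enabled_role_values(manifest)
    matched = [r for r in roles if r in known]
    unexpected = [r for r in roles if r not in known]
    if unexpected and all(GUID_RE.match(r) for r in unexpected):
        status = "group_ids_in_roles"
    elif unexpected:
        status = "unknown_values"
    else:
        status = "ok"
    return {"status": status, "matched": matched, "unexpected": unexpected}


if __name__ == "__main__":
    # Constructed claim sets: a healthy token and one where groups overwrote the roles.
    print(diagnose_roles_claim({"roles": ["read_device"]}, MANIFEST))
    print(diagnose_roles_claim({"roles": ["3f2c6b1e-8a4d-4c9f-9e1b-2d7a5c8e0f11"]}, MANIFEST))
```

Running this against a decoded id_token is a quick way to tell the three failure modes apart: no roles claim at all (the user is not assigned, or an access token rather than an id_token was requested), GUIDs in place of role values (the groups optional claim is configured to be emitted as roles), or a role value that no longer matches the manifest.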