4
votes

I created an Azure Active Directory Application and i want to use role based security. I followed the tutorial on: https://azure.microsoft.com/en-us/resources/samples/active-directory-dotnet-webapp-openidconnect-aspnetcore/

The login works, I added roles to the application manifest and assigned the role Approver to my own account. Now i want to use these roles.

After login the following works in the controller:

[Authorize]

But when adding the role the user is not authorized:

[Authorize(Roles="Approver")]

Also the following returns false:

User.IsInRole("Approver");

It seems the roles are not retrieved. Any suggestions on how to add the role functionality to this demo project?

3
the given link is not available any more (comment by Martin Meeser)

3 Answers

4
votes

This code sample works for me after assigning roles to the account. Please debug the application at this line: User.IsInRole("Approver"); and check whether {http://schemas.microsoft.com/ws/2008/06/identity/claims/role: Approver} exists in the user's claims. And make sure you add roles whose allowedMemberTypes is User, for example:

{
  "allowedMemberTypes": [
    "User"
  ],
  "displayName": "Approver",
  "id": "fc803414-3c61-4ebc-a5e5-cd1675c14bbb",
  "isEnabled": true,
  "description": "Approvers have the ability to change the status of tasks.",
  "value": "Approver"
},

And you have to assign the user the role in Enterprise applications --> All applications --> find your app --> Users and groups --> add/edit a user and assign roles.

6
votes

While using Azure AD for groups, group membership information does not magically appear in an application. You will either need to use the Graph API to get the groups for a user after authenticating, or configure Azure AD to send back claims representing a user's group membership.

Configure Azure AD to send Group Claims:

Change the application manifest by going under Azure Portal => Azure Active Directory => App Registrations => All Apps => Select Your App => click Manifest from the top action bar.

Change groupMembershipClaims to SecurityGroup.

Once you have that, you should be receiving group claims from Azure AD. We can quickly see that by iterating over the User's Claims property.

The value of the claim will be object IDs, so you'll need to know the object ID of the group or groups.

With the ID in hand, you can now define an ASP.NET Core authorization policy like the one below:

services.AddAuthorization(options => {
    options.AddPolicy("Approver",
        policyBuilder => policyBuilder.RequireClaim("groups",
            "c63b2f53-eff9-4d68-8b47-07f151270c74"));
});

You are all set to check against this policy, like below:

[Authorize("Approver")]
OR
[Authorize(Policy = "Approver")]
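
The debugging step in the first answer (inspect the claims and confirm the role claim type is actually present) and the group policy in the second answer both come down to how ClaimsPrincipal matches claim types. The following stand-alone console program is an added illustration, not code from either answer or from the Microsoft sample; the claim values and group object ID are constructed placeholders, and the role claim type passed to BuildPrincipal plays the part that TokenValidationParameters.RoleClaimType plays in the OpenID Connect handler.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

public static class RoleClaimDiagnostics
{
    // Claim type ClaimsIdentity uses for IsInRole unless told otherwise (ClaimTypes.Role).
    const string SchemaRoleType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role";

    // Build a principal from token claims using a chosen role claim type; this mirrors
    // what the OIDC handler does based on TokenValidationParameters.RoleClaimType.
    public static ClaimsPrincipal BuildPrincipal(IEnumerable<Claim> claims, string roleClaimType) =>
        new ClaimsPrincipal(new ClaimsIdentity(claims, "OpenIdConnect", "name", roleClaimType));

    // Same check that policyBuilder.RequireClaim("groups", id) performs in the second answer.
    public static bool InGroup(ClaimsPrincipal user, string groupObjectId) =>
        user.HasClaim("groups", groupObjectId);

    // One line per claim: the view you want when User.IsInRole unexpectedly returns false.
    public static IEnumerable<string> DumpClaims(ClaimsPrincipal user) =>
        user.Claims.Select(c => $"{c.Type} = {c.Value}");

    public static void Main()
    {
        // Constructed claims standing in for what the id_token delivered (placeholder values).
        var rawClaims = new[]
        {
            new Claim("name", "alice@contoso.example"),
            new Claim("roles", "Approver"),                               // app role from the manifest
            new Claim("groups", "00000000-0000-0000-0000-000000000001")   // placeholder group object ID
        };

        // Case 1: the role arrived in a "roles" claim, but the identity looks for the schema URI.
        // IsInRole("Approver") is false here even though the role is in the claims.
        var mismatched = BuildPrincipal(rawClaims, SchemaRoleType);
        Console.WriteLine($"mismatched IsInRole: {mismatched.IsInRole("Approver")}");

        // Case 2: the role claim type matches the claim that is actually present.
        var aligned = BuildPrincipal(rawClaims, "roles");
        Console.WriteLine($"aligned IsInRole: {aligned.IsInRole("Approver")}");

        // Group membership check does not depend on the role claim type at all.
        Console.WriteLine($"in group: {InGroup(aligned, "00000000-0000-0000-0000-000000000001")}");

        foreach (var line in DumpClaims(aligned)) Console.WriteLine(line);
    }
}
```

Comparing the dumped claim types against the role claim type the identity was built with tells you which of the two cases you are in.
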

1
votes

Please take a look at the following repo: https://github.com/Azure-Samples/active-directory-dotnet-webapp-roleclaims

You need to register your application in the Azure portal and then go to the manifest settings to add the roles and GUIDs for each role.