I'm having an issue using Azure AAD appRoles and MVC. I have modified the manifest, added a few roles and assigned them to a couple of users.

However, when I try using either User.IsInRole or ClaimsPrincipal.Current.IsInRole, it always returns false.

[Screenshot: decoded token claims; image not reproduced here]

The role is being returned in the JSON of claims in the screenshot above ({roles: SuperAdmin}).

I have done a lot of reading up and, as far as I can see, I am doing everything correctly, but I can't find a reason why.

Below is my Startup.Auth.cs

using System.Configuration;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    private static string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
    private static string appKey = ConfigurationManager.AppSettings["ida:ClientSecret"];
    private static string aadInstance = ConfigurationManager.AppSettings["ida:AADInstance"];
    private static string tenantId = ConfigurationManager.AppSettings["ida:TenantId"];
    private static string postLogoutRedirectUri = ConfigurationManager.AppSettings["ida:PostLogoutRedirectUri"];

    public static readonly string Authority = aadInstance + tenantId;

    // This is the resource ID of the AAD Graph API.  We'll need this to request a token to call the Graph API.
    //string graphResourceId = "https://graph.windows.net";

    public void ConfigureAuth(IAppBuilder app)
    {
        ApplicationDbContext db = new ApplicationDbContext();

        // Sign the user in with the cookie handler once OpenID Connect has validated the ID token.
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions
            {
                ClientId = clientId,
                Authority = Authority,
                PostLogoutRedirectUri = postLogoutRedirectUri,
                TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters
                {
                    // AAD app roles arrive in the "roles" claim; tell the identity to use it for IsInRole.
                    RoleClaimType = "roles"
                },
                Notifications = new OpenIdConnectAuthenticationNotifications()
                {
                    // If there is a code in the OpenID Connect response, redeem it for an access token and refresh token, and store those away.
                    AuthorizationCodeReceived = (context) =>
                    {
                        var code = context.Code;
                        ClientCredential credential = new ClientCredential(clientId, appKey);
                        string signedInUserID = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.NameIdentifier).Value;
                        // ADALTokenCache is the application's own per-user token cache class.
                        AuthenticationContext authContext = new AuthenticationContext(Authority, new ADALTokenCache(signedInUserID));

                        return Task.FromResult(0);
                    }
                }
            });
    }
}
I can't reproduce your problem. You could try the code sample to check whether it works, or provide more details to help reproduce it. - Nan Yu
I can reproduce it using the sample code: if you turn on "App Service Authentication", roles do not work. - RingoCrazy

1 Answer

Since you are using the OpenID Connect OWIN middleware to sign in users from Azure AD, you don't need to enable the App Service Authentication / Authorization feature; that feature provides a way for your application to sign in users so that you don't have to change code on the app backend. Just turn off the App Service Authentication / Authorization feature.
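An added example, not code from the question or the answer, showing why IsInRole depends on the RoleClaimType the middleware sets on the identity: the "roles" claim and the "SuperAdmin" value are a constructed sample matching the question, and the principal is built locally rather than by OWIN, so it only illustrates the mapping (it does not model what App Service Authentication does to the request).

```csharp
using System;
using System.Security.Claims;

class RoleClaimDemo
{
    // Builds an identity the way a validated AAD ID token would be turned into one,
    // with the app role carried in the "roles" claim (constructed sample, not a real token).
    static ClaimsIdentity BuildIdentity(string roleClaimType)
    {
        var claims = new[]
        {
            new Claim("name", "sample.user@example.test"),
            new Claim("roles", "SuperAdmin"),
        };
        // The nameType and roleType parameters decide which claim types back
        // identity.Name and principal.IsInRole(...).
        return new ClaimsIdentity(claims, "Cookies", "name", roleClaimType);
    }

    // Returns whether IsInRole finds the role for a given RoleClaimType; used for the two cases below.
    static bool HasRole(string roleClaimType, string role)
    {
        return new ClaimsPrincipal(BuildIdentity(roleClaimType)).IsInRole(role);
    }

    static void Main()
    {
        // Without TokenValidationParameters.RoleClaimType the identity uses
        // ClaimsIdentity.DefaultRoleClaimType (the WS-* "claims/role" URI), which AAD app roles
        // never use, so IsInRole looks at the wrong claim type even though "roles" is present.
        Console.WriteLine("default role claim type: " + HasRole(ClaimsIdentity.DefaultRoleClaimType, "SuperAdmin"));
        Console.WriteLine("RoleClaimType = \"roles\":  " + HasRole("roles", "SuperAdmin"));

        // Diagnostic for the real app: dump the claim types and the identity's RoleClaimType
        // to see which side of the mapping does not match when IsInRole returns false.
        var identity = BuildIdentity("roles");
        foreach (var c in identity.Claims)
            Console.WriteLine(c.Type + " = " + c.Value);
        Console.WriteLine("RoleClaimType = " + identity.RoleClaimType);
    }
}
```

If the dump shows the "roles" claim present but IsInRole still false, the principal was not built by this middleware, which is the App Service Authentication case the answer describes.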