1
votes

I have an application hosted on Azure, with Angular 4 on the front end and .NET Core 2.0 on the back end. What I want to achieve is to add roles to my users who are added to my Azure Active Directory. Authentication is implemented and works well. I use ADAL and I send my bearer token with every request.

  1. These are my app roles defined in the manifest on the Azure portal:

    "appRoles": [
      {
        "allowedMemberTypes": [
          "User"
        ],
        "displayName": "Reviewer",
        "id": "0238c2bb-9857-4d07-b760-a47ec621d57a",
        "isEnabled": true,
        "description": "Reviewer only have the ability to view tasks and their statuses.",
        "value": "Reviewer"
      },
      {
        "allowedMemberTypes": [
          "User"
        ],
        "displayName": "Approver",
        "id": "000018cb-19e3-4f89-bf99-5d7acf30773b",
        "isEnabled": true,
        "description": "Approvers have the ability to change the status of tasks.",
        "value": "Approver"
      }
    ]

  2. Approver role is assigned to the desired user.

  3. I send a request to the back end (.NET Core 2.0 Web API), where I have the [Authorize] attribute, and I check the user claims with User.Claims.ToList(); then I receive that the user is an approver:

[15]{http://schemas.microsoft.com/ws/2008/06/identity/claims/role: Approver}

And that's great!

  4. Now I add a policy in startup.cs:

    services.AddAuthorization(options =>
    {
        options.AddPolicy("ElevatedRights", policy =>
          policy.RequireRole("Approver"));
    });
    
  5. Then this is the step where the problem happens. I add the following code in the controller (see step 3). I change the [Authorize] attribute to [Authorize(Policy = "ElevatedRights")], but then I get rejected. I even tried [Authorize(Roles = "Approver")].

What do I miss or do wrong?

P.S. Feel free to suggest better title for the question.

1
I'm not sure if it's necessary in this case, but have you specified the RoleClaimType on your AddJwtBearer call? Something like: AddJwtBearer(o => o.TokenValidationParameters = new TokenValidationParameters { RoleClaimType = ClaimTypes.Role }). Instead of ClaimTypes.Role, you can also try "roles". – juunas
Hmm, thanks for your answer @juunas. I'll try right now and see if something changes. – Saso
It's the same as before... – Saso
The test looks like this in the source code: github.com/aspnet/Security/blob/dev/src/…. So the problem should be related to it not realizing what the user's roles are. You might be able to instead use RequireClaim(ClaimTypes.Role, "Approver"). – juunas
That's it! Thank you. You can write an answer if you want right away :) P.S. I'll try without the code from your first comment now and let you know if it should be there. – Saso

1 Answer

1
votes

Seems like it does not know which claim to map the roles to.

You might be able to instead use RequireClaim(ClaimTypes.Role, "Approver").

Another possible way (which should work) is to specify the RoleClaimType on your AddJwtBearer call. Something like:

AddJwtBearer(o => o.TokenValidationParameters = new TokenValidationParameters { RoleClaimType = ClaimTypes.Role });

Instead of ClaimTypes.Role, you can also try "roles".
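The following is an added example that puts the question's setup and the answer's two suggestions together in one ASP.NET Core 2.0 Startup plus a controller; it is not code from the question, the answer, or Microsoft. The tenant ID, client ID, policy names and TasksController are assumed placeholders. The point it shows is that RequireRole and [Authorize(Roles = ...)] go through ClaimsIdentity.IsInRole, which only looks at the claim type named by TokenValidationParameters.RoleClaimType, while RequireClaim(ClaimTypes.Role, ...) matches the claim type directly and does not depend on that setting.

```csharp
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    // Assumed placeholder values: replace with your Azure AD tenant ID and the
    // Application (client) ID of the app registration whose manifest holds the appRoles.
    private const string TenantId = "00000000-0000-0000-0000-000000000000";
    private const string ClientId = "11111111-1111-1111-1111-111111111111";

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // The handler downloads the tenant's signing keys from this authority.
                options.Authority = $"https://login.microsoftonline.com/{TenantId}";
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    // Reject tokens issued for a different app or a different tenant.
                    ValidAudience = ClientId,
                    ValidIssuer = $"https://sts.windows.net/{TenantId}/",
                    // Claim type that feeds ClaimsIdentity.IsInRole(), and therefore
                    // RequireRole() and [Authorize(Roles = ...)]. The JWT handler's default
                    // inbound claim map renames the token's "roles" claim to ClaimTypes.Role,
                    // which is why the question sees the ".../ws/2008/06/identity/claims/role"
                    // claim. If your code clears JwtSecurityTokenHandler.DefaultInboundClaimTypeMap,
                    // the claim keeps its short name and this must be "roles" instead.
                    RoleClaimType = ClaimTypes.Role,
                    NameClaimType = "name",
                };
            });

        services.AddAuthorization(options =>
        {
            // Role-based policy: only works when RoleClaimType matches the mapped claim type.
            options.AddPolicy("ElevatedRights", policy => policy.RequireRole("Approver"));

            // Claim-based policy from the answer: checks the claim type directly and is
            // independent of RoleClaimType, so it keeps working even if the mapping is off.
            options.AddPolicy("ElevatedRightsByClaim",
                policy => policy.RequireClaim(ClaimTypes.Role, "Approver"));

            // Either app role may read; the manifest "value" strings are what appear in the claim.
            options.AddPolicy("CanView", policy => policy.RequireRole("Reviewer", "Approver"));
        });

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        // UseAuthentication must run before MVC so [Authorize] sees a populated User.
        app.UseAuthentication();
        app.UseMvc();
    }
}

// Assumed controller mirroring the two roles in the question's manifest.
[Route("api/[controller]")]
public class TasksController : Controller
{
    [HttpGet]
    [Authorize(Policy = "CanView")]
    public IActionResult List() => Ok(new[] { "task-1", "task-2" });

    [HttpPost("{id}/status")]
    [Authorize(Policy = "ElevatedRightsByClaim")]
    public IActionResult SetStatus(string id, [FromBody] string status)
    {
        // Echo the role claims actually present so a rejected caller can be diagnosed.
        var roles = User.FindAll(ClaimTypes.Role).Select(c => c.Value).ToArray();
        return Ok(new { id, status, roles });
    }
}
```

Two checks worth doing before trusting either policy: confirm in the decoded token (for example with jwt.ms) that the "roles" array contains the manifest "value", not the displayName or the role id, and confirm that ValidAudience matches the token's "aud" claim, since an audience mismatch fails authentication before any policy is evaluated and looks like an authorization failure from the client's side.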