My system consists of Angular front end and .Net Core API back end. Both are registered as separate Active Directory apps within the Azure Portal.

Consequently, both apps are secured by Azure AD. The API is exposed and consumed by authenticated users on the Angular front end.

The problem is - I want users to have different kinds of user roles (User/Moderator/Administrator). These roles would make certain API end points accessible or inaccessible based on user role. User roles would also shape the UI on Angular.

From my research it appears that I can utilize something called Application Roles on Azure AD, however I am lost as to how I would implement them.

I have the following questions -

  1. On which registered Azure AD app (API or Angular) should the Application Roles be defined?
  2. How would I access these roles - are they contained within the bearer token or do I need to make Microsoft Graph API calls to retrieve them?
1 Answer

On which registered Azure AD app (API or Angular) should the Application Roles be defined?

I'd say register them on the API app. You can't enforce those roles on the front-end anyway, so you need to implement authorization checks for them in the back-end at least.

How would I access these roles - are they contained within the bearer token or do I need to make Microsoft Graph API calls to retrieve them?

They will be in the access token if you define them in the API app and assign them to users. There is some limit to the number that will be in the token if acquired through the implicit flow, but if you have about 3, like you mentioned, you should be fine.
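As an added example (not the answerer's code, and not from any particular project), here is what enforcing those App Roles in the .NET Core API looks like once they are defined on the API's app registration and assigned to users. It assumes the Microsoft.Identity.Web package, an `AzureAd` section in appsettings.json holding the API's tenant and client IDs, and that the `value` of each App Role in the manifest is exactly `User`, `Moderator` or `Administrator`; the endpoint paths are placeholders.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;

// Assumed appsettings.json (values are placeholders, not real identifiers):
// "AzureAd": {
//   "Instance": "https://login.microsoftonline.com/",
//   "TenantId": "<your-tenant-id>",
//   "ClientId": "<client-id-of-the-API-app-registration>"
// }

var builder = WebApplication.CreateBuilder(args);

// Validate the bearer token Azure AD issued for the API app registration:
// signature, issuer, audience and lifetime are all checked here, so a role
// claim can only be trusted because the token as a whole has been verified.
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));

// Policies built from the "roles" claim that Azure AD places in the access
// token when App Roles are assigned to the user. Microsoft.Identity.Web reads
// that claim for role checks; if you wire up JwtBearer yourself instead, set
// TokenValidationParameters.RoleClaimType = "roles" so RequireRole sees it.
builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("ModeratorOrAdmin", p => p.RequireRole("Moderator", "Administrator"));
    options.AddPolicy("AdminOnly", p => p.RequireRole("Administrator"));
});

var app = builder.Build();

// Order matters: the principal must be built before policies are evaluated.
app.UseAuthentication();
app.UseAuthorization();

// Any signed-in user: the token only has to be valid, no specific role needed.
app.MapGet("/api/posts", () => Results.Ok(new[] { "post-1", "post-2" }))
   .RequireAuthorization();

// Moderators and administrators only; a plain "User" gets 403 Forbidden.
app.MapPost("/api/posts/{id}/hide", (string id) => Results.Ok($"hidden {id}"))
   .RequireAuthorization("ModeratorOrAdmin");

// Administrators only.
app.MapDelete("/api/users/{id}", (string id) => Results.NoContent())
   .RequireAuthorization("AdminOnly");

app.Run();
```

The Angular side can decode the same `roles` claim from the token it holds to hide or show menu items, but that is purely cosmetic: a user can call the API directly with a valid token, so the policies above are the only thing that actually keeps a `User` out of the moderator and administrator endpoints.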