0
votes

Hi I am working on Azure AD. I have one webapi project and swagger configured along with it. I have resisted two apps in azure ad. One for swagger and one for webapi app. Now I want to implement authorization based on groups. So now I want to call groups from microsoft graph api. From here on wards I am confused. To access groups I need to give permission to read graph in my azure Ad swagger app or webapi app? Swagger Authentication

Below is my code.

c.AddSecurityDefinition("oauth2", new OAuth2Scheme
                {
                    Type = "oauth2",
                    Flow = "implicit",
                    AuthorizationUrl = swaggerUIOptions.AuthorizationUrl,
                    TokenUrl = swaggerUIOptions.TokenUrl,
                    Scopes = new Dictionary<string, string>
                    {
                      { "read_user_groups", "https://graph.microsoft.com/Group.Read.All" }
                    }
                });

Now In azure Ad I have API Permissions and Expose API.

In my swagger App inside App registration I have API Permission and I have added Microsoft Graph and selected Groups.Read All. Then I have Expose API and we can add scopes. These two things are confusing me. My swagger app has to do groups based authorization on my web api? Can someone help me in this?

1
For "implement authorization based on groups", does it mean that you want to know which AD group the user is in cluded in when you call your web api? - Allen Wu
Currently In jwt token I have hasgroups:true so I want to call graph api to get groups. So from which app i should call graph? from my webapi app or swagger app registred in azure ad - Niranjan
In fact, there is a way you can get the group claim (which can tell the user is in which groups) directly from jwt token. Is it what you want to implement? - Allen Wu
But my intention is to call windows graph api. So to call microsoft graph api I need token. To generate token I need client id. So which client id I should use? webapp or swagger? - Niranjan
Expose API means this app represents the API you need to access. API Permission means this app will be used to make requests to web API app or Microsoft Graph resources. So it depends on which app you are protecting. Do you want to use swagger app to access your API and Microsoft Graph at the same time? - Allen Wu

1 Answers

1
votes

OK. I think I have got your ideas.

You want to give an access (to your web API) to users according to a group they belong to. Is that correct?

So, you need to call Microsoft graph to see the user is in which group.

In this case, you should call Microsoft graph from web api application. (not swagger app)

But, it's unnecessary to be so complicated.

As I mentioned in the comment, you can directly get the groups the user is included in from your jwt token.

You can include Groups claim in your token as instructed here. You just need to modify the "groupMembershipClaims" field in application manifest of your web api application:

"groupMembershipClaims": "SecurityGroup"

Then the token will contain the Ids of the groups that the use belongs to like below :

{
  "groups": ["1ce9c55a-9826-4e32-871c-a8488144bb32"]
}

Then you can implement your authorization logic based on the groups id of the user.


Update:

You could add an appRole into your Azure AD app (your web api app) and assign users and groups to roles.

Then the users in the group will have the claim like below:

{
  "roles": ["{the role you customized}"]
}

After that, the role will be included in the access token. And you can implement your authorization logic based on the roles of the user.