0
votes

I'm evaluating Azure B2C but can't work out whether it will be fit for the following scenario:

We have a single UI and and a single Web API. The API has two scopes defined: read and write.

The UI has two types of users: standard and admin. When a user logs in and gets an access token they both get a read scope but only an admin user should get write.

From what I've read Azure B2C doesn't support group based application, but is it possible to hook in to the token generation (e.g. a Function) and add a custom scope programmatically? I was thinking that if I can call a Function then this could check something to see if they should have the write scope added.

Thanks

1

1 Answers

0
votes

Scope o scp claims cannot be manipulated in B2C. However you can use custom policies and add (in a base policy) and output (in your relying party policy) a roles claim type so what your webapi do role base authorization (.NET core sample here). You can fill the roles values from the output claims provided by any technical profile which in turn relay on any configured Idp, AAD or even REST apis).