I created an Angular application with Implicit Grant Flow for authentication and a Web API in .NET Core 3.1 following this tutorial: https://github.com/Azure-Samples/ms-identity-javascript-angular-spa-aspnetcore-webapi

The problem is: I need to return the roles and/or groups of the logged-in user within the Bearer token to authorize my API, but I'm not able to do so.

I added the roles to the App Registrations Manifest here, added the claim 'groups' in the Token Configuration menu and set the "User assignment required?" as yes in my Enterprise App Configuration.

Even with all these configurations, I'm not able to return the roles/groups claims in the bearer token.

Example of the token the authentication returns:

    {
      "ver": "2.0",
      "iss": "https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0",
      "sub": "AAAAAAAAAAAAAAAAAAAAABTOBMzzWB5LS36oSmQMgyc",
      "aud": "ecb5e87f-6f34-4f05-8e8d-8d6149178926",
      "exp": 1597173984,
      "iat": 1597170084,
      "nbf": 1597170084,
      "name": "name",
      "preferred_username": "[email protected]",
      "oid": "00000000-0000-0000-fa54-d112egdce65a",
      "tid": "9188040d-6c67-4c5b-b112-36a304b643ad",
      "azp": "edeb4b7d-9cac-4f3b-a21d-ead77993689e",
      "scp": "access_as_user",
      "azpacr": "0",
      "aio": "DYNhHjG*PSY1ceuC11yaLYcLta8zh49iA!l2UCbCsH9QlaUkEHVQ4paQFRmb!qv7J6yTbAQItGWDgCW9UgUipz4Xnma*DOkFFDNIZ5lkffThD*ie91XMzZIoPhUPwNHOt5dLrw3VASE2WCvJfvDFOQk$"
    }

Am I doing something wrong? Is there any other way to authorize the logged-in user in a SPA application, return the token with the roles and groups, and send it to the Web API?

I've faced this issue many times. Your API needs to retrieve the groups and include them in the token. - Thiago Custodio
You have to define the roles in the manifest JSON: App Registration / Manifest. Here is a (bit old) tutorial on how to create and assign roles: joonasw.net/view/defining-permissions-and-roles-in-aad - Zsolt Bendes
@ZsoltBendes I already added the roles to the Manifest and assigned them to the users, but they are not returned in the token after the login. - FullMdM
@ThiagoCustodio that link is not very helpful, as I am trying to retrieve the roles and groups from a SPA application and not from an ASP.NET MVC application. - FullMdM

2 Answers

0
votes

You should add the App Role into the manifest of the service app (TodoListAPI) rather than the client app (TodoListSPA).

Don't forget to assign the App Role to the users.

This should be able to fix your issue.

0
votes

Hi. You need to go to Azure AD -> App registrations -> your app -> Token configuration -> Add groups claim -> then select the Security groups checkbox. Save. Then log out and log in again, and it should be in the token under groups.