0
votes

We have an AspNet Core web site and related web api that are secured against Azure Active Directory. A manager logs into the website to manage staff that work in branches.

We currently define what branches a manager manages using "App Roles" that are defined in the application's registration manifest.

In the AspNet WebSite those roles are returned in the ClaimsPrincipal.Claims collection under the ClaimTypes.Role, "http://schemas.microsoft.com/ws/2008/06/identity/claims/role".

However if we implement an AspNet web api that is called from that same AspNet WebSite the claim is not available in the api. For example

GET https://ourdomain.com/api/v1/managers/-/staff

In the AspNet web api I can inspect the claims via the HttpContext but the Roles claim type is not present.

How do I get the Roles claim in the api? I want to get at the individual values of the Role claims as that has the ID of the various branches.

The WebApi has its Auth defined using Microsoft.Identity.Web

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMicrosoftIdentityWebApiAuthentication(Configuration);
        services.AddControllers();
    }
juunas: The app roles need to be defined in the manifest of the app registration used by the API for them to show up in the access token for that API.

Pat Long - Munkii Yebee: So that sounds like it is not possible to get a list of the app roles a user is a member of from the web API as they are defined in the Application Registration of Web Site.

juunas: Yeah well, they might be available through Graph API, but it is definitely easier to either use the same app registration or define the roles again on the API or define the roles in the API only and read them in the client app from the API access token.

1 Answer

0
votes

You can leverage Role along with Groups to control access of your application. You can define some application roles and assign the roles to the groups. Then the users in the group will have the claim like below:

{
  "roles": ["{custom_role}"]
}

To see details, refer to:

How to: Add app roles in your application and receive them in the token

Using groups vs using application roles for authorization in Azure AD apps

As @juunas said, you should define the app roles in the app registration used by the API (not client app).

For how to configure the client app and API app, you can find a sample and detailed steps in this other answer.
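Once the app roles are defined on the API's own app registration, the API can read them from the validated access token. The controller below is an added example and is not code from the question, the answer or Microsoft.Identity.Web; the "Branch." role-value prefix, the "Staff.Read" scope and the route are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Identity.Web.Resource;

// Assumption: the API's app registration defines app roles whose values look
// like "Branch.1001", one per branch the assigned manager is allowed to manage.
[Authorize]
[ApiController]
[Route("api/v1/managers/-/staff")]
public class StaffController : ControllerBase
{
    private const string RolePrefix = "Branch.";

    // Assumption: the API exposes a delegated scope named "Staff.Read" that the
    // web site requests when it acquires a token for this API.
    private static readonly string[] RequiredScopes = { "Staff.Read" };

    [HttpGet]
    public IActionResult Get()
    {
        // A token can be issued for this audience yet lack the expected scope;
        // Microsoft.Identity.Web throws (401/403) if none of the scopes is present.
        HttpContext.VerifyUserHasAnyAcceptedScope(RequiredScopes);

        var branchIds = GetManagedBranchIds(User);
        if (branchIds.Count == 0)
        {
            // Authenticated but no app role assigned: deny instead of returning everything.
            return Forbid();
        }
        return Ok(branchIds);
    }

    // The JWT handler may surface the token's "roles" claim under the short name
    // "roles" or, with inbound claim mapping, under ClaimTypes.Role; accept both.
    public static IReadOnlyList<string> GetManagedBranchIds(ClaimsPrincipal user)
    {
        return user.Claims
            .Where(c => c.Type == "roles" || c.Type == ClaimTypes.Role)
            .Select(c => c.Value)
            .Where(v => v.StartsWith(RolePrefix, StringComparison.Ordinal))
            .Select(v => v.Substring(RolePrefix.Length))
            .Distinct()
            .ToList();
    }
}
```

Any role value that is not prefixed as expected is ignored, so a role assigned for some other purpose on the same registration cannot be mistaken for a branch ID.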