I'm building a web API on .NET Core 3.1 secured with Azure Active Directory. The controllers should authorize callers based on Azure AD group membership. The access token normally carries a `groups` claim, but when a user belongs to more groups than the token can embed (the Azure AD group "overage" case, roughly 200 groups for JWT access tokens) the `groups` claim is omitted, so the membership check has to fall back to Microsoft Graph. I don't know how to do that fallback with the MS Graph API.
My controller
/// <summary>
/// Sample endpoint. Every action on this controller requires the "UserGroup"
/// authorization policy, which must be registered under that exact name in
/// Startup.ConfigureServices or the authorization middleware will reject requests.
/// </summary>
[ApiController]
[Route("api/[controller]")]
[Authorize(Policy = "UserGroup")]
public class ValuesController : ControllerBase
{
    /// <summary>GET api/values - returns a fixed 200 OK with the string "value".</summary>
    [HttpGet]
    public IActionResult Get() => Ok("value");
}
Startup.cs
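public class Startup
{
    /// <summary>
    /// Builds configuration from appsettings.json (required) and then environment
    /// variables, which override the file. Secrets such as AzureAd:ClientSecret
    /// should come from that override layer (or user-secrets / Key Vault), not from
    /// the JSON file checked into source.
    /// </summary>
    public Startup(IWebHostEnvironment environment)
    {
        var builder = new ConfigurationBuilder()
            .SetBasePath(environment.ContentRootPath)
            .AddJsonFile("appsettings.json", optional: false, reloadOnChange: true)
            .AddEnvironmentVariables();
        Configuration = builder.Build();
    }

    public IConfiguration Configuration { get; }

    /// <summary>
    /// Registers JWT bearer validation bound to the "AzureAd" section and the
    /// "UserGroup" authorization policy referenced by the controllers.
    /// </summary>
    /// <exception cref="InvalidOperationException">
    /// Thrown at startup when AzureSecurityGroup:UserGroup is not configured.
    /// </exception>
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers();
        services.AddMicrosoftIdentityWebApiAuthentication(Configuration, "AzureAd");

        // Fail fast at startup rather than silently denying every request at
        // runtime if the required group id is missing from configuration.
        var userGroupId = Configuration.GetValue<string>("AzureSecurityGroup:UserGroup");
        if (string.IsNullOrWhiteSpace(userGroupId))
        {
            throw new InvalidOperationException(
                "AzureSecurityGroup:UserGroup is not configured; the UserGroup policy cannot be built.");
        }

        services.AddAuthorization(options =>
        {
            // The policy name must match [Authorize(Policy = "UserGroup")] on the
            // controller. Previously this was registered as "Countries", so the
            // controller referenced a policy that never existed (ASP.NET Core throws
            // at request time for an unknown policy name).
            //
            // RequireClaim matches the raw "groups" claim against the group object id.
            // When the token carries no "groups" claim - including the Azure AD group
            // overage case, where the caller belongs to too many groups for them to
            // be embedded - this policy denies access (fail closed). Resolving
            // membership through Microsoft Graph for overage tokens requires a custom
            // IAuthorizationHandler; that is not implemented here.
            options.AddPolicy("UserGroup",
                policyBuilder => policyBuilder.RequireClaim("groups", userGroupId));
        });
    }

    /// <summary>
    /// Middleware pipeline: HTTPS redirect, routing, then authentication before
    /// authorization so the bearer token is validated before policies are evaluated.
    /// </summary>
    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }

        app.UseHttpsRedirection();
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints =>
        {
            endpoints.MapControllers();
        });
    }
}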
appsettings.json
{
"AzureAd": {
"Instance": "https://login.microsoftonline.com/",
"ClientId": "my-client-id",
"ClientSecret": "my-client-secret",
"Domain": "mydomain.com",
"TenantId": "my-Tenant-id"
},
"AzureSecurityGroup": {
"UserGroup": "ExampleGroupID"
}
}
Thank you