
I have tried various authentication scenarios of Azure Active Directory across the internet. All examples are focused only on authorization by authentication. I was looking for authorizing the user based on roles from my AAD App Registration.

Auth() scenarios:

For example,

..\Controller\ArtistController.cs:

using System.Web.Http;

public class ArtistController : ApiController
{
    // Only a caller whose principal is in the Admin or InternalAdmin role may post.
    [Authorize(Roles = "Admin, InternalAdmin")]
    public void Post(ArtistModel model)
    {
        // Do admin stuff here...
    }
}

..\App_Start\Startup.Auth.cs [Not working]:

using System.Configuration;
using System.IdentityModel.Tokens;   // Microsoft.IdentityModel.Tokens on Microsoft.Owin 4.x
using Microsoft.Owin.Security.ActiveDirectory;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseWindowsAzureActiveDirectoryBearerAuthentication(
            new WindowsAzureActiveDirectoryBearerAuthenticationOptions
            {
                Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
                TokenValidationParameters = new TokenValidationParameters
                {
                    SaveSigninToken = true,
                    ValidAudience = ConfigurationManager.AppSettings["ida:Audience"],
                    // Role claim type set to the WS-Federation schema URI (ClaimTypes.Role).
                    RoleClaimType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
                }
            });
    }
}

..\App_Start\Startup.Auth.cs [Working]:

using System.IdentityModel.Tokens;   // Microsoft.IdentityModel.Tokens on Microsoft.Owin 4.x
using System.Threading.Tasks;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions
            {
                ClientId = ConfigHelper.ClientId,
                Authority = ConfigHelper.Authority,
                RedirectUri = "<<Home_Url>>",
                PostLogoutRedirectUri = ConfigHelper.PostLogoutRedirectUri,

                TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,
                    NameClaimType = "upn",
                    RoleClaimType = "roles",    // The claim in the JWT where app roles are provided.
                },

                Notifications = new OpenIdConnectAuthenticationNotifications()
                {
                    // Short-circuit the middleware and show the error page on a failed sign-in.
                    AuthenticationFailed = context =>
                    {
                        context.HandleResponse();
                        context.Response.Redirect("/Error/ShowError?signIn=true&errorMessage=" + context.Exception.Message);
                        return Task.FromResult(0);
                    }
                }
            });
    }
}

I understand that OWIN can wire any middleware to handle incoming HTTP requests: auth middlewares like OpenID, Windows bearer token, ...

Is UseOpenIdConnectAuthentication() the only correct middleware to authorize web resources by roles over UseWindowsAzureActiveDirectoryBearerAuthentication() based on this example?

Please suggest.

Ashokan Sivapragasam

1 Answer

Yes, OpenID is the only middleware that will work for this. There is no alternative at this point to OpenID Connect.

I found the best way to set the roles is to add these roles in the manifest and then hard code the logic to give different permissions to different users.

This is the best sample that I have found for this so far. You just need to add the connection string to Azure SQL for it to work. https://github.com/Azure-Samples/active-directory-dotnet-webapp-roleclaims

Marilee Turscak - MSFT
  • Thanks for quick response! I have a scenario. User authenticates to Web App interactively, accessing the controller resources by role and Web App should call another Web Api resources with same privileges (roles). Is this possible? – Ashokan Sivapragasam Sep 27 '18 at 11:39
  • I was able to get the user to access Web App resources by roles and make the Web App call another Web API's resources by AAD_Bearer_Access_Token (without roles). Is this a universal approach? – Ashokan Sivapragasam Sep 27 '18 at 11:42
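One visible difference between the two Startup.Auth.cs configurations above is the RoleClaimType: the bearer setup uses the WS-Federation schema URI (which is what ClaimTypes.Role expands to), while the working OpenID Connect setup uses "roles", the claim name the app-role assignment from the manifest actually arrives under. The following is an added example, not code from the question or the answer, that shows why that setting decides the outcome of [Authorize(Roles = "...")]: the attribute ends up calling ClaimsPrincipal.IsInRole, which only inspects claims whose Type equals the identity's RoleClaimType. The claim values are constructed stand-ins.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;

public static class RoleClaimDemo
{
    // Constructed stand-in for the claims found in a token issued to a user
    // assigned the "Admin" app role defined in the app manifest.
    static readonly List<Claim> TokenClaims = new List<Claim>
    {
        new Claim("upn", "user@contoso.example"),   // constructed sample value
        new Claim("roles", "Admin"),                 // app role from the manifest
    };

    // roleClaimType plays the same part as TokenValidationParameters.RoleClaimType
    // in Startup.Auth.cs: it tells the identity which claim carries roles.
    public static bool IsAdmin(string roleClaimType)
    {
        var identity = new ClaimsIdentity(TokenClaims, "OpenIdConnect", "upn", roleClaimType);
        var principal = new ClaimsPrincipal(identity);
        // This is the check [Authorize(Roles = "Admin")] relies on.
        return principal.IsInRole("Admin");
    }

    public static void Main()
    {
        // Role claim type matches the claim present in the token: True
        Console.WriteLine(IsAdmin("roles"));

        // Schema URI from the non-working configuration; no claim has that type: False
        Console.WriteLine(IsAdmin(ClaimTypes.Role));
    }
}
```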