0

I have read a number of blogs including this:

https://www.codeproject.com/Articles/1254806/Authentication-and-Authorization-in-ASP-NET-Core-2

I am building building applications that use OpenIdConnect using Azure active directory. My desire is to limit access to each app to only users in specific groups. For example, App 1 can only be accessed by users in group 1 while app 2 is only accessed by users in group 2.

So, when a user of either app logins in using Azure AD, I want Azure AD to return the group claims for the logged in user. Based on the groups, I decide (from the app side) if the user is allowed to access the app or not. I have been able to figure out how to return the groups...

BUT

When I include the groupMemberClaims in the app manifest, I get the error Bad Request... which is as a result of too many headers added to the request since some of the users belong to so many security groups. This is my dilemma.

Anyone faced this issue before and how did you fix it?

WiKi
  • 13
  • 3

1 Answers1

1

Instead of relying on groups, you could define roles for users in your application manifest. Then you can assign these roles to users. If you have a paid license for Azure AD (I forget which tier), you can also assign user roles to groups.

Here is an example of a user role in the app manifest:

{
  "appRoles": [
    {
      "allowedMemberTypes": [
        "User"
      ],
      "displayName": "Administrator",
      "id": "179c1dc0-4801-46f3-bc0d-35f059da1415",
      "isEnabled": true,
      "description": "Administrators can access advanced features.",
      "value": "admin"
    }
  ]
}

The value is what is given to your app in the token. After defining the role(s), click on the "Managed app in local directory" (which is the service principal). There you can find Users & Groups, and assign roles to users (and groups).

My article on the subject of roles and custom permissions: https://joonasw.net/view/defining-permissions-and-roles-in-aad

juunas
  • 54,244
  • 13
  • 113
  • 149