
I have developed a web site that integrates with Azure AD using asp.net and owin. I have registered the app as a multitenant app in AD, meaning that everyone with a work or school account can log in to my application. That is fine, and is what I want, but after the user is authenticated I need to check if the signed in user is authorized to use my app (is he registered as a user? Does he have a license?). What is the recommended way to implement this? Do I hook up to the openid connect middleware SecurityTokenReceived event and do the check there?

Notifications = new OpenIdConnectAuthenticationNotifications
{
    SecurityTokenReceived = OnSecurityTokenReceived
}

private Task OnSecurityTokenReceived(SecurityTokenReceivedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> context)
{
    // check if this user is registered as a user of my app and has a valid license?
    return Task.FromResult(0);
}

Or is there a better way to do this? If this is the way to go, how will I handle it if the user should not be allowed to enter my application, should I somehow abort the login process and redirect to an error page?

rgullhaug

1 Answer

Yes, this is the correct approach, and if I have to abort the login process I will throw a:

throw new System.IdentityModel.Tokens.SecurityTokenValidationException("You are not allowed to log in to this application");

Source: https://www.microsoftpressstore.com/articles/article.aspx?p=2473126&seqNum=2

double-beep
rgullhaug
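A fuller version of the approach above, written as an added example rather than code from the question or answer: the licence check is placed in SecurityTokenValidated (where the validated ClaimsIdentity is available, unlike SecurityTokenReceived, which only sees the raw token) and the thrown SecurityTokenValidationException is caught in AuthenticationFailed so the user lands on an error page instead of a stack trace. It assumes Microsoft.Owin.Security.OpenIdConnect 3.x, a hypothetical in-memory LicensedUsers store keyed by "tenantId:objectId", a placeholder client id and a hypothetical /Error/NotAuthorized page.

```csharp
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols;
using Microsoft.Owin.Security.Notifications;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    // Hypothetical licence store keyed by "tenantId:objectId"; replace with the app's own user/licence lookup.
    private static readonly HashSet<string> LicensedUsers = new HashSet<string> { "tenant-guid:object-guid" };
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = "<client-id placeholder>",
            Authority = "https://login.microsoftonline.com/common",
            // Multi-tenant: the issuer differs per tenant, so issuer validation is off here and the
            // licence check below is the gate that decides who may actually enter the application.
            TokenValidationParameters = new TokenValidationParameters { ValidateIssuer = false },
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                SecurityTokenValidated = OnSecurityTokenValidated,
                AuthenticationFailed = OnAuthenticationFailed
            }
        });
    }

    private static Task OnSecurityTokenValidated(SecurityTokenValidatedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> context)
    {
        ClaimsIdentity identity = context.AuthenticationTicket.Identity;
        string tenantId = identity.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid")?.Value;
        string objectId = identity.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier")?.Value;
        if (tenantId == null || objectId == null || !LicensedUsers.Contains(tenantId + ":" + objectId))
        {
            // Throwing here aborts sign-in; the middleware routes the exception to AuthenticationFailed.
            throw new SecurityTokenValidationException("User is not licensed for this application.");
        }
        return Task.FromResult(0);
    }
    private static Task OnAuthenticationFailed(AuthenticationFailedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> context)
    {
        context.HandleResponse(); // suppress the middleware's default error response
        context.Response.Redirect("/Error/NotAuthorized"); // hypothetical error page in this app
        return Task.FromResult(0);
    }
}
```

Keying the lookup on tenant id plus object id (rather than e-mail or UPN, which can be changed by a tenant admin) keeps the licence tied to the identity Azure AD actually asserts.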