
I would like to know whether my understanding is correct and also to clarify my doubts further.

1) Confirm my Understanding:

In the below image, I have explained my understanding of protecting the application and api using Azure AD. I have exposed the API with the SCOPE and the Application has consumed the same through the permission module.


Can someone please confirm my understanding is correct?

2) Should we pass Role in ACCESS_TOKEN?

This is where I require someone to help me. This is a code flow where the user logs into the Application and, while he tries to get the Todo list, the application sends a request to the API. In this communication, the application gets the ACCESS_TOKEN for the logged-in user and passes it with the request going to the API.

At the API side, we have the policy which checks the Scope coming through IHttpContextAccessor.HttpContext.User.Identity and makes sure the Claim has scp/scope and it has the right value.

Now, all are going well. The questions here are:

  1. Should we not have Role (User's role) in the ACCESS_TOKEN? (When I said Role - I mean User's role not Application's role)

Following the link in the Microsoft documentation, I am getting the role in the claims when the user logs in to the Application, but to call the API I have to use the ACCESS_TOKEN, which I am getting through TokenAcquisition.GetAccessTokenForUserAsync, and it doesn't include Role. It includes SUB, userPreferedName, email and Scope kind of details (have checked in jwt.io).

  2. If the answer to Question #1 is "NO, we should not", what is the way for the API to check the user's role and give the result? Is that something we need to stuff in SCOPE only?

REF: https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps

To give better context, I have added my Azure Configuration as well here.



1 Answer

  1. Confirm my Understanding:

Based on your screenshot, your understanding is basically accurate.

Microsoft identity platform issues you an access token after you sign in, and then you use this access token to call your web API. The API will validate the access token and the permissions / roles, which determines whether you can access its data.

This Protocol diagram is clearer for your understanding.


  2. Should we pass Role in ACCESS_TOKEN?

Firstly, the link you shared is related to Application Roles. But you are not talking about that. What you are talking about is the AAD role (e.g. Global admin, Group admin). Correct me if there is any misunderstanding.

Honestly, AAD role should not be included in the access token because it's meaningless. To access your web API, you should define your own roles to control the permissions of users. AAD roles only work when you try to perform AAD or Microsoft Graph operations.

If the answer of Question #1 is "NO, we should not" what is the way for API to check the user's role and give the result?

You have found the correct guide: Add app roles to your application and receive them in the token.

You should use Application Roles. Define the User app role in the Azure AD app which represents your API and assign your users to the role. Then your API can check the user's role by verifying scopes and app roles.

There is another method to control the user's role: using Group Claims which is also mentioned in the link you shared. The detailed steps are listed here.

  • Hi Allen - Thanks for clarifying the 1st item. Coming to the 2nd one, I am talking about Application specific roles only (no Azure AD Role). I have 3 roles (Viewer, Contributor and Admin roles - Application specific roles; maybe content-writer as a 4th one) and I want to pass that to the API along with the ACCESS_TOKEN. The link you gave gives the Role in the token, but that's the ID_TOKEN. But when you call TokenAcquisition.GetAccessTokenForUserAsync it gives the ACCESS_TOKEN and it does not include the role in that. It includes SUB and SCOPE and such details. – Brijesh Shah Jan 05 '21 at 07:35
  • @BrijeshShah Viewer, Contributor and Admin are your custom roles right? It doesn't matter. Just follow the last part of my answer. You should pass them in the access token. – Allen Wu Jan 05 '21 at 07:37
  • @BrijeshShah Please note that **You should Define the User app role in the Azure AD app which represents your API**. Not in the Azure AD app which represents your client. Have pointed it in my answer. – Allen Wu Jan 05 '21 at 07:38
  • @BrijeshShah Defining the App role in Azure AD app of client only return app role in id token. To get it in access token, you should define it in Azure AD app of API. Similar issue: https://stackoverflow.com/questions/64456324/azure-ad-with-single-page-application-and-asp-net-core-web-api-how-to-access-al/64458043#64458043. – Allen Wu Jan 05 '21 at 07:44
  • Hi Allen - One question in that case. Are you suggesting that the user should be added to the API as well? Like the way I am adding (or assigning the Role to the user) for my application, do I need to add the user to the API (or assign them to the API as well)? At the API side, I have only scope. – Brijesh Shah Jan 05 '21 at 07:47
  • @BrijeshShah Yes. Do the same thing that you have done in client app. – Allen Wu Jan 05 '21 at 07:48
  • @BrijeshShah What do you mean by "At API side, I have only scope"? – Allen Wu Jan 05 '21 at 07:49
  • Hi Allen - I have added the picture of my configuration which might give you better context and you can validate if something I am going wrong with my understanding – Brijesh Shah Jan 05 '21 at 08:06
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/226859/discussion-between-allen-wu-and-brijesh-shah). – Allen Wu Jan 05 '21 at 08:09
  • Hi Allen - Thanks for the explanation. It's much clearer to me now. – Brijesh Shah Jan 05 '21 at 08:25
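The API-side check the answer describes (verify the scope from the exposed permission, then the app role defined on the API's own app registration), as an added example written for this thread with Microsoft.Identity.Web, not code from the question or the answer. The scope name `Todo.Read`, the role name `Admin`, the controller and the `AzureAd` configuration section are assumed.

```csharp
// Startup.cs of the protected web API (ASP.NET Core + Microsoft.Identity.Web)
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.Resource;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        // Validates the bearer token against the "AzureAd" section (tenant,
        // client id of the API's app registration). Microsoft.Identity.Web maps
        // the "roles" claim to the role claim type (assumption stated in the
        // lead-in), so [Authorize(Roles = ...)] sees app roles of the API registration.
        services.AddMicrosoftIdentityWebApiAuthentication(Configuration);
        services.AddControllers();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();   // must run before authorization
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}

[ApiController]
[Route("api/[controller]")]
[Authorize]                        // every action needs a valid access token
public class TodoListController : ControllerBase
{
    private const string ReadScope = "Todo.Read";   // delegated permission exposed by the API (assumed name)

    // Reading only needs the scope the client app was granted ("scp" claim).
    [HttpGet]
    [RequiredScope(ReadScope)]
    public IActionResult Get() => Ok(new[] { "buy milk", "rotate keys" });

    // Deleting additionally needs the "Admin" app role. That role is present in the
    // access token only when it is defined on, and the user assigned to, the API's
    // app registration; a role defined on the client registration lands in the ID token.
    [HttpDelete("{id:int}")]
    [RequiredScope(ReadScope)]
    [Authorize(Roles = "Admin")]
    public IActionResult Delete(int id) => NoContent();
}
```

A token carrying `"scp": "Todo.Read"` without `"roles": ["Admin"]` passes `Get` and gets 403 on `Delete`; one with neither claim is rejected on both.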