
I have a Web API "App Registration" called "BackEnd_API" which defines some Application Roles and User Roles.

    {
        "allowedMemberTypes": [
            "Application"
        ],
        "description": "resource.READ allows you read access to all items in the application",
        "displayName": "resource.READ",
        "id": "9650cfb9-570d-4b79-1337-a01337ed6c29",
        "isEnabled": true,
        "lang": null,
        "origin": "Application",
        "value": "resource.READ"
    },

I then have another Client Application "App Registration" called "Client_App" which consumes that API, to which I've assigned the AppRole "resource.READ" using either Azure CLI or PowerShell. In the Azure Portal I can see that the Service Principal is assigned the role. When I use the Client Credentials Flow, the resulting access token DOES contain that roles claim, which I use on the BackEnd to authorize the caller. Up to here, all good.

Now, I want to consume the same Web API "BackEnd_API" from another consuming application using Managed Identities. So I've created another "App Service", enabled System Assigned Identity and assigned the AppRole "resource.READ" using Azure CLI. In the Azure Portal I can see that the Service Principal is assigned the role.

I can get a token using the JS Azure SDK.

var withClientSecretCredential = async () => {
    // Load the .env file if it exists
    require('dotenv').config();
    const {
        ChainedTokenCredential,
        ManagedIdentityCredential
    } = require("@azure/identity");
    const logger = require('@azure/logger');
    logger.setLogLevel('info');

    // NOTE: the GUID passed here is the object ID of the managed identity's
    // service principal; the constructor parameter is the client (application) ID.
    const credentials = new ChainedTokenCredential(
        new ManagedIdentityCredential("54e5c672-872f-4866-b067-132973cb0c91"),
    );

    // getToken is asynchronous; request the API's default scope
    const token = await credentials.getToken(['api://e22fd9eb-3088-4155-936a-0919681c3eb5/.default']);
    return token;
};

But the received token in this case has no 'role' claims, so the API call fails to authorize.

I double-checked the roles and the assignment and all looks good; is this supposed to work?

Token without 'role' claim:

    {
        "aud": "e22fd9eb-3088-4155-936a-0919681c3eb5",
        "iss": "https://login.microsoftonline.com/45591230-6e37-4be7-acfb-4c9e23b261ea/v2.0",
        "iat": 1634550153,
        "nbf": 1634550153,
        "exp": 1634636853,
        "aio": "E2ZgYGguYd9fNkv3pOV5Iduv2655AgA=",
        "azp": "7dd894ca-6c1b-45ae-b67c-75db99593a14",
        "azpacr": "2",
        "oid": "54e5c672-872f-4866-b067-132973cb0c91",
        "rh": "0.ARAAYH9ZRTdu50us-0yeI7Jh6sqU2H0bbK5Ftnx125lZOhQQAAA.",
        "sub": "54e5c672-872f-4866-b067-132973cb0c91",
        "tid": "45597f60-6e37-4be7-acfb-4c9e23b261ea",
        "uti": "qOLzTFlmw0yuWeFXXT1pAA",
        "ver": "2.0"
    }

Thanks for helping.

  • Yes, it is supposed to work. So `54e5c672-872f-4866-b067-132973cb0c91` is the appid/client_id of the managed identity? – Thomas Oct 18 '21 at 19:33
  • Yes, exactly, it is the objectID of the Service Principal created for the App Service Managed Identity. – apiengineer Oct 19 '21 at 09:08
  • It should not be the objectid but the appid/client_id. Looking at the documentation, you only need to pass the clientId for a user-assigned identity. Have you tried without passing the clientId? https://learn.microsoft.com/en-us/javascript/api/@azure/identity/managedidentitycredential?view=azure-node-latest – Thomas Oct 19 '21 at 09:33
  • @Thomas, you were right, using the Application_ID instead of the Object_ID I get the role claim in the token. – apiengineer Oct 20 '21 at 14:35
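The authorization step the BackEnd_API applies to the caller's token, as an added example that is not code from the original post or from the Azure SDK. It assumes signature validation against the tenant's signing keys has already happened in JWT bearer middleware, and that the backend's rule is "aud equals the API's application ID and the `roles` array claim contains the assigned app role". The claim sets are constructed: one copies the token from the post (no `roles` claim), one is the same caller with `roles: ["resource.READ"]`, one targets a different audience. Note which claim is which: `azp` is the caller's client (application) ID, while `oid`/`sub` hold the managed identity's object ID, the value that was mistakenly passed to ManagedIdentityCredential.

```javascript
// Added example, not code from the original post: the authorization check a
// BackEnd_API applies to an already validated access token. Signature
// validation is assumed to happen earlier (JWT middleware); this only reads claims.

const API_AUDIENCE = "e22fd9eb-3088-4155-936a-0919681c3eb5"; // BackEnd_API app ID from the post

// Decode the base64url payload segment of a compact JWT. No verification here.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) {
    throw new Error("not a compact JWS (expected header.payload.signature)");
  }
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Authorize an app-to-app caller: the token must be issued for this API and
// carry the required app role in the `roles` array claim. The caller's client
// ID (azp) and object ID (oid) are returned so a rejection can be traced to
// the right app registration or managed identity.
function authorizeAppRole(token, requiredRole, audience = API_AUDIENCE) {
  const claims = decodeJwtPayload(token);
  const caller = { clientId: claims.azp, objectId: claims.oid };
  if (claims.aud !== audience) {
    return { ok: false, reason: `token not issued for this API (aud=${claims.aud})`, caller };
  }
  const roles = Array.isArray(claims.roles) ? claims.roles : [];
  if (!roles.includes(requiredRole)) {
    return { ok: false, reason: `roles claim ${JSON.stringify(roles)} lacks ${requiredRole}`, caller };
  }
  return { ok: true, reason: "authorized", caller };
}

// Build a constructed, unsigned test token (header.payload.placeholder) so the
// check can run offline. A real API must never accept a token like this.
function constructedToken(payload) {
  const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  return `${b64url({ alg: "RS256", typ: "JWT" })}.${b64url(payload)}.signature-omitted`;
}

// Constructed from the token in the post: oid/sub are the managed identity's
// object ID, azp is its client ID, and there is no roles claim at all.
const TOKEN_WITHOUT_ROLES = constructedToken({
  aud: API_AUDIENCE,
  iss: "https://login.microsoftonline.com/45591230-6e37-4be7-acfb-4c9e23b261ea/v2.0",
  azp: "7dd894ca-6c1b-45ae-b67c-75db99593a14",
  oid: "54e5c672-872f-4866-b067-132973cb0c91",
  sub: "54e5c672-872f-4866-b067-132973cb0c91",
  ver: "2.0",
});

// Constructed: the same caller once the app role assignment is reflected in the token.
const TOKEN_WITH_ROLES = constructedToken({
  aud: API_AUDIENCE,
  azp: "7dd894ca-6c1b-45ae-b67c-75db99593a14",
  oid: "54e5c672-872f-4866-b067-132973cb0c91",
  roles: ["resource.READ"],
  ver: "2.0",
});

// Constructed: a token for some other API (placeholder audience) that happens to
// carry the same role name. It must be rejected regardless of the roles claim.
const TOKEN_WRONG_AUDIENCE = constructedToken({
  aud: "11111111-2222-3333-4444-555555555555",
  azp: "7dd894ca-6c1b-45ae-b67c-75db99593a14",
  roles: ["resource.READ"],
  ver: "2.0",
});

for (const [name, token] of Object.entries({ TOKEN_WITHOUT_ROLES, TOKEN_WITH_ROLES, TOKEN_WRONG_AUDIENCE })) {
  console.log(name, authorizeAppRole(token, "resource.READ"));
}
```

The audience check comes first on purpose: a token minted for another resource is not evidence of anything about this API, however plausible its roles look. Run with `node` (v15.7 or later for the `base64url` encoding).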

1 Answer


The token you might be getting should be an access token, and the roles you are looking for should be in the ID token. Did you try this by enabling "ID Token" in the Azure portal?

rinesh
  • Nope!! The problem is that I was specifying the ObjectID instead of the ApplicationID in the function new ManagedIdentityCredential("54e5c672-872f-4866-b067-132973cb0c91"), as specified in the SDK https://learn.microsoft.com/en-us/javascript/api/@azure/identity/managedidentitycredential?view=azure-node-latest. After fixing that, roles popped up in the token! – apiengineer Oct 20 '21 at 14:36