
I tried the role-based authorization in my .NET Core 3.1 Web API using Azure AD. The issue is happening only when I specify Policy or Roles in the Authorize attribute:

[Authorize(Policy = "p-web-api-with-roles-user")]
[Authorize(Roles="User")]

My controller:

[Authorize(Policy = "p-web-api-with-roles-user")]
public class BaseController : ControllerBase

ConfigureServices in Startup.cs:

services.AddAuthentication(rootOptions =>
{
    rootOptions.DefaultAuthenticateScheme = AzureADDefaults.AuthenticationScheme;
    rootOptions.DefaultChallengeScheme = AzureADDefaults.AuthenticationScheme;
})
.AddJwtBearer("AzureAD", options =>
{
    options.Audience = configuration.GetValue<string>("Authentication:AzureAd:Audience");
    options.Authority = configuration.GetValue<string>("Authentication:AzureAd:Instance") +
        configuration.GetValue<string>("Authentication:AzureAd:TenantId");

    options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidIssuer = configuration.GetValue<string>("Authentication:AzureAd:Issuer"),
        ValidAudience = configuration.GetValue<string>("Authentication:AzureAd:Audience"),
        RoleClaimType = "roles",
        NameClaimType = "name"
    };
});

services.AddAuthorization(policies =>
{
    policies.AddPolicy("p-web-api-with-roles-user", p =>
    {
        p.RequireClaim("roles", "User");
    });
    policies.AddPolicy("p-web-api-with-roles-admin", p =>
    {
        p.RequireClaim("roles", "Admin");
    });
});

My JWT looks like below:

{
  "aud": "f9ea4dcd-50f9-4bba-93ef-6514be396e98",
  "iss": "https://login.microsoftonline.com/b4f51282-6eb2-4a8b-ae76-6632f8c4936a/v2.0",
  "iat": 1643822217,
  "nbf": 1643822217,
  "exp": 1643826117,
  "aio": "AZQAa/8TAAAAOt6II6GXwVFVT8flEfLQBtBoG2nknE+AX4UCIYqyyXSxPw0Go6kECzgwaILMsxs4hgZBiiYz+Ovt6GzkrCAvA64tqYOEhlPbSjCk2+n/J84MTxS7OsdxWIrpRNzvCDTihvLfkxL7zBU9UU5069Dxgnj2dkBgqlI06g0YAvGrTHfLei3ym5iEe8NpUIsnBhBX",
  "idp": "https://sts.windows.net/cc994933-7128-4222-9d36-3e7f4fd81608/",
  "name": "Abhilash CR",
  "nonce": "8ce4cb72-f322-46a6-937c-d526fc2be1f1",
  "oid": "aefdda8f-f83f-4ace-8316-4e47d82c0d27",
  "preferred_username": "abhilash.cr@xyz.com",
  "rh": "0.AQ0AghL1tLJui0qudmYy-MSTas1N6vn5ULpLk-9lFL45bpgNAEk.",
  "roles": [
    "User"
  ],
  "sub": "B5soMutWa-fYNNShKCKA2QmNYi555yzTGGSScuMMfKg",
  "tid": "b4f51282-6eb2-4a8b-ae76-6632f8c4936a",
  "uti": "lazPqCkyIEioN0MHpycgAA",
  "ver": "2.0"
}

I am not sure what mistake I am making here. Simply keeping the [Authorize] attribute is not validating the roles. I want to validate the roles.

  • See following : https://learn.microsoft.com/en-us/aspnet/web-forms/overview/older-versions-security/roles/creating-and-managing-roles-cs?force_isolation=true – jdweng Feb 02 '22 at 18:25

1 Answer


I had a similar issue and it turned out that the claims in the user principal were being renamed.

So the collection "roles" in the JWT token was being converted into multiple claims of type "http://schemas.microsoft.com/ws/2008/06/identity/claims/role".

You can specify the role claim type in your TokenValidationParameters as follows:

jwtOptions.TokenValidationParameters.RoleClaimType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role";

Or you can stop the claims being renamed using

JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();

but this could cause issues if you have other logic which relies on the renamed claims types.

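The two fixes the answer describes, written out against the question's Startup configuration as an added example (not the asker's or the answerer's code). It assumes the same Microsoft.AspNetCore.Authentication.AzureAD.UI and JWT bearer packages the question uses; the `AuthSetup` class, the `Configure` method and its `useRawClaimNames` switch are hypothetical names chosen here.

```csharp
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.AzureAD.UI;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public static class AuthSetup
{
    // useRawClaimNames = false: keep the handler's inbound claim-type map and point RoleClaimType
    //                           at the mapped type (the answer's first option).
    // useRawClaimNames = true:  clear the map so the "roles" claim keeps its JWT name (second option).
    public static void Configure(IServiceCollection services, IConfiguration configuration, bool useRawClaimNames)
    {
        // With the default map, JwtSecurityTokenHandler renames "roles" to ClaimTypes.Role
        // ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role") while building the principal,
        // which is why RequireClaim("roles", ...) and RoleClaimType = "roles" never match anything.
        string roleClaimType = useRawClaimNames ? "roles" : ClaimTypes.Role;
        if (useRawClaimNames)
        {
            // Process-wide and must run before the first token is validated; any code that
            // expects the mapped claim names (e.g. ClaimTypes.NameIdentifier for "sub") stops working.
            JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
        }

        services.AddAuthentication(options =>
        {
            options.DefaultAuthenticateScheme = AzureADDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = AzureADDefaults.AuthenticationScheme;
        })
        .AddJwtBearer(AzureADDefaults.AuthenticationScheme, options =>
        {
            options.Authority = configuration["Authentication:AzureAd:Instance"] + configuration["Authentication:AzureAd:TenantId"];
            options.Audience = configuration["Authentication:AzureAd:Audience"];
            options.TokenValidationParameters = new TokenValidationParameters
            {
                ValidIssuer = configuration["Authentication:AzureAd:Issuer"],
                ValidAudience = configuration["Authentication:AzureAd:Audience"],
                RoleClaimType = roleClaimType, // must match the claim type as it exists on the principal
                NameClaimType = "name"         // left as in the question
            };
        });

        services.AddAuthorization(policies =>
        {
            // RequireRole evaluates against RoleClaimType, so the policies follow whichever option is active;
            // [Authorize(Roles = "User")] on a controller works for the same reason.
            policies.AddPolicy("p-web-api-with-roles-user", p => p.RequireRole("User"));
            policies.AddPolicy("p-web-api-with-roles-admin", p => p.RequireRole("Admin"));
        });
    }
}
```

If you prefer to keep RequireClaim, the claim type it is given must match the same choice: `ClaimTypes.Role` with the default map, `"roles"` only after the map has been cleared.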