
I have created a boilerplate .NET 6 MVC web application, chosen the Azure AD authentication type, and connected it to my tenant and Azure application. The Azure application has roles set up.

In other applications, when I check 'User.IsInRole(roleName)' it correctly identifies whether or not the current user has been assigned to that role.

In this new application none of the roles correctly appear as true.

In the Program.cs I have:

// Namespaces needed for the calls below (Microsoft.Identity.Web and the
// Microsoft.Identity.Web.MicrosoftGraph packages must be referenced).
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

var initialScopes = builder.Configuration["DownstreamApi:Scopes"]?.Split(' ')
    ?? builder.Configuration["MicrosoftGraph:Scopes"]?.Split(' ');

// Add services to the container.
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"))
        .EnableTokenAcquisitionToCallDownstreamApi(initialScopes)
            .AddMicrosoftGraph(builder.Configuration.GetSection("MicrosoftGraph"))
            .AddInMemoryTokenCaches();

builder.Services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
    // The claim in the Jwt token where App roles are available.
    options.TokenValidationParameters.RoleClaimType = "roles";
});

builder.Services.AddAuthorization(options =>
{
    // Require an authenticated user for every endpoint that has no explicit policy.
    options.FallbackPolicy = options.DefaultPolicy;
});

and in my appsettings:

  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "the.domain",
    "TenantId": "tenantId",
    "ClientId": "clientId",
    "CallbackPath": "/signin-oidc",
    "ClientSecret": "somesecret",
    "ClientCertificates": []
  },

What am I missing?

Cef
  • noob question, but have you [assigned the users to these app roles](https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps)? – Kalyan Krishna Jun 07 '22 at 09:50
  • see if you can run this [sample](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/5-WebApp-AuthZ/5-1-Roles/README.md) against this app registration of yours – Kalyan Krishna Jun 07 '22 at 09:51
  • Yes, they have been assigned. – Cef Jun 07 '22 at 15:22
  • the sample works – Cef Jun 07 '22 at 23:52

1 Answer

For whatever reason, in the .NET 6 MVC app the RoleClaimType is "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" instead of "roles".

So in Program.cs make sure it looks like this:

builder.Services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
    // The claim in the Jwt token where App roles are available.
    options.TokenValidationParameters.RoleClaimType =
        "http://schemas.microsoft.com/ws/2008/06/identity/claims/role";
});
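The reason the answer's change works is that User.IsInRole(name) does not look for a claim named "roles"; it looks for a claim whose type equals the identity's RoleClaimType. The ASP.NET Core OpenID Connect handler maps inbound JWT claim names onto the long schema URIs by default, so the app roles arrive as http://schemas.microsoft.com/ws/2008/06/identity/claims/role and a RoleClaimType of "roles" matches nothing, silently denying every role check. The following is an added example, not code from the question or the answer: a self-contained .NET 6 console program using only System.Security.Claims that simulates the two configurations and includes a small Describe() diagnostic that can equally be called on HttpContext.User inside a controller to see which claim type role checks will consult. The user name and object id values are constructed placeholders, and the single app role "Admin" is assumed for illustration.

```csharp
// Added example (not from the question or answer): demonstrates that
// User.IsInRole() only succeeds when ClaimsIdentity.RoleClaimType equals the
// claim type the authentication handler actually emitted. No ASP.NET Core
// dependency; the claim values below are constructed for the demo.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

static class RoleClaimDemo
{
    // The schema URI the .NET JWT handler maps the short "roles" claim onto.
    // This is the same string as ClaimTypes.Role in System.Security.Claims.
    public const string LongRoleType =
        "http://schemas.microsoft.com/ws/2008/06/identity/claims/role";

    // Simulates the principal the OpenID Connect handler hands to the app:
    // app roles are present under LongRoleType because inbound claim mapping
    // is on by default. roleClaimType is whatever RoleClaimType was set to in
    // Program.cs ("roles" in the question, LongRoleType in the answer).
    public static ClaimsPrincipal BuildPrincipal(string roleClaimType, params string[] appRoles)
    {
        var claims = new List<Claim>
        {
            new Claim("preferred_username", "user@example.test"),        // constructed value
            new Claim("oid", "00000000-0000-0000-0000-000000000000"),     // constructed placeholder
        };
        claims.AddRange(appRoles.Select(role => new Claim(LongRoleType, role)));

        var identity = new ClaimsIdentity(
            claims,
            authenticationType: "OpenIdConnect",
            nameType: "preferred_username",
            roleType: roleClaimType);

        return new ClaimsPrincipal(identity);
    }

    // Diagnostic: reports the claim type IsInRole() will consult and every
    // claim type actually present. Works the same on HttpContext.User.
    public static string Describe(ClaimsPrincipal user)
    {
        var identity = (ClaimsIdentity)user.Identity!;
        var lines = new List<string>
        {
            $"RoleClaimType in use: {identity.RoleClaimType}",
            "Claims present:",
        };
        lines.AddRange(user.Claims.Select(c => $"  {c.Type} = {c.Value}"));
        return string.Join(Environment.NewLine, lines);
    }

    public static void Main()
    {
        // Misconfigured as in the question: RoleClaimType is "roles" but the
        // role claims were emitted under the long schema URI.
        var mismatched = BuildPrincipal("roles", "Admin");
        Console.WriteLine(Describe(mismatched));
        Console.WriteLine($"IsInRole(\"Admin\") -> {mismatched.IsInRole("Admin")}");
        Console.WriteLine();

        // Fixed as in the answer: RoleClaimType matches the emitted claim type.
        var matched = BuildPrincipal(LongRoleType, "Admin");
        Console.WriteLine(Describe(matched));
        Console.WriteLine($"IsInRole(\"Admin\") -> {matched.IsInRole("Admin")}");
    }
}
```

Running it, the first IsInRole("Admin") call returns false and the second returns true, even though both principals carry exactly the same claims; only RoleClaimType differs. When a role check fails unexpectedly, dumping Describe(User) from an authorized action shows at a glance whether the claim type and RoleClaimType line up. If you would rather keep the short claim names end to end, the OpenID Connect handler can be told not to map inbound claims (options.MapInboundClaims = false on OpenIdConnectOptions), in which case the app roles arrive as "roles" and the question's original RoleClaimType would match; that is an alternative to the answer's fix, not part of it.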
Cef