0

I have an AzureAD application registration for my front end SPA. I am using Angular with Microsoft’s @azure/msal-angular v2 authentication library. My app registration has all the necessary redirect URIs and configured for proper OAuth2 OpenID Connect using authorization code flow with PKCE. My app is using the Microsoft Graph API with only the User.Read scope. I can authenticate just fine. If my app, however, is only available for one group of people, defined by an AD group and assigned to the Users and Groups section in Azure, what is the best way to validate the logged in user is authorized? I’ve tried enabling optional group claims for the access token, but those don’t come through for some reason. I then tried adding roles-I have an “admin” role, which is the only one I need. This role is assigned to the AD group I mentioned earlier. The roles claim does come back, and I can use that, but this seems silly when I should be able to just validate if the logged in user is in my AD group. The roles approach does have the nice feature of just assigning users different roles to validate authorization for development purposes, but not sure if there’s a better way.

At some point there will be an API I need to plug in. Would it be best to get the claims from that and use that for validation?

Is there a scope or setting I’m missing? Am I achieving this all wrong? Thank you to all who reply.

J-man
  • 1,743
  • 3
  • 26
  • 50

1 Answers1

1

At this point, you have a SPA that calls a MS 1st party API, which is MS Graph.

Since you are acquiring an accessToken to MS Graph, this accessToken can not be changed - it is meant to be decoded and validated by MS Graph itself, so you will not be able to add any extra claim on that token since you do not control the resource.

Also, your client should treat the accessToken as an opaque string, you should never rely on any claim from the accessToken on the frontend.

You can read more about it here: https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens

If you want to do some sort of authorization on the frontend, like deciding which routes your user will have access to, you need to rely on the idToken. For the idToken, you can enable the Groups claim and get a list of groups that the user is a member of.

If, as mentioned, later down the line you need to create a custom API and call it from your SPA, then, on that scenario, you can indeed add the Groups claim to the accessToken, because it will be a resource that you control, and then authorize the requests that hit your API based on that claim

MS has a sample that shows exactly how to use security groups for access control, using an Angular frontend with a .NET Core Web API. Give it a check here: https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/blob/main/5-AccessControl/2-call-api-groups/README.md

Sérgio Correia
  • 446
  • 2
  • 3