I am using Azure AD role-based authentication. I have added 2 roles (Observer, Reader) in the web application and I have assigned specific users, which works fine.

My question is: where should I create these roles? As of now, they are created under the web application; however, I feel that they should be created under the API application.

If these roles are created under an API application, how can I generate the access token when the web application needs to interact with multiple APIs, as I am not able to request multiple scope(s)/resource(s)?

One Developer
  • It depends on what you use the roles for. Is it for controlling access to the web application only or do you need to limit access to the API too? When you say you use multiple APIs, are they registered in the same AAD tenant? – cgontijo Sep 30 '22 at 21:28
  • Yes, it is to control the access for both web and API. Yes, all the APIs are registered in the same Azure AD. – One Developer Sep 30 '22 at 21:51

1 Answer

I tried to reproduce the same in my environment and I got the result below.

When I tried to get an access token with multiple APIs in scope, I got an error like below.

Please note that you cannot generate an access token with multiple APIs in scope.

To confirm this, please check a similar scenario by Juunas in this SO thread: an access token is valid for one API only.

When I tried to add a single scope, I got the access token successfully, like below.

When I decoded that token, I got scp claims with role like below.

Imran
  • Thank you for your time and effort. I understand token generation is limited to APIs, but what are the scenarios in which I need to create Roles in WebApps as opposed to WebAPIs? SPA applications require the Roles to be created in WebAPPs and WebAPIs for microservices. But, I need someone to guide me on my assumptions. – One Developer Oct 03 '22 at 13:10
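
The one-token-per-API rule from the answer above, as an added example that is not part of the original posts: the first function splits a mixed scope list into one token request per API, and the second is the check an API makes on the claims of a token it has already validated. The App ID URIs, scope names and claim values are constructed for illustration; only the role names Reader and Observer come from the question.

```python
from collections import defaultdict

# OpenID Connect scopes are not tied to an API and may accompany any request.
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}

def plan_token_requests(scopes):
    """Group fully qualified scopes ('<App ID URI>/<permission>') by API.

    Returns {resource: [scopes]}; each entry is one separate token request.
    """
    by_resource = defaultdict(list)
    for scope in scopes:
        if scope in OIDC_SCOPES:
            continue
        resource, sep, permission = scope.rpartition("/")
        if not sep or not resource or not permission:
            raise ValueError(f"scope is not resource-qualified: {scope!r}")
        by_resource[resource].append(scope)
    return {res: sorted(s) for res, s in by_resource.items()}

def authorize(claims, api_audience, required_role):
    """API-side check on claims from an ALREADY VALIDATED token
    (signature, issuer and expiry checks are assumed to have been done).
    """
    if claims.get("aud") != api_audience:
        return False  # token was issued for a different API
    return required_role in claims.get("roles", [])

# Constructed sample input: hypothetical App ID URIs and scope names.
REQUESTED = [
    "openid",
    "api://orders-api/access_as_user",
    "api://billing-api/access_as_user",
    "api://orders-api/Orders.Read",
]
# Constructed claims, as an API would see them after validating a token.
ORDERS_TOKEN = {"aud": "api://orders-api", "scp": "access_as_user",
                "roles": ["Reader"]}

if __name__ == "__main__":
    for resource, scopes in plan_token_requests(REQUESTED).items():
        print(resource, "->", scopes)
    print(authorize(ORDERS_TOKEN, "api://orders-api", "Reader"))
    print(authorize(ORDERS_TOKEN, "api://billing-api", "Reader"))
```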