I created a new ASP.NET Core MVC 6.0 web application, and I defined it to use Microsoft Identity Platform for authentication, as follows:
Now I read this article which show how we can define different roles inside the AD app and assign users to them #
https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps
So I accessed the "ad" application inside Azure >> i added a role named "admins", as follow:-
But I am not sure how I can check this role ("admins") based on the login user inside my ASP.NET Core MVC web application? and can i use the [Authorized] attribute to check those roles? Can anyone help please?
Thanks
I agree with #Mohammad Hannan, the token you'll get will have those roles.
I tried to reproduce the same in my environment and got below results:
I created the application same as you and added App role like below:
You can assign this App role to users or groups like below:
Go to Azure Portal -> Azure AD -> Enterprise applications -> Your application -> Users and groups -> Add user/group
Now, add this API permission in application and make sure to grant admin consent like below:
I generated access token using client credentials flow via Postman like below:
POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
client_id:<appID>
grant_type:client_credentials
scope: api://<appID/.default
client_secret: <secret>
Response:
When I decoded the above token in jwt.ms, I got roles claim successfully like below:
Related
I have a multi tenant app registered on Azure Ad, and each time a user logs in I want to get all the users of the organization. I configured the app in my code and on Azure
My .net-core app with azure and
ms graph authorizations
So when someone logs in it asks for "read" permissions. Now I want to get all users of a specific tenant, I tried first on Postman
to get the access token and
get users with the token
it worked for this tenant because it is the app owner on Azure, but when I try with another tenant which is using my app, it doesn't work.
I got the access token for another tenant and then
I have an error
I'm a little bit confused, is it the right way to do that or did I miss something ?
EDIT : It works if someone of the other tenant grant admin consent here on Azure Ad, it adds Application Permissions but I don't want to do it on Azure but on the App
Hi I am working on Angular SPA and web API core. I am trying to implement authentication and authorization. I have done as below for now.
Registered one application for my front end application and added required redirect uri and modified manifest file to enable implicit flow. Also assigned some of the roles to it.
Registered one more application for my back end. I added scope in the form api/clientid. Then added client application id which is created in step 1.
User is successfully able to login to application.
Now my JWT token has roles in claim. In my API I have added [Authorize(Roles = "Engineers,Admins")]
So If user has any role Engineers or Admins in the JWT token as claims then they are allowed to access my API's
So far my authorization works fine. But coming to authentication part, currently all users of my azure AD tenant able to do login(User can hit my front end url and add user name and password then It will ask MFA and they will be landed in application home page).
If user is part of any of the roles above then only they can see data in home page because in home page I am calling some of the API's and I have added [Authorize(Roles = "Engineers,Admins")].
If suppose user is not part of above role they are still able to login (login means they are able to add user name and password and MFA) they will be landed in home page but they cannot see any data because api will be accessed only if they are part of Engineers,Admins roles.
My question is If user is not part of Engineers,Admins roles why they are able to login and come to home page. They should be restricted in Login step itself.
I am not really sure I am asking right thing here or I only confused my self between authentication vs authorization.
Currently I am doing authorization based on roles. Same thing I can accomplish using Groups also. In claims I can return groups and create policies and do the authorization. If user is part of the group then I can authorize. I am trying to understand what advantage I will get using roles over the groups.
Currently I have dev, prod and non prod environments. But Azure AD is universal and for there is no environment for azure AD. So Is it a good idea to have separate application registered in azure ad between the environments or can I use same app registered in azure AD between the environments. If I create separate application for each environments what advantage I will get?
I am really trying to understand above concepts and can someone give me some insights on the above things? It will be really helpful to me If someone help me to understand this concepts. Any help would be greatly appreciated. Thank you
I would like to implement Password Credentials flow in ASP Net Core. The idea is we created a service account (user#{tenant}.onmicrosoft.com) with Global Administrator role where this will read information on users behalf.
I also created app in app registration page and resource owner user flow as mentioned here.
By following the instructions in this document to test my created ROPC, I encountered the error as shown in the screenshot below.
The application is created in the Azure AD B2C -> App Registrations and I don't know why my ROPC is not working.
I really appreciate your response. Thank you.
Make sure you have registered the application as mentioned in the document and the account type should be "Accounts in any organizational directory or any identity provider. For authenticating users with Azure AD B2C.".
For Testing Use the below Url and check the screenshot on how to pass the parameters
https://<tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/B2C_1_ROPC_Auth/oauth2/v2.0/token
I have a question regarding authentication in my web-app using Blazor WebAssembly ASP.NET Core hosted. The database used is Azure SQL.
I want to avoid storing passwords in the database and the users are therefore restricted to having a Microsoft-account (relevant to the project).
As of now, the user logs in with Azure AD as the third-party authentication provider. When redirected back to the web-app, a user is created with a claim which only consists of the Email from Azure. The user is directed to a registration page where the Email-input is set to the current user-claim email. When the user clicks the register button, the information provided is now stored in the database.
The problem is that I now have a user in the db, but the claim is still just the Email. I want to be able to use the AuthorizeView role tag on the different pages, and therefore wondered if its possible to update the claim with a role that the user specified in the registration-page? This data is at this point only stored in the database.
If this is a bad practice, is there any other similar way I could make this work?
To use the AuthorizeView role, roles claims should be return by your Identity provider (Azure AD in your case). Your application should ask those claims by asking the corresponding scope.
According to the doc : Permissions and consent in the Microsoft identity platform endpoint, the profile scope should return roles claims.
The doc Secure an ASP.NET Core Blazor WebAssembly standalone app with Azure Active Directory explains how to request scopes from Azure AD
I am writing an internal app where all the users are part of AD. I have the following steps to implement this. Is this correct?
Create Action filter to get all HTTP request to website and check in they are in the specific AD role needed (var isUserInRole = User.IsInRole("M2-ITU-PWApplicationDevelopers"))
If user is not in any of the application roles send user to error page
If user is in application role then Add users to SQL DB and link to Role table in DB so now I have the user/role data ready to use in DB along with other data
When user revisits check the database first before LDAP?
How do I set a cookie or something so that every request does not need through process once authenticated ?
Trying to understand the basics.. Maybe I am going about this all wrong ?
Use Windows Authentication. Your application need to be behind IIS to do it in ASP.NET Core 2.2 and lower, but starting ASP.NET Core 3.0 you can do it with Kestrel alone.
If you do that, you can skip steps 3 and 4. When a person is authenticated via Windows Authentication, the application gets a login token that contains all the security groups that the account is a member of. So User.IsInRole is pretty quick. There is no need to store that information in your own database.
You also don't need to worry about cookies.
The added benefit of Windows Authentication is that it can support seamless login: if your site is in the Trusted Sites in Internet Options, then IE and Chrome will automatically send the credentials of the user currently logged into Windows. The user doesn't have to type in their credentials.
Firefox uses its own network.negotiate-auth.delegation-uris setting for the same purpose.