Implicit grant with ASP.net core 2 web API and SPA - asp.net-core

I have an Angular SPA front end which is backed by an ASP.NET Core 2 web API that sits in a different Azure Web App. This web API is locked down by Azure AD, and the AD tenant is the same for both the Angular app and the back-end API. I want all users in the Azure AD tenant to be able to access the front end and back-end API. However, a few users need to have specific permissions to do certain things (create/update).
I can create an app registration in Azure AD and use the same app registration for both the SPA and the back-end API, and then use ADAL.js in the SPA to get an access token and ID token and pass these to the back-end web API. What I am not sure about is: will the user's roles flow in the claims to the web API? I am planning to add users to specific application roles.

Roles will be in the id token if the user has roles on the app they are signing into.
With SPAs registered as Native apps, you basically can't have roles since the user is in full control of the front-end anyway.
Roles will be in the access token if the user has roles on that API.
Two options that you have:
1. Use the same app registration like you said. Assign the user roles on that app, and they will be in the Id token. Then you use the Id token to call the API, and it can see the roles as well.
2. Assign the user roles on the API, and inspect their roles by decoding the access token in the front-end.
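Added example, not code from the answer above: the API side of the first option, an ASP.NET Core 2.x Startup that validates the Azure AD bearer token and authorizes create/update calls on an app role. The tenant id, the registration's client id, and the role name "Writer" are placeholders.

```csharp
// Added example, not from the original answer: Startup of an ASP.NET Core 2.x web API that
// validates Azure AD bearer tokens (v1 endpoint, as issued via ADAL.js) and authorizes
// create/update calls on an app role. TenantId, ApiClientId and the "Writer" role are placeholders.
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    private const string TenantId = "<tenant-id>";        // placeholder
    private const string ApiClientId = "<api-client-id>"; // placeholder: Application (client) ID of the registration

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // Signing keys and the expected issuer are discovered from the tenant's OpenID metadata.
                options.Authority = $"https://login.microsoftonline.com/{TenantId}";
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    // Only tokens minted for this registration are accepted; a token for any other
                    // app in the same tenant is rejected even though its signature is valid.
                    ValidAudience = ApiClientId,
                    ValidateIssuer = true,   // issuer value comes from the metadata document
                    ValidateLifetime = true
                };
                // The JWT handler's default inbound claim map turns the "roles" JWT claim into
                // ClaimTypes.Role, which is what RequireRole and [Authorize(Roles = ...)] inspect.
            });

        services.AddAuthorization(options =>
        {
            // Everyone in the tenant may read; only users assigned the Writer app role may write.
            options.AddPolicy("CanWrite", policy => policy.RequireRole("Writer"));
        });

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication(); // must precede MVC so HttpContext.User is populated from the token
        app.UseMvc();
    }
}

[Route("api/[controller]")]
[Authorize] // any authenticated user of the tenant
public class ItemsController : Controller
{
    [HttpGet]
    public IActionResult Get() => Ok(new[] { "item-1", "item-2" });

    [HttpPost]
    [Authorize(Policy = "CanWrite")] // 403 Forbidden for a signed-in user without the Writer role
    public IActionResult Create([FromBody] string name) => Created($"api/items/{name}", name);
}
```

App roles are declared in the registration's manifest and assigned to users under Enterprise applications; once assigned they appear in the token's `roles` claim. Hiding buttons in the SPA based on the decoded token (the answer's second option) is a convenience for the user; the check the API performs is the one that counts, since the front-end runs under the user's control.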

Related

Xamarin forms with Azure AD B2C getting 401 Unauthorized while calling web api

I have implemented Azure B2C authentication in Xamarin using the Microsoft.Identity.Client NuGet package.
After a successful login it returns me an Id_Token, and if I use this Id token to call the web API then I get the Unauthorized 401 error. I'm using this scope:
https://{TenatName}.onmicrosoft.com/api/Read.All
You need to create two applications in the Azure AD B2C portal, one representing the client application and the other representing the api application, then use the user to log in to the client application, and use the client application to access the api application.
First, you need to expose the api of the api application:
Next, go to the client application, add the scope exposed by the api application to the client application (you can find your exposed api permissions in My APIs), so that the client can access the api, and then grant the admin consent for the permission.
Finally, I use the ROPC user flow to obtain the token.
Parse the token:

User roles in Azure B2C application

I am building an ASP.NET Core web API project, with an Angular client for the front-end. We are using Azure B2C as our IdP server (for registration, authentication and related topics). So far the experience is great.
The issue we are having right now is that we are trying to add an 'admin' role to some of our users, who will be allowed to reach some endpoints of our web API and do some operations that normal users won't be allowed to.
Since we are using ASP.NET 5 web API for our back-end, in a normal environment this would be done through the [Authorize (Role = "Admin")] attribute; however, in Azure B2C it seems not a straightforward thing to do.
Right now, we need 2 types of user roles: User role and Admin role.
Does anyone know how to add user roles in an Azure B2C app, and then protect the back-end API endpoints for those roles?
Thank you!
There is no out-of-the-box support for RBAC / Roles in Azure AD B2C. However there are a lot of samples in the official GitHub repository. For example the "Implementing Relying Party Role Based Access Control" or "User consent for API Scopes".
These are the ways to implement RBAC using Azure AD B2C.
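Added example, not code from the answer or from the Microsoft samples it names: the "relying party" flavour of RBAC that the answer points to, done in the API with an IClaimsTransformation. Because B2C issues no role claims, the API maps the caller's object id to roles it keeps itself and adds them after token validation. The in-memory store and the object id in it are constructed stand-ins for a database table.

```csharp
// Added example, not from the original answer: relying-party RBAC for Azure AD B2C.
// B2C issues no role claims, so the API maps the caller's object id (the "oid" claim)
// to roles kept in its own store and adds them to the principal after token validation.
// InMemoryUserRoleStore and the object id it contains are constructed stand-ins for a database.
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public interface IUserRoleStore
{
    Task<IReadOnlyList<string>> GetRolesAsync(string objectId);
}

public class InMemoryUserRoleStore : IUserRoleStore
{
    // Constructed sample data: one B2C user (by oid) who is an admin.
    private static readonly Dictionary<string, string[]> Roles = new Dictionary<string, string[]>
    {
        ["00000000-0000-0000-0000-000000000001"] = new[] { "Admin" }
    };

    public Task<IReadOnlyList<string>> GetRolesAsync(string objectId)
    {
        Roles.TryGetValue(objectId, out var roles);
        return Task.FromResult<IReadOnlyList<string>>(roles ?? new string[0]);
    }
}

public class StoreRoleClaimsTransformation : IClaimsTransformation
{
    // The JWT handler's default inbound map renames "oid" to this URI; the raw name is
    // checked too in case inbound mapping has been switched off.
    private const string ObjectIdUri = "http://schemas.microsoft.com/identity/claims/objectidentifier";
    private readonly IUserRoleStore _store;

    public StoreRoleClaimsTransformation(IUserRoleStore store) => _store = store;

    public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        var identity = principal.Identity as ClaimsIdentity;
        // Anonymous callers get nothing. The transformation can run more than once per request,
        // and B2C tokens carry no role claims, so an existing role claim means it already ran.
        if (identity == null || !identity.IsAuthenticated || identity.HasClaim(c => c.Type == identity.RoleClaimType))
            return principal;

        var oid = principal.FindFirst(ObjectIdUri)?.Value ?? principal.FindFirst("oid")?.Value;
        if (oid == null)
            return principal;

        // Work on a copy rather than mutating the principal the handler produced.
        var result = principal.Clone();
        var resultIdentity = (ClaimsIdentity)result.Identity;
        resultIdentity.AddClaim(new Claim(resultIdentity.RoleClaimType, "User")); // every signed-in user
        foreach (var role in await _store.GetRolesAsync(oid))
            resultIdentity.AddClaim(new Claim(resultIdentity.RoleClaimType, role));
        return result;
    }
}

public static class RoleServiceCollectionExtensions
{
    // Call from Startup.ConfigureServices after AddAuthentication().AddJwtBearer(...) for B2C.
    public static IServiceCollection AddStoreBackedRoles(this IServiceCollection services) =>
        services.AddSingleton<IUserRoleStore, InMemoryUserRoleStore>()
                .AddTransient<IClaimsTransformation, StoreRoleClaimsTransformation>();
}

[Route("api/[controller]")]
public class AdminController : Controller
{
    [HttpGet("stats")]
    [Authorize(Roles = "Admin")] // users who only hold the "User" role receive 403
    public IActionResult Stats() => Ok("admin-only data");
}
```

The lookup runs on every authenticated request, so keep the query cheap or cache it. A side effect worth knowing: because the role now lives in the API's own table rather than in the token, revoking a user's admin role takes effect on their next request instead of waiting for the token to expire.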

asp.net core authentication jwt/identity

I was searching about authentication.
I found out that JWT is used to authenticate the website/app to access the web API,
but when I want to authenticate users, should I use JWT or Identity?
Example scenario:
I have a frontend website and a web API for database communication,
and on the website I have users, admin, owner (three types of users with three types).
For the website to access the web API I will use the JWT, but when I want to authorise users, which authentication should I use?
My logic says the website will have access to the database using the web API with JWT, then check the users and claims and handle the users' authentication with Identity. Am I right?
thanks
I think you are looking for Identity User:
https://learn.microsoft.com/en-us/aspnet/core/security/authentication/identity?view=aspnetcore-3.1&tabs=visual-studio
You also want to integrate with Roles:
https://learn.microsoft.com/en-us/aspnet/core/security/authorization/roles?view=aspnetcore-3.1
This works really great with Entity Framework Core.
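Added example, not code from the answer above or from the linked docs: a login endpoint that checks the user with ASP.NET Core Identity and issues a JWT carrying the user's Identity roles, so the web API can authorize with [Authorize(Roles = "...")]. The signing secret, issuer and audience are placeholders.

```csharp
// Added example, not from the original answer: ASP.NET Core Identity verifies the user and
// their roles; a JWT is then issued for calls to the web API, which authorizes on the role
// claim. The signing secret, issuer and audience below are placeholders.
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.IdentityModel.Tokens;

public class LoginRequest
{
    public string UserName { get; set; }
    public string Password { get; set; }
}

[Route("api/[controller]")]
public class AuthController : Controller
{
    private readonly UserManager<IdentityUser> _users;
    private readonly SignInManager<IdentityUser> _signIn;
    // Placeholder secret: load it from configuration or a key vault, never from source.
    private static readonly SymmetricSecurityKey SigningKey =
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes("<32-or-more-byte secret from configuration>"));

    public AuthController(UserManager<IdentityUser> users, SignInManager<IdentityUser> signIn)
    {
        _users = users;
        _signIn = signIn;
    }

    [HttpPost("login")]
    [AllowAnonymous]
    public async Task<IActionResult> Login([FromBody] LoginRequest req)
    {
        var user = await _users.FindByNameAsync(req.UserName);
        if (user == null) return Unauthorized();
        // lockoutOnFailure: true makes failed attempts count toward Identity's lockout policy.
        var result = await _signIn.CheckPasswordSignInAsync(user, req.Password, lockoutOnFailure: true);
        if (!result.Succeeded) return Unauthorized();

        var claims = new List<Claim>
        {
            new Claim(JwtRegisteredClaimNames.Sub, user.Id),
            new Claim(JwtRegisteredClaimNames.UniqueName, user.UserName)
        };
        // The user's Identity roles (user / admin / owner) become role claims in the token.
        foreach (var role in await _users.GetRolesAsync(user))
            claims.Add(new Claim(ClaimTypes.Role, role));

        var token = new JwtSecurityToken(
            issuer: "https://example.invalid/",      // placeholder; must match the API's ValidIssuer
            audience: "example-api",                 // placeholder; must match the API's ValidAudience
            claims: claims,
            expires: DateTime.UtcNow.AddMinutes(30), // short-lived: a revoked role stops applying at expiry
            signingCredentials: new SigningCredentials(SigningKey, SecurityAlgorithms.HmacSha256));

        return Ok(new { access_token = new JwtSecurityTokenHandler().WriteToken(token) });
    }
}

[Route("api/[controller]")]
public class OwnerController : Controller
{
    [HttpGet("report")]
    [Authorize(Roles = "owner")] // the role in the validated token decides, not the front-end
    public IActionResult Report() => Ok("owner-only data");
}
```

The API that receives this token validates it with the same key, issuer and audience through AddJwtBearer; the roles Identity stores for the user then drive [Authorize(Roles = "...")] on the API side, which is the split the question describes (Identity for users, JWT for website-to-API calls).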

Authorizing by updating Claim with data from database (Blazor WebAssembly ASP.NET Core hosted)

I have a question regarding authentication in my web-app using Blazor WebAssembly ASP.NET Core hosted. The database used is Azure SQL.
I want to avoid storing passwords in the database and the users are therefore restricted to having a Microsoft-account (relevant to the project).
As of now, the user logs in with Azure AD as the third-party authentication provider. When redirected back to the web-app, a user is created with a claim which only consists of the Email from Azure. The user is directed to a registration page where the Email-input is set to the current user-claim email. When the user clicks the register button, the information provided is now stored in the database.
The problem is that I now have a user in the DB, but the claim is still just the Email. I want to be able to use the AuthorizeView role tag on the different pages, and therefore wondered if it's possible to update the claim with a role that the user specified on the registration page? This data is at this point only stored in the database.
If this is a bad practice, is there any other similar way I could make this work?
To use the AuthorizeView role, role claims should be returned by your identity provider (Azure AD in your case). Your application should ask for those claims by requesting the corresponding scope.
According to the doc Permissions and consent in the Microsoft identity platform endpoint, the profile scope should return role claims.
The doc Secure an ASP.NET Core Blazor WebAssembly standalone app with Azure Active Directory explains how to request scopes from Azure AD.
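Added example, not code from the answer above or from the linked doc: the Program.cs of a Blazor WebAssembly client that signs in with Azure AD through MSAL, requests the scopes it needs, and tells the authentication state provider which claim carries roles so that <AuthorizeView Roles="..."> sees them. The tenant id, client id and API scope are placeholders; App is the App.razor root component of the standard template.

```csharp
// Added example, not from the original answer: Blazor WebAssembly Program.cs using the
// Microsoft.Authentication.WebAssembly.Msal package. Tenant id, client id and the API
// scope are placeholders; App is the root component from the project template.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Components.WebAssembly.Hosting;
using Microsoft.Extensions.DependencyInjection;

public class Program
{
    public static async Task Main(string[] args)
    {
        var builder = WebAssemblyHostBuilder.CreateDefault(args);
        builder.RootComponents.Add<App>("app");

        builder.Services.AddMsalAuthentication(options =>
        {
            // Placeholders: substitute the values from your app registration.
            options.ProviderOptions.Authentication.Authority = "https://login.microsoftonline.com/<tenant-id>";
            options.ProviderOptions.Authentication.ClientId = "<client-id>";
            options.ProviderOptions.Authentication.ValidateAuthority = true;

            // "openid" and "profile" are requested by default at sign-in; the access token
            // scope for the hosted server API is added explicitly (placeholder value).
            options.ProviderOptions.DefaultAccessTokenScopes.Add("api://<server-api-client-id>/API.Access");

            // Azure AD app roles arrive in the "roles" claim; without this mapping
            // AuthorizeView Roles and [Authorize(Roles = "...")] look at the wrong claim.
            options.UserOptions.RoleClaim = "roles";
        });

        await builder.Build().RunAsync();
    }
}
```

Two caveats for this approach. When a user is assigned more than one app role, Azure AD sends the claim as a JSON array, and the default account factory keeps it as one string; Microsoft's Blazor docs show a custom AccountClaimsPrincipalFactory that splits it into individual role claims. And the client-side role check only affects what is rendered; the hosted server API must still validate the token and enforce the same roles, because the WebAssembly code runs on the user's machine.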

Web app ClaimsIdentity in Webapi

I've created an MVC web application that uses OpenID to authenticate with Azure AD and get the claims along with the token. I'm interfacing with a Web API to do the business transactions. The Web API is configured for OAuth bearer tokens.
I've created separate OAuth clients in Azure AD for the Web App and the Web API. I'm able to get a token for the Web API from the MVC controller using AuthenticationContext to send the request to the Web API. I need to know how I can send the current user's claims as well to the Web API. The claims in the Web API do not include the claims of the user from the Web App.
Let me provide a bit more context here. I've created a MVC Web Application and a Web Api layer. The MVC Web App is configured to use OpenID authentication using Azure AD and I've configured the Web Api layer to authorize using OAuth Bearer tokens. The actions in the Web Api layer will be called through ajax requests and the bearer token will be added to the header of each Ajax requests. When the User is authenticated in the Web App, additional claims are added to the User on top of the claims from Azure Ad. I'm able to create a token for the Web Api layer using AuthenticationContext.AcquireToken, but the token for Web Api does not have the User info from the Web App.
I'm taking a wild stab in the dark here, based on what I think is happening.
Claims are attached to the user, so theoretically any claim you add in one place should be available in the other, as long as both applications share the same user datastore. However, claims are loaded at the point of authentication and not dynamically updated. As a result, if you're already logged in to the web application and you add a claim with your Web API, that claim will not be available on the web application side until the user is re-authenticated.