
I am developing an ASP.Net Core Web app with an AAD-B2C as LogIn-Provider. So users have to log in first to access the site --> Authentication.

Then, I want to evaluate what the user actually is allowed to access --> Authorization

I have a requirement that RBAC is used and the roles are handled NOT in any kind of AD, but in our own database which again is behind a REST API. So I went with my custom implementation of Microsoft.AspNetCore.Identity.IUserRoleStore<MyUser> to retrieve my users and roles from my REST API and registered that in Startup.ConfigureServices:

services.AddIdentity<MyUser, MyRole>();
services.AddTransient<IUserStore<MyUser>, MyUserStore>();
services.AddTransient<IUserRoleStore<MyUser>, MyUserStore>();

But now the default Authentication does not seem to work anymore (as MyUser is totally different from the ASP.Net default User, e.g. MyUser does not have User.Identity.IsAuthenticated). Also I can't see the site ever calling MyUserStore.IsInRoleAsync when I added a Razor directive like User.IsInRole("Admin").

Am I missing something? Is it not possible to "split" ASP.Net Core Identity to handle Authentication one way (AAD-B2C) and Authorization another way (custom Store) at the same time? Or am I just calling it in a wrong way?

Nasto

1 Answer


If you are using Azure AD B2C you need to have custom roles defined within your Azure AD and I am fairly certain that the situation you are describing is not supported. B2C does not include group claims in the token it sends to the application, but some workarounds are suggested here: Azure AD B2C - Role management

Marilee Turscak - MSFT

I don't try to get group claims from **AAD-B2C**. I only want to verify the user's identity (UPN). Then, I want to look up the user in my own database where I also store my own roles and the user-role associations. These roles shall then determine the user's authorizations, in a best case via **ASP.Net Core Identity** so I can use existing calls and annotations (i.e. `User.IsInRole("Admin")` to show or hide certain UI elements). – Nasto Sep 04 '18 at 13:24
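The reason `MyUserStore.IsInRoleAsync` is never called in the question's setup is that `User.IsInRole(...)` only inspects role claims already present on the `ClaimsPrincipal` that the OpenID Connect handler built from the B2C token; it does not consult any store. The following is an added example (not code from the question, the answer, or Microsoft) showing one way to attach roles from the poster's own database as claims through ASP.NET Core's `IClaimsTransformation`, so the B2C login stays the source of identity and the local database becomes the source of roles. `IRoleLookup` and `RestRoleLookup` are hypothetical names for the REST-backed role lookup; the example also assumes the B2C subject is surfaced as `ClaimTypes.NameIdentifier` after the handler's claim mapping.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical abstraction over the REST API that holds users, roles and their associations.
public interface IRoleLookup
{
    Task<IReadOnlyList<string>> GetRolesAsync(string userId);
}

// Runs after the OpenID Connect handler has authenticated the user against B2C.
// User.IsInRole only checks role claims on the principal, so roles kept in our own
// database must be added here as claims; the store is never consulted by IsInRole.
public sealed class DatabaseRoleClaimsTransformation : IClaimsTransformation
{
    private readonly IRoleLookup _roles;
    public DatabaseRoleClaimsTransformation(IRoleLookup roles) => _roles = roles;

    public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        // Work on a copy: the incoming principal should not be mutated in place.
        var clone = principal.Clone();
        var identity = clone.Identity as ClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated)
            return principal;

        // Assumption: key the role lookup on the stable subject identifier issued by B2C,
        // never on a mutable attribute such as display name or e-mail.
        var userId = identity.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (string.IsNullOrEmpty(userId))
            return principal;

        // TransformAsync may run more than once per request; skip roles already present.
        // Use the identity's own RoleClaimType so IsInRole and [Authorize(Roles=...)] match.
        var present = new HashSet<string>(
            identity.FindAll(identity.RoleClaimType).Select(c => c.Value));
        foreach (var role in await _roles.GetRolesAsync(userId))
            if (present.Add(role))
                identity.AddClaim(new Claim(identity.RoleClaimType, role,
                                            ClaimValueTypes.String, "local-role-db"));
        return clone;
    }
}

// Startup.ConfigureServices: keep the B2C AddAuthentication(...).AddOpenIdConnect(...) setup
// and register the transformation beside the hypothetical REST-backed IRoleLookup:
//   services.AddScoped<IRoleLookup, RestRoleLookup>();
//   services.AddTransient<IClaimsTransformation, DatabaseRoleClaimsTransformation>();
```

With this in place `User.IsInRole("Admin")` in Razor and `[Authorize(Roles = "Admin")]` both resolve against the roles fetched from the local database, while the issuer value on each added claim lets an audit distinguish locally granted roles from anything carried in the B2C token.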