
I created an Angular application with Implicit Grant Flow for authentication and a Web Api in .Net Core 3.1 following this tutorial: https://github.com/Azure-Samples/ms-identity-javascript-angular-spa-aspnetcore-webapi

The problem is: I need to return the roles and/or groups of the logged-in user within the Bearer token to authorize my API, but I am not able to do so.

I added the roles to the App Registrations Manifest here, added the claim 'groups' in the Token Configuration menu and set the "User assignment required?" as yes in my Enterprise App Configuration.

Even with all these configurations, I'm not able to return the roles/groups claims in the bearer token.

Example of the token the authentication returns:

    {
      "ver": "2.0",
      "iss": "https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0",
      "sub": "AAAAAAAAAAAAAAAAAAAAABTOBMzzWB5LS36oSmQMgyc",
      "aud": "ecb5e87f-6f34-4f05-8e8d-8d6149178926",
      "exp": 1597173984,
      "iat": 1597170084,
      "nbf": 1597170084,
      "name": "name",
      "preferred_username": "email@outlook.com",
      "oid": "00000000-0000-0000-fa54-d112egdce65a",
      "tid": "9188040d-6c67-4c5b-b112-36a304b643ad",
      "azp": "edeb4b7d-9cac-4f3b-a21d-ead77993689e",
      "scp": "access_as_user",
      "azpacr": "0",
      "aio": "DYNhHjG*PSY1ceuC11yaLYcLta8zh49iA!l2UCbCsH9QlaUkEHVQ4paQFRmb!qv7J6yTbAQItGWDgCW9UgUipz4Xnma*DOkFFDNIZ5lkffThD*ie91XMzZIoPhUPwNHOt5dLrw3VASE2WCvJfvDFOQk$"
    }

Am I doing something wrong? Is there any other way to authorize the logged user in a SPA Application, return the token with the roles and groups and send it to the Web Api?

FullMdM
  • I've faced this issue many times. Your API needs to retrieve the groups and include them in the token. – Thiago Custodio Aug 12 '20 at 19:27
  • Take a look at this: https://stackoverflow.com/a/60022121/1384539 – Thiago Custodio Aug 12 '20 at 19:28
  • You have to define the roles in the manifest JSON: App Registration / Manifest. Here is a (bit old) tutorial on how to create and assign roles: https://joonasw.net/view/defining-permissions-and-roles-in-aad – Zsolt Bendes Aug 12 '20 at 19:41
  • @ZsoltBendes I already added the roles to the Manifest and assigned them to the users, but they are not returned in the token after the login. – FullMdM Aug 12 '20 at 19:53
  • @ThiagoCustodio that link is not very helpful, as I am trying to retrieve the roles and groups from a SPA application and not from an ASP.NET MVC application. – FullMdM Aug 12 '20 at 19:55
  • @ThiagoCustodio it does not matter if it is a SPA or a server-side request. You can request a token from the client and from the server side as well. If you already have the code to fetch a token from AAD, you just need to edit the manifest and assign the user to the role. The token will have a new array with the roles in it. – Zsolt Bendes Aug 12 '20 at 20:09
  • Usually it will be empty, as a user can have multiple groups and the token has a fixed length. You need to query it from Azure AD. – Thiago Custodio Aug 12 '20 at 20:11
  • Please refer to this [sample](https://github.com/Azure-Samples/ms-identity-javascript-angular-spa-dotnetcore-webapi-roles-groups/tree/master/chapter1); it may help you. – Sruthi J Aug 12 '20 at 20:22
  • Hi, has this issue been resolved? Do you still need help? If my answer is helpful for you, you can accept it as the answer (click on the check mark beside the answer to toggle it from greyed out to filled in). See https://meta.stackexchange.com/questions/5234/how-does-accepting-an-answer-work. This can be beneficial to other community members. Thank you. – Allen Wu Aug 21 '20 at 06:42

2 Answers


You should add the App Role into the manifest of the service app (TodoListAPI) rather than the client app (TodoListSPA).

Don't forget to assign the App Role to the users.

This should be able to fix your issue.

Allen Wu

Hi. You need to go to Azure AD -> App registrations -> your app -> Token configuration -> Add groups claim -> then select the Security groups checkbox. Save. Then log out and log in again, and the groups should be in the token under "groups".
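As an added example that is not part of the question, the comments or either answer (and not code from the linked Microsoft sample), here is a small Node.js helper that decodes a token like the one in the question and reports whether the authorization claims the API relies on are present. It assumes Azure AD's claim names `roles` and `groups`, and, for the "too many groups" case raised in the comments, assumes the overage indicators `_claim_names`/`_claim_sources` and `hasgroups`; check those names against the tokens your tenant actually issues. The role name `TaskAdmin`, the group id and the `_claim_sources` endpoint are constructed test data. The helper only decodes the payload; it never verifies the signature, so it is a debugging aid for checking what a token carries, not something to base an authorization decision on.

```javascript
// Added example (not from the question, the answers, or the Microsoft sample):
// decode an Azure AD v2.0 access token and report which authorization claims it
// carries. Assumes the claim names "roles" and "groups" and, for the group
// overage case, the indicators "_claim_names"/"_claim_sources" and "hasgroups"
// (verify against your tenant's tokens). It does NOT verify the signature:
// use it to see what a token contains, never to authorize a request.

function base64UrlDecode(input) {
  // JWT segments are base64url without padding; restore standard base64 first.
  const base64 = input.replace(/-/g, "+").replace(/_/g, "/");
  const padded = base64 + "=".repeat((4 - (base64.length % 4)) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) {
    throw new Error("not a compact JWS: expected header.payload.signature");
  }
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Returns { roles, groups, groupsOverage, missingClaims }.
// `expected` lists the claims the API relies on; a claim listed there but absent
// from the token means the app registration / token configuration is not emitting it.
function reportAuthzClaims(token, expected = ["roles", "groups"]) {
  const payload = decodeJwtPayload(token);
  const strings = (v) => (Array.isArray(v) ? v.filter((x) => typeof x === "string") : []);
  const claimNames = payload._claim_names;
  // Overage: the groups list was too long, so the token carries a pointer instead
  // and the API must fetch membership from Microsoft Graph (assumed indicator names).
  const groupsOverage =
    payload.hasgroups === true ||
    (claimNames !== null && typeof claimNames === "object" && "groups" in claimNames);
  const missingClaims = expected.filter(
    (c) => !(c in payload) && !(c === "groups" && groupsOverage)
  );
  return { roles: strings(payload.roles), groups: strings(payload.groups), groupsOverage, missingClaims };
}

// Builds an unsigned (alg "none", empty signature) token for offline testing.
// Constructed test data only; real tokens from login.microsoftonline.com are signed.
function makeUnsignedToken(payload) {
  const enc = (o) =>
    Buffer.from(JSON.stringify(o)).toString("base64")
      .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(payload)}.`;
}

// 1. The shape of the token in the question: scp present, no roles/groups.
const tokenFromQuestion = makeUnsignedToken({
  ver: "2.0",
  aud: "ecb5e87f-6f34-4f05-8e8d-8d6149178926",
  scp: "access_as_user",
  preferred_username: "email@outlook.com",
});

// 2. What the token carries once an app role is defined on the API registration
//    and assigned to the user, and the groups claim is configured.
const tokenWithRolesAndGroups = makeUnsignedToken({
  ver: "2.0",
  aud: "ecb5e87f-6f34-4f05-8e8d-8d6149178926",
  scp: "access_as_user",
  roles: ["TaskAdmin"],                              // assumed role name
  groups: ["11111111-2222-3333-4444-555555555555"],  // constructed group id
});

// 3. The overage case from the comments: no "groups" array, only a pointer.
const tokenWithGroupOverage = makeUnsignedToken({
  ver: "2.0",
  aud: "ecb5e87f-6f34-4f05-8e8d-8d6149178926",
  scp: "access_as_user",
  roles: ["TaskAdmin"],
  _claim_names: { groups: "src1" },
  _claim_sources: { src1: { endpoint: "constructed-placeholder-endpoint" } },
});

for (const [label, t] of [
  ["question", tokenFromQuestion],
  ["roles+groups", tokenWithRolesAndGroups],
  ["overage", tokenWithGroupOverage],
]) {
  console.log(label, reportAuthzClaims(t));
}
```

Run with `node` after pasting a real token in place of the constructed ones: an empty `roles` array with `roles` listed under `missingClaims` means the role is not being emitted at all (the app role is on the wrong registration or not assigned), whereas `groupsOverage: true` means the configuration is correct but the API has to resolve membership from Microsoft Graph instead of reading it from the token.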