
I have a WPF desktop app which connects to an Azure registered app. Within that registered app I have created App roles. Then, within an Azure Enterprise App, I add a user with one of the app roles created in the app registration. However, I can't figure out how to use this app role. I can't seem to access the role from the JWT token returned during authentication nor can I seem to use the role to modify access in Azure.

How can I use the app role to modify access?

Intensivist
  • Please provide details about how you define your app role and how you assign it to a user and what is the decoded result of the id token if my answer doesn't solve your issue. – Allen Wu May 27 '21 at 01:50

1 Answer


Firstly, your WPF app doesn't call any APIs (an official API or your own Web API) based on your description.

And you define the app role in the app registration which represents your WPF app. We can call it the client-side app, although there is no service-side app here.

So in this case, the app role should exist in the id token (not the access token).

You need to parse the id token in your code and find the app roles and then verify them.


There is another situation where you are actually calling some kind of API, but you did not mention it in the post.

In this case I think you want to get and verify the app role from the access token. We need to define the app role in the app registration which represents the service-side app.

Here again there are two situations.

One is that you are calling an official API, such as the Microsoft Graph API. This situation will not allow you to set the app role on the service side because we do not have the permission to change the official Microsoft Graph app registration. You need to take advantage of app roles from id token as introduced above. But usually we don't control the permissions like this because Microsoft Graph has its own permission control method.

The second is that you are calling your own Web API hosted on Azure. We call it an AAD protected Web API. In this case you need to create an app registration which represents your Web API by following Protected web API: App registration, define the app role in this app registration, and assign the app role in the enterprise application which is associated with this app registration.

After that you can get the app roles in access token and verify them by following Protected web API: Verify scopes and app roles.


Although I have explained all these situations, this may not solve your issue.

It looks like your situation is the first one. You can first decode your id token in https://jwt.ms to determine whether app roles exist.

Allen Wu
  • Thanks. So, I did not mention it but I do make a call to my own web api within the same tenant. My client side WPF app gets an AuthenticationResult which has both an IdToken and AccessToken. I then make a call to the web api with the AccessToken. I will read the two links you suggested in "Protected Web API". You suggested parsing the IdToken. From the client side, I don't see a way to get to the Roles as the IdToken is of course not readable. There may be a function (like for the api) to verify a role within the IdToken? – Intensivist May 27 '21 at 12:03
  • This https://jwt.ms was very illuminating but I would like to be able to do this in my client side code. From there I'll tackle the web api – Intensivist May 27 '21 at 12:13
  • @Intensivist If you have your own web api, you should verify the app role from **access token**. I don't think you need to parse the id token from client side. But if you insist, you can refer to [this answer](https://stackoverflow.com/questions/38340078/how-to-decode-jwt-token?answertab=votes#tab-top) (using C#). It should apply to access token and id token. – Allen Wu May 27 '21 at 12:53
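Added example (not code from the question, the answer, or any Microsoft library): the client-side part of the answer, reading the `roles` claim out of the id token that MSAL returns in `AuthenticationResult.IdToken`. It assumes the `System.IdentityModel.Tokens.Jwt` NuGet package and an app role named `Task.Read` (a constructed name) defined on the WPF app registration. The decode here is deliberately unvalidated: the WPF client only uses the roles to shape its UI, and a client can never enforce access on its own, so the check that matters is the one the Web API does on the access token (second example below).

```csharp
// Added example: decode an Azure AD id token on the WPF client and list app roles.
// Assumes the System.IdentityModel.Tokens.Jwt package and a constructed role
// name "Task.Read". The token is read, not validated: signature validation
// belongs in the Web API, which is the only place a role can be enforced.
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;

public static class AppRoleReader
{
    // Returns every value of the token's "roles" claim. Azure AD emits one
    // "roles" claim per app role assigned to the signed-in user; the claim
    // is absent entirely when the user has no assignment, so check for that
    // (and decode at https://jwt.ms) before assuming a bug in the code.
    public static IReadOnlyList<string> ReadAppRoles(string jwt)
    {
        var handler = new JwtSecurityTokenHandler();
        if (!handler.CanReadToken(jwt))
            throw new ArgumentException("Not a well-formed JWT.", nameof(jwt));

        // ReadJwtToken parses header and payload only; no signature check.
        JwtSecurityToken token = handler.ReadJwtToken(jwt);
        return token.Claims
            .Where(c => c.Type == "roles")
            .Select(c => c.Value)
            .ToList();
    }

    // Ordinal comparison: app role values are case-sensitive identifiers.
    public static bool HasAppRole(string jwt, string role) =>
        ReadAppRoles(jwt).Contains(role, StringComparer.Ordinal);
}

// Usage in the WPF client, after MSAL has signed the user in:
//   AuthenticationResult result = await pca.AcquireTokenInteractive(scopes).ExecuteAsync();
//   IReadOnlyList<string> roles = AppRoleReader.ReadAppRoles(result.IdToken);
//   if (AppRoleReader.HasAppRole(result.IdToken, "Task.Read"))
//   {
//       // enable the read-only view; the API still re-checks the role server-side
//   }
```

If `ReadAppRoles` returns an empty list for a user who should have a role, the usual causes are the role being defined on a different app registration than the one the client signs in to, or the user not being assigned in the enterprise application, exactly the two points the answer asks to confirm.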
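Added example (not code from the post or from Microsoft.Identity.Web itself): the server-side part of the answer, an ASP.NET Core Web API that validates the access token the WPF client sends and enforces an app role. It assumes the `Microsoft.Identity.Web` NuGet package, an `AzureAd` section in `appsettings.json` (`Instance`, `TenantId`, `ClientId` of the API's own app registration), and an app role named `Task.Read` (a constructed name) defined on the API's app registration and assigned to the user in the matching enterprise application, as the "Protected web API" links in the answer describe.

```csharp
// Added example: ASP.NET Core Web API enforcing an Azure AD app role.
// Assumes Microsoft.Identity.Web, an "AzureAd" config section for the API's
// own app registration, and a constructed role name "Task.Read".
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

// Validates issuer, audience (the API's client id / App ID URI), lifetime and
// signature against the tenant's published signing keys. Microsoft.Identity.Web
// maps the token's "roles" claim to the role claim type, so [Authorize(Roles=...)]
// and User.IsInRole() work without custom claim handling.
builder.Services.AddMicrosoftIdentityWebApiAuthentication(builder.Configuration, "AzureAd");
builder.Services.AddControllers();

var app = builder.Build();
app.UseAuthentication();   // must precede UseAuthorization
app.UseAuthorization();
app.MapControllers();
app.Run();

[ApiController]
[Route("api/[controller]")]
[Authorize]                // any valid token gets this far; roles narrow it below
public class TasksController : ControllerBase
{
    // Declarative check: callers without the "Task.Read" app role in their
    // access token receive 403 from the authorization middleware.
    [HttpGet]
    [Authorize(Roles = "Task.Read")]
    public IActionResult Get() =>
        Ok(new[] { "task-1", "task-2" });   // constructed sample payload

    // Imperative check, the form the "Verify scopes and app roles" doc shows:
    // ValidateAppRole throws when the role is missing, producing a 401/403
    // response instead of running the action body.
    [HttpPost]
    public IActionResult Create()
    {
        HttpContext.ValidateAppRole("Task.Write");   // constructed role name
        return Created("api/tasks/task-3", new { id = "task-3" });
    }
}
```

The client obtains a token for this API by requesting a scope exposed by the API's app registration (for example `api://<api-client-id>/access_as_user`, a placeholder) rather than a Microsoft Graph scope; a Graph access token carries Graph's audience and will fail audience validation here, which matches the answer's point that roles for an official API cannot be controlled this way.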