
I have a React app as my client app and an ASP.NET API as my API. I have managed to integrate Azure AD B2C login into my client app. I can attach the acquired access token (from Azure AD B2C) to a request that will be sent to my API, and this works fine. I have access to my API and can use the resources in it.

    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Authorization;
    using Microsoft.AspNetCore.Mvc;

    [Authorize]                 // any caller with a valid B2C access token is allowed in
    [Route("[Controller]")]
    [ApiController]
    public class StudentController : Controller
    {
        [HttpPost]
        public async Task<IActionResult> CreateStudent([FromBody] CreateModel model)
        {
            // some functions...
            return Ok();
        }
    }

But my question is how I can restrict/authorize the users by claims/user group to have access to my API. I know that I can't use application/user roles in Azure AD B2C, but there may be other solutions using claims and/or user groups. I really appreciate any help :)

mohandes
About the custom claims during sign-up (first point), I should say that I want to authorize a user based on what is decided in Azure AD B2C, not by the user, who when signing up can write anything for the role. In that case every user is able to choose, for example, admin/manager as the role, which is not my goal. – mohandes Feb 28 '22 at 14:40

1 Answer


Please check if the points below can give an idea to work with.

You can try to add custom attributes in AAD B2C. Later, check custom claims in Azure AD B2C, where the consumer can select the required roles during the signup process, which are later returned in the token. Please refer to the documentation for more details.

If not, one may need to get group member claims from the Microsoft Graph API in code configuration and try to form the backend API token in code by retrieving from Graph and then authorize. Something like below (see references for further details) in the Startup class ConfigureServices method.

e.g. Role-based-Authorization - denious/Azure-B2C (github.com)

    using System.Security.Claims;
    using Microsoft.AspNetCore.Authentication.JwtBearer;
    using Microsoft.Extensions.DependencyInjection;

    // Assumed placement: a JwtBearer OnTokenValidated handler registered in ConfigureServices,
    // so this runs once per validated access token. Services are resolved from the request
    // scope here instead of the linked sample's _serviceProvider field.
    options.Events.OnTokenValidated = async context =>
    {
        var identity = (ClaimsIdentity)context.Principal.Identity;

        // get authenticated user ID
        var subjectId = identity.FindFirst(ClaimTypes.NameIdentifier).Value;

        // query user roles (MSGraphClient is the linked sample's own Graph wrapper, not a library type)
        var client = context.HttpContext.RequestServices.GetRequiredService<MSGraphClient>();
        var roles = await client.GetUserRolesAsync(subjectId);

        // add roles to identity's claims collection with the right type
        foreach (var role in roles)
        {
            var roleClaim = new Claim(identity.RoleClaimType, role);
            identity.AddClaim(roleClaim);
        }
    };

Please check the references below for workarounds.

  1. Authorize By Group in AAD B2C - Stack Overflow or Azure AD B2C - Role management - Stack Overflow

  2. Add claims into token Azure B2C - Stack Overflow

  3. Using custom claims for Azure AD B2C roles - DEV Community

kavyaS
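A fuller version of the group-based approach the answer sketches, as an added example (not the linked sample's code): group membership is looked up server-side and mapped to a role claim, so a caller cannot self-assign a role through a signup attribute, which is the concern raised in the comment above. It assumes Microsoft.Identity.Web, an "AzureAdB2C" configuration section, and a hypothetical IGroupLookup service backed by Microsoft Graph; the admin group id is a placeholder.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);
// Validate B2C access tokens (issuer, audience, signing keys) from the "AzureAdB2C" config section.
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAdB2C"));
// builder.Services.AddScoped<IGroupLookup, YourGraphLookup>();  // register your Graph-backed implementation
builder.Services.AddScoped<IClaimsTransformation, GroupsToRolesTransformation>();
builder.Services.AddAuthorization(o => o.AddPolicy("AdminsOnly", p => p.RequireRole("Admin")));
builder.Services.AddControllers();
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();   // put [Authorize(Policy = "AdminsOnly")] on StudentController
app.Run();

// Hypothetical lookup: resolves the caller's B2C object id to the directory group ids it belongs to.
public interface IGroupLookup { Task<string[]> GetGroupIdsAsync(string objectId); }

// Runs after the token is validated; maps directory groups to role claims so that membership
// decided in the tenant, not a self-asserted signup attribute, drives authorization.
public sealed class GroupsToRolesTransformation : IClaimsTransformation
{
    private const string AdminGroupId = "<admin-group-object-id>"; // placeholder, from your tenant
    private readonly IGroupLookup _groups;
    public GroupsToRolesTransformation(IGroupLookup groups) => _groups = groups;

    public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        var identity = principal.Identity as ClaimsIdentity;
        // B2C emits "oid"; the JWT handler may map it to the long URI name, so check both.
        var oid = principal.FindFirst("oid")?.Value
               ?? principal.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier")?.Value;
        if (identity is null || oid is null || identity.HasClaim(c => c.Type == identity.RoleClaimType))
            return principal; // anonymous, no subject, or already transformed on this request

        foreach (var groupId in await _groups.GetGroupIdsAsync(oid))
            if (groupId == AdminGroupId)
                identity.AddClaim(new Claim(identity.RoleClaimType, "Admin"));
        return principal;
    }
}
```

The transformation runs on every authenticated request, so the Graph lookup should be cached per user for a short time; if it fails, the caller simply gets no role claim and the policy denies access.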