RBAC Not Returning Roles in Bearer Token

  • Question

  • I'm using the Azure AD Basic tier with an ASP.NET Core API, and I've followed the RBAC sample. I've set up an application with roles in my manifest like so:

        "appRoles": [
          {
            "allowedMemberTypes": [ "User" ],
            "displayName": "Read Device",
            "id": "b2e6f6c2-c3d5-4721-ad49-0eea255ccf45",
            "isEnabled": true,
            "description": "Can read a device.",
            "value": "read_device"
          }
        ]

    I've set up my API to use the `UseJwtBearerAuthentication` middleware like so:

        app.UseJwtBearerAuthentication(new JwtBearerOptions()
        {
            AuthenticationScheme = "Azure Active Directory",
            Authority = options.Authority,
            Audience = options.ClientId,
            TokenValidationParameters = new TokenValidationParameters()
            {
                RoleClaimType = "roles",
                ValidateIssuer = false
            }
        });
    I've given my user the above 'Read Device' role:

    I'm using Swagger UI to make the call to get the auth token. It calls the following URL:

            &client_id=[Client ID]
            &resource=[Client ID]

    I suspected that I am not passing the correct values to the `scope` parameter, so I have tried asking for every `scope` I can think of:


    If I set `"groupMembershipClaims": "All"` in my manifest I can see group claims, but I want roles instead. I'm able to log in and call my API; however, I never get any roles back in my JWT token, so I'm unable to check the user's role. What am I doing wrong?

    Rehan Saeed

    Tuesday, March 14, 2017 12:10 PM
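A quick way to narrow this kind of problem down is to look at what the token the client actually received contains, rather than at what the middleware makes of it: whether there is a `roles` claim at all (the name `RoleClaimType = "roles"` maps), whether only `groups` came back, and which `aud` the token was issued for. The script below is an added diagnostic example, not code from the question or from the RBAC sample; the two tokens it inspects are constructed inline with a placeholder signature and a placeholder client id, so it runs offline. It only base64url-decodes the payload and does not verify the signature, so it is for inspection during debugging; authorization in the API still has to go through the principal produced by the validated bearer token.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url-encoded without padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_jwt_payload(token: str) -> dict:
    """Return the claims in the payload of a compact JWS (header.payload.signature).

    The signature is NOT verified here. This is a debugging aid to see which
    claims a token carries; never make an authorization decision on its output.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def diagnose_role_claims(token: str, role_claim_type: str = "roles") -> dict:
    """Summarise the claims relevant to an app-role check.

    role_claim_type mirrors TokenValidationParameters.RoleClaimType in the API:
    the middleware only populates roles from a claim with exactly this name.
    """
    claims = decode_jwt_payload(token)
    roles = claims.get(role_claim_type)
    groups = claims.get("groups")
    return {
        "aud": claims.get("aud"),
        "has_roles": isinstance(roles, list) and len(roles) > 0,
        "roles": list(roles) if isinstance(roles, list) else [],
        "has_groups": isinstance(groups, list) and len(groups) > 0,
    }


def has_role(token: str, role: str, role_claim_type: str = "roles") -> bool:
    """True if the (unverified) payload lists `role` under the role claim."""
    return role in decode_jwt_payload(token).get(role_claim_type, [])


def make_sample_token(payload: dict) -> str:
    # Constructed for this example only: real tokens are signed by Azure AD; here the
    # third segment is a placeholder so the string merely has the JWS shape.
    header = {"typ": "JWT", "alg": "RS256"}

    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    return f"{enc(header)}.{enc(payload)}.placeholder-signature"


# Constructed sample payloads. "<client-id-placeholder>" stands in for the API's
# client id; the role value matches the manifest entry from the question.
TOKEN_WITH_ROLES = make_sample_token({
    "aud": "<client-id-placeholder>",
    "upn": "user@example.com",
    "roles": ["read_device"],
})
TOKEN_GROUPS_ONLY = make_sample_token({
    "aud": "<client-id-placeholder>",
    "upn": "user@example.com",
    "groups": ["<group-object-id-placeholder>"],
})


if __name__ == "__main__":
    for label, token in (("with roles", TOKEN_WITH_ROLES), ("groups only", TOKEN_GROUPS_ONLY)):
        print(label, diagnose_role_claims(token))
        print("  read_device granted:", has_role(token, "read_device"))
```

If the report shows `has_groups` true and `has_roles` false, the token was issued without an app-role assignment taking effect for that audience, and no middleware setting will conjure the roles; if `roles` is present but the API still sees none, the mismatch is on the API side (`RoleClaimType`, or the `Audience` not matching `aud`).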

All replies