RBAC Not Returning Roles in Bearer Token

    Question

  • I'm using the Azure AD Basic tier with an ASP.NET Core API, I've followed the RBAC sample. I've set up an application with roles in my manifest like so:

        "appRoles": [
            {
              "allowedMemberTypes": [ "User" ],
              "displayName": "Read Device",
              "id": "b2e6f6c2-c3d5-4721-ad49-0eea255ccf45",
              "isEnabled": true,
              "description": "Can read a device.",
              "value": "read_device"
            },
            ...
        ]


    I've set up my API to use the `UseJwtBearerAuthentication` middleware like so:

        application.UseJwtBearerAuthentication(
            new JwtBearerOptions()
            {
                AuthenticationScheme = "Azure Active Directory",
                Authority = options.Authority,
                Audience = options.ClientId,
                TokenValidationParameters = new TokenValidationParameters()
                {
                    // Treat the token's "roles" claim as the role claim, so
                    // [Authorize(Roles = ...)] and User.IsInRole() look at it.
                    RoleClaimType = "roles",
                    // The issuer is not checked, so tokens issued for this
                    // audience by any Azure AD tenant are accepted.
                    ValidateIssuer = false
                }
            });
    I've given my user the above 'Read Device' role:



    I'm using Swagger UI to make the call to get the auth token. It calls the following URL:

        https://login.microsoftonline.com/[Tenant].onmicrosoft.com/oauth2/authorize?
            response_type=token
            &redirect_uri=http%3A%2F%2Flocalhost%3A5100%2Fswagger%2Fo2c.html
            &realm=-
            &client_id=[Client ID]
            &scope=http%3A%2F%2Fschemas.microsoft.com%2Fws%2F2008%2F06%2Fidentity%2Fclaims%2Frole
            &state=oauth2
            &resource=[Client ID]


    I suspected that I was not passing the correct values to the `scope` parameter, so I have tried asking for every `scope` I can think of:

        &scope=openid
            %20email
            %20profile
            %20offline_access
            %20user_impersonation
            %20roles
            %20http%3A%2F%2Fschemas.microsoft.com%2Fws%2F2008%2F06%2Fidentity%2Fclaims%2Frole
            %20read_device


    If I set `"groupMembershipClaims": "All"` in my manifest I can see group claims, but I want roles instead. I'm able to log in and call my API; however, I never get any roles back in my JWT token, so I'm unable to check the user's role. What am I doing wrong?

    Rehan Saeed



    Tuesday, March 14, 2017 12:10 PM
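The first thing to establish for a question like the one above is which claims the token returned to Swagger UI actually contains, independently of what the middleware does with them. The helper below is an added example, not code from the original post: it decodes a compact JWT payload without verifying the signature (so it is a diagnostic tool only and must never be used to make an authorization decision), reports whether a `roles` or `groups` claim is present, and mirrors the check that `[Authorize(Roles = "read_device")]` performs once `RoleClaimType = "roles"` is set. The two tokens it inspects are constructed, unsigned samples (`alg` `none`, a placeholder client ID and group GUID), not real Azure AD output; a token pasted from Swagger UI can be passed to `diagnose()` in the same way.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned JWT (alg 'none') for offline inspection only."""
    header = {"alg": "none", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    return ".".join([_b64url_encode(compact(header)), _b64url_encode(compact(claims)), ""])


def decode_claims(token: str) -> dict:
    """Decode the payload of a JWT WITHOUT verifying its signature.

    Use this only to look at what the token carries; the middleware's
    validated ClaimsPrincipal is the only thing an API may authorize on.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def role_claims(claims: dict, role_claim_type: str = "roles") -> list:
    """Return the role values as a list; the claim may be one string or an array."""
    value = claims.get(role_claim_type)
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def diagnose(token: str) -> dict:
    """Summarise the claims relevant to the question: audience, roles and groups."""
    claims = decode_claims(token)
    return {
        "aud": claims.get("aud"),
        "has_roles": "roles" in claims,
        "roles": role_claims(claims),
        "has_groups": "groups" in claims,
    }


def is_in_role(token: str, required: str) -> bool:
    """The check [Authorize(Roles = required)] effectively makes with RoleClaimType = 'roles'."""
    return required in role_claims(decode_claims(token))


# Constructed sample tokens (placeholder IDs, not real Azure AD output).
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
TOKEN_WITH_ROLES = make_unsigned_jwt({
    "aud": CLIENT_ID,
    "upn": "alice@contoso.onmicrosoft.com",
    "roles": ["read_device"],
})
TOKEN_GROUPS_ONLY = make_unsigned_jwt({
    "aud": CLIENT_ID,
    "upn": "alice@contoso.onmicrosoft.com",
    "groups": ["11111111-2222-3333-4444-555555555555"],
})

if __name__ == "__main__":
    for name, token in (("with roles", TOKEN_WITH_ROLES), ("groups only", TOKEN_GROUPS_ONLY)):
        print(name, diagnose(token), "read_device:", is_in_role(token, "read_device"))
```

If `diagnose()` on the real token shows `has_roles` false, the claim is missing from the token itself and no middleware setting will conjure it; if it shows the role but the API still denies access, the problem is on the `RoleClaimType` side.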

All replies