We're trying to set up authentication and authorization for our web site using Azure Active Directory.
We started with WS-Federation OWIN middleware for authentication and it worked great (according to this sample).
We then tried to plug in authorization and got stuck - both role- and group-based setups in Azure Active Directory require something like the following:
```csharp
using System;
using System.Globalization;
using System.Threading.Tasks;
using System.Web;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// OpenID Connect middleware notification: redeem the authorization code
// for a Graph access token on behalf of the signed-in user.
AuthorizationCodeReceived = context =>
{
    // Get Access Token for User's Directory
    string userObjectId = context.AuthenticationTicket.Identity.FindFirst(Globals.ObjectIdClaimType).Value;
    string tenantId = context.AuthenticationTicket.Identity.FindFirst(Globals.TenantIdClaimType).Value;
    ClientCredential credential = new ClientCredential(ConfigHelper.ClientId, ConfigHelper.AppKey);
    AuthenticationContext authContext = new AuthenticationContext(
        String.Format(CultureInfo.InvariantCulture, ConfigHelper.AadInstance, tenantId),
        new TokenDbCache(userObjectId));
    // The redirect URI passed here must match the one used in the sign-in request.
    AuthenticationResult result = authContext.AcquireTokenByAuthorizationCode(
        context.Code,
        new Uri(string.Format(
            URI_MANGLER,
            HttpContext.Current.Request.Url.Scheme,
            HttpContext.Current.Request.Url.Authority,
            System.Web.Hosting.HostingEnvironment.ApplicationVirtualPath)),
        credential,
        ConfigHelper.GraphResourceId);
    return Task.FromResult(0);
}
```
With WS-Federation, there is no such thing as "Code" field in context.
The tenant is set up in AAD, the application is added, and the manifest is updated to have a couple of roles. Users are assigned to the application and given a specific role.
So, in turn, we moved everything to OpenID, but the question is: is this the silliest way to deal with such a requirement?
You can definitely get roles and use them against [Authorize] even with WS-Federation. Just follow the instructions in the readme of https://github.com/AzureADSamples/WebApp-RoleClaims-DotNet for turning on role creation and emission for the app in Azure AD. Furthermore, you have to ensure that the claim of type http://schemas.microsoft.com/ws/2008/06/identity/claims/role is used as the role type in your app. That should be the default anyway.
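To show what the answer above means in code, here is an added example (not part of the original question or answer, and not taken from the linked sample) of an OWIN Startup class that uses the WS-Federation middleware, pins the role claim type to the ws/2008 role claim, and then gates a controller on an app role with [Authorize]. The realm, metadata URL, namespace `MyApp`, and the role name "Admin" are assumed placeholders; the role value must match the `value` of an appRoles entry in the app manifest, and the user must be assigned that role in the Azure portal for the claim to be emitted. The `TokenValidationParameters` type is assumed to be the one from System.IdentityModel.Tokens, which is what the OWIN 3.x WS-Federation middleware uses.

```csharp
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Web.Mvc;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;

[assembly: OwinStartup(typeof(MyApp.Startup))]

namespace MyApp
{
    public class Startup
    {
        // Hypothetical values; a real app reads these from web.config.
        // Wtrealm is the App ID URI registered for the application in Azure AD.
        private const string Realm = "https://localhost:44300/";
        // Federation metadata document of the tenant; supplies issuer and signing keys.
        private const string MetadataAddress =
            "https://login.microsoftonline.com/contoso.onmicrosoft.com/federationmetadata/2007-06/federationmetadata.xml";

        public void Configuration(IAppBuilder app)
        {
            // Sign the user in with a cookie once the WS-Federation response is validated.
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
            app.UseCookieAuthentication(new CookieAuthenticationOptions());

            app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
            {
                Wtrealm = Realm,
                MetadataAddress = MetadataAddress,
                TokenValidationParameters = new TokenValidationParameters
                {
                    // ClaimTypes.Role == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
                    // the type Azure AD uses for app roles. This is the default, but stating it
                    // makes the dependency explicit so IsInRole and [Authorize(Roles=...)] keep working.
                    RoleClaimType = ClaimTypes.Role
                }
            });
        }
    }

    // Only users assigned the "Admin" app role (the appRoles "value" in the manifest)
    // reach this controller; everyone else gets a 401/403 from the filter.
    [Authorize(Roles = "Admin")]
    public class AdminController : Controller
    {
        public ActionResult Index()
        {
            var user = (ClaimsPrincipal)User;
            // Same lookup the attribute performs: resolves through the identity's RoleClaimType.
            bool isAdmin = user.IsInRole("Admin");
            return Content(isAdmin ? "admin" : "not admin");
        }
    }
}
```

No authorization-code exchange or Graph call is needed for this path: the role arrives as a claim in the WS-Federation token itself, so the check is purely local to the app. Group-based authorization is different, because Azure AD does not emit group membership in the token by default and the sample's Graph call exists to look it up.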