Tags: .net, azure, authentication, adal, role

How to get Azure Native Client Application Roles?


I'm authenticating a WinForms application as an Azure Native Client with access to an Azure-hosted service API. I've defined application roles on both the native client and the service API and assigned permission from the native client to the service API. This is all fine, and I do get the application roles assigned to my user defined in the service API. For example, I've defined READ and WRITE roles for HTTP GET and HTTP POST operations and secured the API.

However, I am not getting the roles that I've defined in the Native Client. I have defined native client roles such as 'USER' and 'ADMIN'. These roles would be used to hide/show portions of the UI. When the native client authenticates, it specifies the native client ID and the resource ID of the service API. I understand that the token I am getting is specifically for the service, which is probably why I'm only receiving the roles for that service and not my client roles.

So, how do I get my native client roles without resorting to using the Graph API? The method for authenticating requires a resource ID. The native client does not define a resource ID (APP ID URI). I would have expected to receive both the client and resource application roles, as I have specified both in the token request.

    // Requires: using Microsoft.IdentityModel.Clients.ActiveDirectory;
    //           using System.IdentityModel.Tokens.Jwt;
    //           using System.Linq;
    // authContext (AuthenticationContext), clientId and odataServiceResourceId
    // are fields of the form, initialised from the app's configuration.
    AuthenticationResult result;
    UserCredential uc = new UserCredential();
    try
    {
        // This method requires a resourceId.
        // How do I request a token for just the client that returns client app roles,
        // or client and service roles in one request?
        // Azure Native Client does not define a resourceId, a.k.a. APP ID URI
        result = authContext.AcquireTokenAsync(odataServiceResourceId, clientId, uc).Result;

        // Decode (without validating) the access token issued for the service API
        // and collect every "roles" claim it carries.
        var jwt = new JwtSecurityTokenHandler().ReadJwtToken(result.AccessToken);
        string[] roles = jwt.Claims.Where(c => c.Type == "roles").Select(c => c.Value).ToArray(); // missing client roles???
        txtResults.Text = "Application roles assigned to you: ";
        foreach (var role in roles)
        {
            txtResults.Text += role + ",";
        }
        // roles is missing the client roles, but has the service roles???
        btnSignIn.Text = "Sign Out";
        lblUser.Text = String.Format(@"{0} {1}", result.UserInfo.GivenName, result.UserInfo.FamilyName);
        lblMessage.Text = "Sign in successful";
    }
    catch (Exception ee)
    {
        lblMessage.Text = ee.Message;
        return;
    }

Solution

  • This authentication just requires permission to access the resource, so the resource ID is the resource's App ID URI. So I think your code will not get the native application's roles. If you want to do this, I think you need the Graph API.
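The following is an added example in C#, not code from the question or the answer above, showing one way to do what the answer suggests: keep reading the service API's roles from the access token, but check the token's aud claim against the resource that was requested before trusting them, and fetch the native client's own USER/ADMIN roles through Microsoft Graph instead. It assumes (none of this is on the page) the Microsoft Graph v1.0 endpoint rather than the older Azure AD Graph, Newtonsoft.Json for parsing, that the object ID of the native client's service principal (`nativeClientSpObjectId`) is known, and that the signed-in user is allowed to call `GET /me/appRoleAssignments` (for example via the Directory.Read.All delegated permission).

```csharp
// Added example (not from the original post). Assumptions: Microsoft Graph v1.0,
// Newtonsoft.Json, a known service-principal object ID for the native client, and
// a delegated permission that allows reading the user's appRoleAssignments.
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
using Newtonsoft.Json.Linq;

static class AppRoleLookup
{
    const string GraphResource = "https://graph.microsoft.com";

    // Roles the token grants for the resource named in its aud claim (the service API).
    // Check aud against the resource that was requested before trusting them: a token
    // issued for a different audience may carry "roles" values that mean something else.
    public static string[] RolesForResource(string accessToken, string expectedResource)
    {
        var jwt = new JwtSecurityTokenHandler().ReadJwtToken(accessToken);
        if (!jwt.Audiences.Contains(expectedResource))
            throw new InvalidOperationException("token audience is not " + expectedResource);
        return jwt.Claims.Where(c => c.Type == "roles").Select(c => c.Value).ToArray();
    }

    // The native client's own roles are never in the service token. They live in the
    // user's appRoleAssignments on the client's service principal, so ask Graph for them.
    public static async Task<string[]> ClientRolesFromGraphAsync(
        AuthenticationContext authContext, string clientId, UserCredential uc,
        string nativeClientSpObjectId)
    {
        // A second token, this time with Microsoft Graph as the resource.
        AuthenticationResult graphResult =
            await authContext.AcquireTokenAsync(GraphResource, clientId, uc);

        using (var http = new HttpClient())
        {
            http.DefaultRequestHeaders.Authorization =
                new AuthenticationHeaderValue("Bearer", graphResult.AccessToken);

            // 1. The signed-in user's assignments, restricted to the client's service principal.
            JToken assignmentsJson = JObject.Parse(await http.GetStringAsync(
                GraphResource + "/v1.0/me/appRoleAssignments"))["value"];
            var assignedRoleIds = new HashSet<string>(assignmentsJson
                .Where(a => (string)a["resourceId"] == nativeClientSpObjectId)
                .Select(a => (string)a["appRoleId"]));

            // 2. The client's appRoles definition maps each appRoleId to its value ("USER", "ADMIN").
            JToken roleDefs = JObject.Parse(await http.GetStringAsync(
                GraphResource + "/v1.0/servicePrincipals/" + nativeClientSpObjectId +
                "?$select=appRoles"))["appRoles"];

            return roleDefs
                .Where(r => assignedRoleIds.Contains((string)r["id"]))
                .Select(r => (string)r["value"])
                .ToArray();
        }
    }
}
```

Two things follow from this split. The service API must enforce its READ/WRITE roles from the token it receives itself (after validating signature and aud), because hiding or showing parts of the WinForms UI based on USER/ADMIN is a usability choice, not a security boundary: anyone with the user's credentials can call the API directly. And the token acquired for the service API should not be reused to call Graph; each resource gets its own token with its own audience, which is exactly why the client's roles never show up in the service token.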