Tags: asp.net-web-api2, azure-active-directory, rbac, adal.js

My RBAC'd Web API is secure, but, the roles aren't working


I have a simple ADAL.js 'spa' app based on this sample. It is calling an API that is part of the same solution (so I don't think this is a CORS issue; we're all in the same domain here, same app).

I set up some custom roles in my AD tenant's app manifest file. I associated those roles with some test user accounts. When I run my sample and log in, it reflects back to me user token values that show that the correct role has been applied to whatever test user I decided to log in with...

When I make calls to the API where we've just simply used the [Authorize] attribute, everything is fine.

For example, this decorated controller, works fine:

[Authorize]
public class ValuesController : ApiController
{
    // GET api/values
    public IEnumerable<string> Get(){...omitted....}
}

However, this gives me a 'denied' response (literally: Authorization has been denied for this request):

[Authorize(Roles = "AdminAccess")]
public class ValuesController : ApiController
{
    // GET api/values
    public IEnumerable<string> Get(){...omitted....}
}

What am I doing wrong? It seems to fail when deployed to Azure, as well as locally.


Here's my Startup.Auth.cs class:

    using System.Configuration;
    using System.IdentityModel.Tokens;   // TokenValidationParameters (Microsoft.IdentityModel.Tokens in newer package versions)
    using Microsoft.Owin.Security.ActiveDirectory;
    using Owin;

    public partial class Startup
    {
        public void ConfigureAuth(IAppBuilder app)
        {
            // Validates the bearer token issued by the Azure AD tenant for this API's audience.
            app.UseWindowsAzureActiveDirectoryBearerAuthentication(
                new WindowsAzureActiveDirectoryBearerAuthenticationOptions
                {
                    TokenValidationParameters = new TokenValidationParameters
                    {
                        ValidAudience = ConfigurationManager.AppSettings["ida:Audience"]
                    },
                    Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
                });
        }
    }

Solution

  • You need to define which claim contains the roles. Here is an example:

    app.UseWindowsAzureActiveDirectoryBearerAuthentication(
        new WindowsAzureActiveDirectoryBearerAuthenticationOptions()
        {
            Tenant = Tenant,
            TokenValidationParameters = new TokenValidationParameters
            {
                ValidAudience = ValidAudience,
                RoleClaimType = "roles"
            }
        });
    

    This causes the middleware to map values in the claim "roles" to roles for the principal it creates.
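As an added illustration (not code from the question, the answer, or the Azure AD sample), the following standalone C# program shows why the `RoleClaimType` setting decides the outcome of `[Authorize(Roles = "AdminAccess")]`. The attribute ultimately calls `IPrincipal.IsInRole`, and a `ClaimsIdentity` answers that question only from claims whose type equals its own `RoleClaimType`; Azure AD places app roles in a claim named `roles`, whereas the default role claim type is `ClaimTypes.Role`. The claim set and the audience value below are constructed stand-ins for what the middleware would extract from a validated token.

```csharp
// Added example: demonstrates how ClaimsIdentity.RoleClaimType drives IsInRole,
// which is what [Authorize(Roles = "...")] relies on. Not part of the original post.
using System;
using System.Collections.Generic;
using System.Security.Claims;

public static class RoleClaimDemo
{
    // Constructed stand-in for the claims the OWIN middleware would build from a
    // validated Azure AD access token. "AdminAccess" is the app role from the manifest.
    static IEnumerable<Claim> SampleTokenClaims() => new[]
    {
        new Claim("aud", "https://contoso.example/my-api"), // hypothetical audience value
        new Claim("name", "Test User"),
        new Claim("roles", "AdminAccess"),
    };

    // Mirrors the original Startup.Auth.cs: no RoleClaimType configured, so the
    // identity looks for roles under the default ClaimTypes.Role type.
    public static ClaimsPrincipal BuildWithDefaultRoleClaim() =>
        new ClaimsPrincipal(new ClaimsIdentity(SampleTokenClaims(), "Bearer"));

    // Mirrors the fix from the answer: the identity treats "roles" as its role claim.
    public static ClaimsPrincipal BuildWithRolesClaim() =>
        new ClaimsPrincipal(new ClaimsIdentity(
            SampleTokenClaims(),
            "Bearer",
            ClaimsIdentity.DefaultNameClaimType,
            "roles"));

    // The same decision the authorization filter makes for an incoming request:
    // the caller must be authenticated and must be in the required role.
    public static bool WouldAuthorize(ClaimsPrincipal user, string requiredRole) =>
        user.Identity != null
        && user.Identity.IsAuthenticated
        && user.IsInRole(requiredRole);

    // Lists the claim types a principal actually consults for roles, which makes the
    // mismatch visible when debugging a 401 on a role-restricted action.
    public static string DescribeRoleClaimType(ClaimsPrincipal user) =>
        (user.Identity as ClaimsIdentity)?.RoleClaimType ?? "<no ClaimsIdentity>";

    public static void Main()
    {
        foreach (var principal in new[] { BuildWithDefaultRoleClaim(), BuildWithRolesClaim() })
        {
            Console.WriteLine(
                "RoleClaimType = {0}; authorized for AdminAccess: {1}",
                DescribeRoleClaimType(principal),
                WouldAuthorize(principal, "AdminAccess"));
        }
    }
}
```

Running it shows the same token claims being rejected by the first principal and accepted by the second; nothing about the token changed, only which claim type the identity reads roles from. When a role-restricted action returns "Authorization has been denied for this request" even though the token visibly carries the role, comparing the identity's `RoleClaimType` against the actual claim name is the first thing to check.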