Search code examples
c#azureazure-active-directoryowinowin-middleware

Azure Active Directory | Roles based authorization

I have tried various authentication scenarios of Azure Active Directory across internet. All examples are focused only on Authorization by Authentication. I was looking for Authorizing the user based on Roles from my AAD App Registration.

Auth() Scenarios,

For example,

..\Controller\ArtistController.cs:

public class ArtistController : ApiController
    {
        [Authorize(Roles = "Admin, InternalAdmin")]
        public void Post(ArtistModel model)
        {
            // Do admin stuff here...
        }
    }

..\App_Start\Startup.Auth.cs [Not working]:

public void ConfigureAuth(IAppBuilder app)
    {
        app.UseWindowsAzureActiveDirectoryBearerAuthentication(
                new WindowsAzureActiveDirectoryBearerAuthenticationOptions
                {
                    Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
                    TokenValidationParameters = new TokenValidationParameters
                    {
                        SaveSigninToken = true,
                        ValidAudience = ConfigurationManager.AppSettings["ida:Audience"],
                        RoleClaimType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
                    }
                });
    }

..\App_Start\Startup.Auth.cs [Working]:

public void ConfigureAuth(IAppBuilder app)
{
    app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions
            {
                ClientId = ConfigHelper.ClientId,
                Authority = ConfigHelper.Authority,
                RedirectUri = "<<Home_Url>>",
                PostLogoutRedirectUri = ConfigHelper.PostLogoutRedirectUri,

                TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,
                    NameClaimType = "upn",
                    RoleClaimType = "roles",    // The claim in the Jwt token where App roles are provided.
                },

                Notifications = new OpenIdConnectAuthenticationNotifications()
                {
                    AuthenticationFailed = context =>
                    {
                        context.HandleResponse();
                        context.Response.Redirect("/Error/ShowError?signIn=true&errorMessage=" + context.Exception.Message);
                        return System.Threading.Tasks.Task.FromResult(0);
                    }
                }
            });
}

I understand that OWIN can wire any middleware to handle incoming http requests. Auth Middlewares like OpenId, WindowsBearerToken,...

Is UseOpenIdConnectAuthentication() the only correct middleware to authorize web resources by roles over UseWindowsAzureActiveDirectoryBearerAuthentication() based on this example?

Please suggest.

Solution

  • Yes, OpenID is the only middleware that will work for this. There is no alternative at this point to OpenID Connect.

    I found the best way to set the roles is to add these roles in the manifest and then hard code the logic to give different permissions to different users.

    This is the best sample that I have found for this so far. You just need to add the connection string to Azure SQL for it to work. https://github.com/Azure-Samples/active-directory-dotnet-webapp-roleclaims