Tags: azure, oauth-2.0, azure-active-directory, access-token

Want to understand the OAuth code flow where the application passes the access token on the user's behalf to the API to get the resources


I would like to know whether my understanding is correct and also to clarify my doubts further.

1) Confirm my Understanding:

In the image below, I have explained my understanding of protecting the application and the API using Azure AD. I have exposed the API with a SCOPE, and the application has consumed it through the permissions module.


Can someone please confirm that my understanding is correct?

2) Should we pass Role in ACCESS_TOKEN?

This is where I require someone to help me. This is a code flow where the user logs into the application and, when he tries to get the Todo list, the application sends a request to the API. In this communication, the application gets the ACCESS_TOKEN for the logged-in user and passes it in the request going to the API.

At the API side, we have a policy that checks the scope coming through IHttpContextAccessor.HttpContext.User.Identity and makes sure the claim has scp/scope with the right value.

Now, all are going well. The questions here are:

  1. Should we not have the Role (the user's role) in the ACCESS_TOKEN? (When I say Role, I mean the user's role, not the application's role.)

Following the link in the Microsoft documentation, I am getting the role in the claims when the user logs into the application, but to call the API I have to use the ACCESS_TOKEN, which I get through TokenAcquisition.GetAccessTokenForUserAsync, and it doesn't include the role. It includes sub, userPreferedName, email and scope kinds of detail (checked in jwt.io).

  2. If the answer to Question #1 is "NO, we should not", what is the way for the API to check the user's role and give the result? Is that something we need to stuff into the SCOPE only?

REF: https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps

To give better context, I have added my Azure configuration here as well.



Solution

    1. Confirm my Understanding:

    Based on your screenshot, your understanding is basically accurate.

    Microsoft identity platform issues you an access token after you sign in, and then you use this access token to call your web API. The API will validate the access token and the permissions / roles, which determines whether you can access its data.

    This protocol diagram should make it clearer.


    2. Should we pass Role in ACCESS_TOKEN?

    Firstly, the link you shared is related to application roles. But you are not talking about that. What you are talking about is the AAD role (e.g. Global admin, Group admin). Correct me if there is any misunderstanding.

    Honestly, AAD roles should not be included in the access token because they are meaningless. To access your web API, you should define your own roles to control the permissions of users. AAD roles only work when you try to perform AAD or Microsoft Graph operations.

    If the answer to Question #1 is "NO, we should not", what is the way for the API to check the user's role and give the result?

    You have found the correct guide: Add app roles to your application and receive them in the token.

    You should use application roles. Define the User app role in the Azure AD app registration that represents your API and assign your users to the role. Then your API can check the user's role by verifying both the scopes and the app roles.

    There is another method to control the user's role: using Group Claims which is also mentioned in the link you shared. The detailed steps are listed here.
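The API-side check that the question describes (policy over the `scp` claim) and the one the answer recommends (scope plus an app role from the API's own app registration) can be written as two ASP.NET Core authorization policies. The code below is an added example, not from the original post or from Microsoft.Identity.Web; it assumes a web API whose JWT bearer authentication against Azure AD is already configured, and the scope name `access_as_user`, the app role name `Todo.Read` and the policy names are assumptions chosen for illustration.

```csharp
// Added example (not from the original post). Assumes the API already calls
// AddAuthentication(...).AddMicrosoftIdentityWebApi(...) or equivalent, so the
// bearer token has been signature-validated before these policies run.
// Scope name "access_as_user", app role "Todo.Read" and policy names are assumptions.
using System;
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public static class TokenClaimChecks
{
    // Delegated permissions arrive in the "scp" claim as a space-separated list.
    // Depending on claim mapping, .NET may expose it under the long claim type instead.
    private static readonly string[] ScopeClaimTypes =
    {
        "scp",
        "http://schemas.microsoft.com/identity/claims/scope"
    };

    // App roles assigned to the signed-in user arrive in the "roles" claim
    // (mapped to ClaimTypes.Role when inbound claim mapping is enabled).
    private static readonly string[] RoleClaimTypes = { "roles", ClaimTypes.Role };

    public static bool HasScope(ClaimsPrincipal user, string requiredScope)
    {
        return ScopeClaimTypes
            .SelectMany(type => user.FindAll(type))
            .SelectMany(claim => claim.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries))
            .Any(scope => string.Equals(scope, requiredScope, StringComparison.Ordinal));
    }

    public static bool HasAppRole(ClaimsPrincipal user, string requiredRole)
    {
        return RoleClaimTypes
            .SelectMany(type => user.FindAll(type))
            .Any(claim => string.Equals(claim.Value, requiredRole, StringComparison.Ordinal));
    }
}

public class Program
{
    public static void Main(string[] args)
    {
        var builder = WebApplication.CreateBuilder(args);
        // builder.Services.AddAuthentication(...).AddMicrosoftIdentityWebApi(...) goes here (not shown).

        builder.Services.AddAuthorization(options =>
        {
            // Policy 1: the scope check the question already performs. It proves the
            // client app was granted the delegated permission, nothing about the user's role.
            options.AddPolicy("TodoScope", policy =>
                policy.RequireAuthenticatedUser()
                      .RequireAssertion(ctx => TokenClaimChecks.HasScope(ctx.User, "access_as_user")));

            // Policy 2: scope AND the app role defined on the API's app registration
            // and assigned to the user. This is the answer's recommended role check.
            options.AddPolicy("TodoReader", policy =>
                policy.RequireAuthenticatedUser()
                      .RequireAssertion(ctx =>
                          TokenClaimChecks.HasScope(ctx.User, "access_as_user") &&
                          TokenClaimChecks.HasAppRole(ctx.User, "Todo.Read")));
        });

        var app = builder.Build();
        app.UseAuthentication();
        app.UseAuthorization();

        // Constructed sample endpoint guarded by the combined policy.
        app.MapGet("/todos", () => Results.Ok(new[] { "buy milk", "file report" }))
           .RequireAuthorization("TodoReader");

        app.Run();
    }
}
```

With this in place a token that carries `access_as_user` but no `roles` claim satisfies `TodoScope` and is rejected by `TodoReader` with a 403, which is exactly the situation in the question: the access token from `GetAccessTokenForUserAsync` only contains a `roles` claim once the app role is defined on the API's app registration and the user is assigned to it in the API's enterprise application. The string comparison is ordinal on purpose, so `Todo.Read` and `todo.read` are treated as different roles.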