Tags: c#, asp.net-core, active-directory, azure-active-directory, azure-ad-graph-api

Azure AD v2 roles not included in Access Token


I'm using https://login.microsoftonline.com/.../oauth2/v2.0/token to authenticate (authorization_code grant) to Azure AD using the scopes: offline_access, openid, profile, User.Read

According to the documentation the Access Token I receive should contain the roles of the user: https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens

However, only the identity token returns the roles:

--Access Token
{
  "typ": "JWT",
  "nonce": "IWTwK2P0vzHoNnv1vvvSsjZSbAYPpSIk8MozY0A4WR0",
  "alg": "RS256",
  "x5t": "nOo3ZDrODXEK1jKWhXslHR_KXEg",
  "kid": "nOo3ZDrODXEK1jKWhXslHR_KXEg"
}.{
...
  "rh": "0.ASgASPp-HouAsUyXCdG05vvfeHAoPPG46TFOoWYsil-LDcsoADw.",
  "scp": "User.Read profile openid email",
...
}.[Signature]

--Identity Token
{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "nOo3ZDrODXEK1jKWhXslHR_KXEg"
}.{
...
  "rh": "0.ASgASPp-HouAsUyXCdG05vvfeHAoPPG46TFOoWYsil-LDcsoADw.",
  "roles": [
    "MyApp.Read",
    "MyApp.Admin",
    "MyApp.Write"
  ],
...
}.[Signature]

Is there a way to make the access token also include the roles?


Solution

  • Thanks to @juunas for the tip, @juunas is right. If you are using a custom API, the user token can also contain the roles claim.

    You need to create two applications in Azure, one representing the client application and the other representing the api application, and then use the client application to call the api application.

    First, you need to expose the API of the back-end application protected by Azure and add the client application:


    Next, you need to set the API application's AppRole, which is your custom role; it will be displayed in the manifest.


    Then you can assign the role to the user. Go to Enterprise applications > your API application > Users and groups.


    Next, go to the client application and give your client application access to your backend API:

    • Under 'API permissions' click on 'Add permission', then click on the 'My APIs' tab.
    • Find your backend application and select the appropriate scope.
    • Click 'Add permissions'.
    • Grant admin consent for your APIs.

    Next, you need to use the auth code flow to obtain an access token, which requires you to log in as the user and obtain the authorization code, and then use the authorization code to redeem the access token.


    Parse the token; it contains both the scp claim and the roles claim.


    Additional step

    As mentioned by @Ekkelenkamp in the comments, another step that may be required to show the roles claim in the access_token is to remove "emit_as_roles" from the "optionalClaims.accessToken" configuration in the server's app registration manifest:

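The answer above boils down to one check: the access token must be issued for your API (its audience), not for Microsoft Graph, before app roles can appear in it. The following Python is an added diagnostic example, not code from the question or answer; it decodes constructed, unsigned sample tokens (the audience `api://constructed-api` and the dummy signature are placeholders) and reports why `roles` is missing. Decoding without signature verification is only for inspecting claims; the API itself must validate signature, issuer and audience before trusting any role.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(header: dict, payload: dict) -> str:
    # Constructed sample token for offline testing. The signature segment is a
    # dummy placeholder, so this token would never pass real validation.
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()),
                     "dummy-signature"])


def inspect_token(token: str) -> dict:
    # Decode header and payload WITHOUT verifying the signature: fine for
    # diagnosing which claims a token carries, never for an authorization decision.
    header_b64, payload_b64, _signature = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    payload = json.loads(_b64url_decode(payload_b64))
    scp = payload.get("scp")
    return {
        "aud": payload.get("aud"),
        "scp": scp.split() if scp else [],
        "roles": payload.get("roles", []),
        # A "nonce" in the JOSE header is typical of tokens minted for Microsoft
        # Graph (as in the question's dump); such a token is for Graph, not for
        # a custom API, so the custom API's app roles are not expected in it.
        "graph_style_header": "nonce" in header,
    }


def diagnose(token: str, api_app_id_uri: str) -> str:
    # Explain, in the order the answer fixes things, why roles may be absent.
    info = inspect_token(token)
    if info["aud"] != api_app_id_uri:
        return (f"token audience {info['aud']!r} is not the API {api_app_id_uri!r}; "
                f"request a scope exposed by the API instead of only Graph scopes")
    if not info["roles"]:
        return "audience is correct but no roles: assign the user an app role on the API's enterprise application"
    return "ok: roles " + ", ".join(info["roles"])


# Constructed samples mirroring the two dumps in the question (values are made up).
GRAPH_TOKEN = make_unsigned_token({"typ": "JWT", "alg": "RS256", "nonce": "constructed"},
                                  {"aud": "https://graph.microsoft.com", "scp": "User.Read profile openid email"})
API_TOKEN = make_unsigned_token({"typ": "JWT", "alg": "RS256"},
                                {"aud": "api://constructed-api", "roles": ["MyApp.Read", "MyApp.Admin"]})
```

Run `diagnose(GRAPH_TOKEN, "api://constructed-api")` against a real token dump by pasting the token string in place of the constructed one; the audience message is the usual answer to the question asked here.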