WEB API Authorization through group membership with JWT authentication
The WEB API application is authenticated using JWT token passed by the client app. Given the token from the client app I want to perform additional check to see if the user from the token belongs to a security group using GRAPH API and authorize access to the API based on that.
Please note that, if you want to authorize user through group membership you have to make use of Authorization Code Flow to acquire the token.
Make sure to change the settings in the Portal like below:
Go to App Registration -> Your App -> Token Configuration -> Add Group Claim
Go to Manifest and update "groupMembershipClaims": "SecurityGroup" like below:
I tried to reproduce the same via Postman and generated token via Authorization Code Flow like below:
GET https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
grant_type:authorization_code
client_id:client_id
client_secret:client_secret
scope:scope
code:code
redirect_uri: redirect_uri
When I decoded the token, Group IDs are included like below:
You can check the below code sample to check if value of Group Name exists in Sessions or in User claims:
public static bool CheckUsersGroupMembership(AuthorizationHandlerContext context, string GroupName, IHttpContextAccessor _httpContextAccessor)
{
bool result = false;
if (HasOverageOccurred(context.User))
{
var groups = GetUserGroupsFromSession(_httpContextAccessor.HttpContext.Session);
if (groups?.Count > 0 && groups.Contains(GroupName))
{
result = true;
}
}
else if (context.User.Claims.Any(x => x.Type == "groups" && x.Value == GroupName))
{
result = true;
}
return result;
}
To know more in detail, please refer below GitHub Blog for sample code:
Azure active-directory-groupclaims: .NET web app that uses Azure AD groups for authorization
- Is there a query to run so I can get a list of users who has NOT logged in, in the past 30 days?
- Access Sharepoint Online Files from .NET Worker Service via Microsoft Graph/OAuth - Unauthorized or Access Denied error (401)
- Get-RemoteDomain in powershell exchange online error : The term 'Get-RemoteDomain' is not recognized as the name of a cmdlet
- Azure Storage accounts container public access level has dissabled
- How to get "exp" from jwt token and compare with it current time to check if token is expired
- How to refresh client assertion in ConfidentialClientApplication?
- Enforce MFA for specific API called from SPFx via AADTokenProvider (Even with SPO MFA)
- How to extract TLS 1.X of all app services/web app running Azure
- Why Can't I See Roles Assigned to an App Registration in Azure?
- Connect C# ASP.NET Core web app to Microsoft Graph calendar
- Is there a way to find out all users of a particular group in AzureAD?
- MSAL Redirect on Failure AADSTS50105
- Microsoft Power BI REST API PowerBINotAuthorizedException
- AzureAD SAML SSO through AWS Cognito - doesn't match requested authentication method
- How to get username after logged in?.I am trying with MSAL (@azure/msal-angular) for Azure Signin
- Display all the user's files using Microsoft Graph API not working
- Get Access Token from Microsoft Graph for ClientId with delegated permissions
- How to call Microsoft Graph API from ASP.NET Core Web API that is called by SPA
- add-kdsrootkey error the request is not supported
- AADSTS50011: The redirect URI http does not match the redirect URIs
- Access Token Issuer from Azure AD is sts.windows.net Instead Of login.microsoftonline.com
- Getting user data through an Azure AD OAuth login - React Native Expo App
- HTTP request to update Service Principal Entra
- on-behalf-of flow, getting error AADSTS50013 while acquiring obo token
- Azure AD B2C Password Reset
- ASP.NET Core 5 WebAPI - Azure AD - Call Graph API Using Azure Ad Access Token
- Programmatically Assign Exchange Roles to a Group in Azure AD using Microsoft Graph API
- "AADSTS900144: The request body must contain the following parameter: 'grant_type'.?
- Signature validation of my Azure access-token, Private-key?
- Entra ID OIDC Failed Auth Attempt Logs