EntraID: how to pass application roles downstream
I am working on an SPA (Blazor wasm), that uses AzureAD/EntraID with "authorization code flow".
The app is hosted in an ASP.NET Core 8 Web API service, that exposes some simple APIs for now. I have configured the app to request and attach downstream access token (based on this). The access token is reaching the endpoint. So far so good.
But I also want to use application roles. I have configured them, and I do get them in the ID token (just for reference). But I need those roles on the backend side as well.
How can I include that (or any other claim for that matter from the identity token) into the downstream token?
[Update]
I have figured it out. The issue was that I requested the access token to something else. I had to do the following:
- "exposed an API" for that application,
- define a scope for that API
- assign and approve that scope as grant
- update the default access token scope in the options to the newly created one.
And now the roles are included in the access token because the token is intended for the same application. Indeed, roles unknown to the other API are useless to include.
To get app roles in the access token, check the below:
Expose an API and add scope in the Microsoft Entra ID application:
Created App role:
Grant API permissions as below:
In the Enterprise application, assign a user to this app role:
For sample, generated tokens for the API via Postman by using below parameters:
POST https://login.microsoftonline.com/TenantId/oauth2/v2.0/token
grant_type:authorization_code
client_id:ClientID
client_secret:ClientSecret
scope:api://xxx/.default
code:code
redirect_uri:https://jwt.ms
When I decoded roles claim is displayed in the access token:
If still the issue persists, check below:
- Make sure you are generating the token for the application where roles are created as roles are unknown to the other API to include it in token.
- Expose an API, add scope and pass the scope to generate the token.
- Check if the user is assigned with role.
- How and where to define an environment variable on Azure
- Azure Data Factory - Unable to preview data
- Azure yaml trigger pipeline every 14 days on a Saturday
- Diagnostic setting not included in Azure Portal ARM template export
- How do I read the original pdf file in set indexer datasource in a custom WebApiSkill after enabling "Allow Skillset to read file data"
- How do I store vectors generated by AzureOpenAIEmbeddingSkill in indexer given my current setup
- Authenticating using the Azure CLI is only supported as a User (not a Service Principal)
- Azure Function App - frequent hang and deadlocks
- Sign Tool for Azure Trusted Service Account Error information: "Error: SignerSign() failed." (-2147467259/0x80004005)
- How to convert the premium file share to premium block blob storage account or standard general purpose v2 storage account?
- How to generate an azure blob url with SAS signature in nodejs sdk v12?
- How to Assign Role to New User with Graph API
- Directory disappears from azure cloud shell (home)
- Application Insights Logging Exceptions as Trace
- Issue with Azure key vault and Azure storage account deployment
- AddDataProtection().PersistKeysToAzureBlobStorage().ProtectKeysWithAzureKeyVault() getting httpVerb Error while accessing the blob storage
- temporary_name_for_rotation must be specified when changing any of the following properties: pod_subnet_id
- Native Node.js Metrics in Application Insights
- Azure Key Vault Disabled public access, how to access it through the portal via internet
- Using Google.Cloud.BigQuery.V2 API in Azure Functions
- Azure Functions no job found (python)
- Azure Machine Learning - Online Endpoint Schedule/Cost management
- Is it possible to read File from same folder where Azure function exists
- Make WAF policy to only allow Azure Load Testing or Azure Services
- port 7071 is unavailable. Close the process using that port, or specify another port using --port [-p]
- Azure - RBAC to Management Group
- Why is AVD remove client's maximize to current display option grayed out?
- Azure get EID List with API
- Synchronise Azure files to blob store
- trigger logic app from Azure Service bus in sequance