I would like to use Roles in Azure AD. I have almost everything working, including Roles configured in the AppRegistration Manifest, etc. On breakpoint, I do see a claim "roles":["MyAdminRole"]
I am trying to apply authorization on the ApiController method:
[System.Web.Http.Authorize("Roles="MyAdminRole")]
public void PostMyMethod(){}
The owin startup looks something like this:
var issuer = "https://sts.windows.net/MyAzureAppServiceGuidFromAuthProperties/";
var secret = TextEncodings.Base64Url.Decode("AzureAppServiceAuthSecret"); //have tried using the encoded value of my Azure Secret here as well
app.UseJwtBearerAuthentication(
new JwtBearerAuthenticationOptions
{
AuthenticationMode = AuthenticationMode.Active,
AllowedAudiences = new[] { "MyAppIdGUID"},
IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[]
{
new SymmetricKeyIssuerSecurityTokenProvider(issuer, secret)
},
TokenValidationParameters = new TokenValidationParameters
{
//this should set ClaimsIdentity.RoleClaimType to "roles", so it finds the "roles" claim during ClaimsPrincipal.UserInRole("")
//in the Mvc Controller example, it behaves this way, but in my ApiController, this is being ignored.
RoleClaimType = "roles"
}
});
The request is coming from an Angular-adal app, and includes a Authorization: Bearer JWT_TOKEN. The token decodes on https://jwt.io, although it says "Invalid Signature" even when I enter my Azure App's Secret from AppService/Auth/AzureAD properties. In the decoded token I do see the audience and issuer are what I expect, and I see the "roles" claim having ["MyAdminRole"].
On a breakpoint in the method, if I inspect the private m_identities
((List<ClaimsIdentity>)typeof(System.Security.Claims.ClaimsPrincipal).GetField("m_identities", System.Reflection.BindingFlags.NonPublic|System.Reflection.BindingFlags.GetField|System.Reflection.BindingFlags.Instance).GetValue(User))[0]
the ClaimIdentity.RoleClaimType values equals System.Security.Claims.ClaimTypes.Role, ie: "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", and User.IsInrole("MyAdminRole") returns false, presumably because the User.Claims role key is "roles", ie: they don't match.
To contrast, from working with jmprieur's azure sample active-directory-dotnet-webapp-roleclaims(https://azure.microsoft.com/en-us/resources/samples/active-directory-dotnet-webapp-roleclaims/), which is using OpenIdConnectAuthenticationOptions, at breakpoints in the Controller methods, the ClaimsIdentity.RoleClaimType has the value "roles", and User.IsInRole("MyAdminRole") returns true, presumably the ClaimsPrincipal.IsInRole is finding the "roles" claim because the ClaimsIdentity.RoleClaimType "roles" matches the User.Claims key of "roles".
How to I get the ClaimsIdentity.RoleClaimType to be "roles" so that ClaimsIdentity.IsInRole("MyAdminRole") to return true so that Authorize("MyAdminRole") will pass? Is it that JwtBearerAuthentication is not constructing the ClaimsPrinciple, something else is, and that something is setting ClaimsIdentity.RoleClaimType to "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"? And, how do I know if the app.useJwtBearerAthentication is even being applied to the request? I don't see any event where I could log that it is being invoked.