I tried role-based authorization in my .NET Core 3.1 Web API using Azure AD. The issue happens only when I specify a Policy or Role in the Authorize attribute:
[Authorize(Policy = "p-web-api-with-roles-user")]
[Authorize(Roles="User")]
My controller:
[Authorize(Policy = "p-web-api-with-roles-user")]
public class BaseController : ControllerBase
ConfigureServices in Startup.cs:
services.AddAuthentication(rootOptions =>
{
    rootOptions.DefaultAuthenticateScheme = AzureADDefaults.AuthenticationScheme;
    rootOptions.DefaultChallengeScheme = AzureADDefaults.AuthenticationScheme;
})
// "AzureAD" is the value of AzureADDefaults.AuthenticationScheme, so the default schemes above resolve to this handler
.AddJwtBearer("AzureAD", options =>
{
    options.Audience = configuration.GetValue<string>("Authentication:AzureAd:Audience");
    options.Authority = configuration.GetValue<string>("Authentication:AzureAd:Instance") +
        configuration.GetValue<string>("Authentication:AzureAd:TenantId");
    options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidIssuer = configuration.GetValue<string>("Authentication:AzureAd:Issuer"),
        ValidAudience = configuration.GetValue<string>("Authentication:AzureAd:Audience"),
        RoleClaimType = "roles",   // claim type that IsInRole / [Authorize(Roles = ...)] should look at
        NameClaimType = "name"
    };
});
services.AddAuthorization(policies =>
{
    // Policies match on the literal claim type "roles" as it appears in the JWT
    policies.AddPolicy("p-web-api-with-roles-user", p =>
    {
        p.RequireClaim("roles", "User");
    });
    policies.AddPolicy("p-web-api-with-roles-admin", p =>
    {
        p.RequireClaim("roles", "Admin");
    });
});
My JWT payload looks like below:
{
    "aud": "f9ea4dcd-50f9-4bba-93ef-6514be396e98",
    "iss": "https://login.microsoftonline.com/b4f51282-6eb2-4a8b-ae76-6632f8c4936a/v2.0",
    "iat": 1643822217,
    "nbf": 1643822217,
    "exp": 1643826117,
    "aio": "AZQAa/8TAAAAOt6II6GXwVFVT8flEfLQBtBoG2nknE+AX4UCIYqyyXSxPw0Go6kECzgwaILMsxs4hgZBiiYz+Ovt6GzkrCAvA64tqYOEhlPbSjCk2+n/J84MTxS7OsdxWIrpRNzvCDTihvLfkxL7zBU9UU5069Dxgnj2dkBgqlI06g0YAvGrTHfLei3ym5iEe8NpUIsnBhBX",
    "idp": "https://sts.windows.net/cc994933-7128-4222-9d36-3e7f4fd81608/",
    "name": "Abhilash CR",
    "nonce": "8ce4cb72-f322-46a6-937c-d526fc2be1f1",
    "oid": "aefdda8f-f83f-4ace-8316-4e47d82c0d27",
    "preferred_username": "[email protected]",
    "rh": "0.AQ0AghL1tLJui0qudmYy-MSTas1N6vn5ULpLk-9lFL45bpgNAEk.",
    "roles": [
        "User"
    ],
    "sub": "B5soMutWa-fYNNShKCKA2QmNYi555yzTGGSScuMMfKg",
    "tid": "b4f51282-6eb2-4a8b-ae76-6632f8c4936a",
    "uti": "lazPqCkyIEioN0MHpycgAA",
    "ver": "2.0"
}
I am not sure what mistake I am making here. Simply keeping the [Authorize] attribute is not validating the roles. I want to validate the roles.
I had a similar issue and it turned out that the claims in the user principal were being renamed.
So the collection "roles" in the JWT token was being converted into multiple claims of type "http://schemas.microsoft.com/ws/2008/06/identity/claims/role".
You can specify the role claim type in your TokenValidationParameters as follows:
Or you can stop the claims being renamed using
but this could cause issues if you have other logic which relies on the renamed claims types.
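To see the renaming the answer describes, here is an added, self-contained example (not the asker's or answerer's code) that signs a token locally with a constructed key and validates it twice, once with the handler's inbound claim mapping on and once off, using the same RoleClaimType = "roles" as the question's Startup. It assumes the System.IdentityModel.Tokens.Jwt NuGet package; the issuer and audience strings are placeholders.

```csharp
// Added example (not from the question or answer); assumes the NuGet package
// System.IdentityModel.Tokens.Jwt. Issuer and audience values are placeholders.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;
class ClaimMappingDemo
{
    // Constructed demo key: a locally signed token stands in for the Azure AD one.
    static readonly SymmetricSecurityKey Key = new SymmetricSecurityKey(
        Encoding.UTF8.GetBytes("constructed-demo-key-at-least-32-bytes!!"));
    const string Issuer = "https://login.microsoftonline.com/<tenant-id>/v2.0";
    const string Audience = "<client-id>";
    static string CreateToken() =>
        new JwtSecurityTokenHandler().WriteToken(new JwtSecurityToken(
            issuer: Issuer, audience: Audience,
            claims: new[] { new Claim("roles", "User") },  // same claim as the question's token
            expires: DateTime.UtcNow.AddMinutes(5),
            signingCredentials: new SigningCredentials(Key, SecurityAlgorithms.HmacSha256)));
    static ClaimsPrincipal Validate(string jwt, bool mapInboundClaims)
    {
        // Per-handler switch; JwtSecurityTokenHandler.DefaultMapInboundClaims is the static equivalent.
        var handler = new JwtSecurityTokenHandler { MapInboundClaims = mapInboundClaims };
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Audience,
            IssuerSigningKey = Key,
            RoleClaimType = "roles",  // same setting as the question's Startup
        };
        return handler.ValidateToken(jwt, parameters, out _);
    }
    static void Main()
    {
        string jwt = CreateToken();
        foreach (bool map in new[] { true, false })
        {
            var principal = Validate(jwt, map);
            bool hasClaim = principal.HasClaim("roles", "User"); // what RequireClaim("roles","User") checks
            bool inRole = principal.IsInRole("User");            // what [Authorize(Roles="User")] checks
            Console.WriteLine($"MapInboundClaims={map}: claim types = "
                + string.Join(", ", principal.Claims.Select(c => c.Type)));
            Console.WriteLine($"  HasClaim(roles,User)={hasClaim}  IsInRole(User)={inRole}");
        }
    }
}
```

With mapping on, the only claim type printed is the long schema URI and both checks come back false; with mapping off the type stays "roles" and both pass, which is why a policy written against "roles" only works once the renaming is disabled or the policy targets the renamed type.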