Azure AD v2 - roles not included in Access Token


Following the same issue already asked on Stack Overflow (Azure AD v2 roles not included in Access Token), I have tried the solution but it is not working for me (https://stackoverflow.com/a/66348704).

Roles are not part of the access token / ID token. The frontend client is built using Angular, the backend using NodeJS. I followed the tutorial and cloned the official GitHub projects.

I have registered both applications and configured them correctly. I am using external public accounts, not organizational accounts. I invited a user from Azure Entra and gave him the admin role.

Added scopes for my Node app: [screenshot omitted]

Added a role for my Node app: [screenshot omitted]

Assigned the role to the user: [screenshot omitted]

{
  endpoint: `http://localhost:5000/api/`,
  scopes: { write: [ "api://[node-application-Id]/TimeSheetTemplate.ReadWrite" ] }
},

Request URL: https://login.microsoftonline.com/common/oauth2/v2.0/token
Request Method: POST
Status Code: 200 OK
Remote Address: 40.126.18.33:443
Referrer Policy: strict-origin-when-cross-origin

Payload

client_id: [angular-application-Id]
scope: api://[node-application-Id]/TimeSheetTemplate.ReadWrite openid profile offline_access
grant_type: refresh_token
client_info: 1
x-client-SKU: msal.js.browser
x-client-VER: 3.7.1
x-ms-lib-capability: retry-after, h429
x-client-current-telemetry: 5|61,0,,,|@azure/msal-angular,3.0.11
x-client-last-telemetry: 5|0|||0,0
client-request-id: [angular-application-Id]
refresh_token: M.C105_BAY.-Cgu4NLSGJ8NnC8QMdz6Vv8ZHK0rLZZHkUQOvQJoeoYPxAxdIhn3oGpn6CNhwkTtFHI!7AXK0GabGzI7NmLXNUeL37zVwyWGUdQyAElqMK4nxSp8jVmr2ibLQUVHXdkDcrQJRYhCjSDE0QqpNhfJPmSUulFSMLG8FtaTKr5eEFFmPshJGLZI1wP7b78m0UMnzgA4o!89UhUnNiFuToC13ndifFa1z5n3XroZMXbinKIN!dv!uEKXWl6fDxTtgRKSeyG6wayLhcDOSMZP6YATq0StwiGVQCfitbsOKOd0ucYTNlBWiBTQaouk9fUQfITMwXh2h8qu8SRU7mRNo80oS8$
X-AnchorMailbox: Oid:00000000-0000-0000-d8db-351d7555e529@9188040d-6c67-4c5b-b112-36a304b66dad

Response

{
  "token_type": "Bearer",
  "scope": "api://[node-application-Id]/TimeSheetTemplate.ReadWrite api://[node-application-Id]/TimeSheetList.ReadWrite api://[node-application-Id]/TimeSheetList.Read",
  "expires_in": 3600,
  "ext_expires_in": 3600,
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjJTcG9oaDl5Mm1lNTJuS3JoYWk3R3hXSmliVSJ9....ez3vQ4d4M7D2J-AyYzMFZze3_DQn2_XuG31YB6TEvSqhUrT--cObM0D-xcjQsD5PXR78lzYTM1e6JjIaV1CdUPLHBei38gaQFwLG9xJ9uFK3lKpV3Ba9jDm8D8GU2uku20JWivC457Uuo1f0UfXavKknVUnA3yy7hPr_iKhqAk2Fg9w20-CCDvWVM0fX9yPnfOlJYnhwm4g5uyOifnPUXy4ifxX38z68IgBrJxW3FQw7PXkorWQJOsgm9Cd65GhJJWQhkMTT0uvfaQEiiBAZ_ftLWheqb9ThG-jE-KnBfUzIjKJX4GK8KeOFe8CvKhx0F_RVa1CX5OKz7Csa2UESnw",
  "refresh_token": "M.C105_BAY.-CpkCvUofwIkM8zmuBL42sAjbAWHHVUoqhz2qCiiLbkqR!al0jWy9JUEpiLi8Jl2GYqYeNHfME6upOKjAHiHJM1lnubg5GjSVqzAj51RPfpG9Da0cYqVhvmRhqyi07JErjhWvMAbrzPtVJ4am91J0NE1rhY55WAxx1QnLk8ug5tG6ETAzWlV9RSW4OJ4vHVMsGZ**1yq1y7wMR6Xja6mqGERwkJlpoYSccuielViJeYYz5FFJ1YcfaUrkvl0Ahv722h7NxShRQWrgvibtY9c6tHRL0y4GGaEKdy4ElAJpvGtfMaGMQ!z89A!c0!mqtGZRtvIJeMdJNsQmfo0DBFfYmXc4iIU95M1Nlz8zVXZGz8E9TrXiR4NTZZLlQ8p0xZdWHe*ODZku2Rh0HpDRvmeAHU!FbUeAO!SDFDojVc",
  "id_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjJTcG9oaDl5Mm1lNTJuS3JoYWk3R3hXSmliVSJ9.eyJ2ZXIiOiIyLjAiLCJpc3MiOiJodHRwczovL2xvZ2luLm1pY3Jvc29mdG9ubGluZS5jb20vOTE4ODA0MGQtNmM2Ny00YzViLWIxMTItMzZhMzA0YjY2ZGFkL3YyLjAiLCJzdWIiOiJBQUFBQUFBQUFBQUFBQUFBQUFBQUFCbEFoR04tNkNqbDE5N3luTWg0d3NzIiwiYXVkIjoiZGFiNzU2MzAtNjY2ZC00MmQyLTk4NjMtYTQzMGFkNmEzMTc4IiwiZXhwIjoxNzA3NDA3MjgwLCJpYXQiOjE3MDczMjA1ODAsIm5iZiI6MTcwNzMyMDU4MCwibmFtZSI6IkFiZHVsIEtoYWRlciIsInByZWZlcnJlZF91c2VybmFtZSI6ImFiZHVsa2hhZGVyNDEyM0BvdXRsb29rLmNvbSIsIm9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC1kOGRiLTM1MWQ3NTU1ZTUyOSIsInRpZCI6IjkxODgwNDBkLTZjNjctNGM1Yi1iMTEyLTM2YTMwNGI2NmRhZCIsImFpbyI6IkRrYmxFT2Z4aktXUVUhOG9mNVRaMDkxWm15S3FWZEpBODFIc1BoKkZkd2xMY1VQSVpzRndFMkRxMio2WDM3WUVEKmpoY3V2RWtwaHpGWFBDMTNzTlNpd0lrME1xTWhUSUo4WUtOQ0RMNjVsdEY3OTFmc0NzcHAyc2FEVEZZRW5SMUVBZ2I2WE9zdXpSVzBvZkVCUWpFOGskIn0.XGzplVHMJL2xyNKSRJnkcA4QLiDtth-Wc7MzLIpLMLPUohmLIOY-_2Y3Kujq3r6k6uhn2CoEi3I_4F3ENyyWb4VihsSdETMwstc8_bc7EygHLcG9nS_o0cb-D9W-6L0D_dpPR0ZbhWzvH6Z_Ek762xGdiG7lNwTje-EQdiwtZODDhyMPhTavIZz5shcjLwa0ctBjuqgZamzVnZqYcDzbnQHMzaeVuhQe10cGLKGCRLmKq3ZeZDmHzfSfqM_cocwyTDd7mrxmhliP-nUJ5qhMVFoY9hunYlhSDXyCUMFlnQijgftr_AzPCx1eRPzaLHX5yfo9miJwl-MT68Edx2F5CA",
  "client_info": "eyJ2ZXIiOiIxLjAiLCJzdWIiOiJBQUFBQUFBQUFBQUFBQUFBQUFBQUFCbEFoR04tNkNqbDE5N3luTWg0d3NzIiwibmFtZSI6IkFiZHVsIEtoYWRlciIsInByZWZlcnJlZF91c2VybmFtZSI6ImFiZHVsa2hhZGVyNDEyM0BvdXRsb29rLmNvbSIsIm9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC1kOGRiLTM1MWQ3NTU1ZTUyOSIsInRpZCI6IjkxODgwNDBkLTZjNjctNGM1Yi1iMTEyLTM2YTMwNGI2NmRhZCIsImhvbWVfb2lkIjoiMDAwMDAwMDAtMDAwMC0wMDAwLWQ4ZGItMzUxZDc1NTVlNTI5IiwidWlkIjoiMDAwMDAwMDAtMDAwMC0wMDAwLWQ4ZGItMzUxZDc1NTVlNTI5IiwidXRpZCI6IjkxODgwNDBkLTZjNjctNGM1Yi1iMTEyLTM2YTMwNGI2NmRhZCJ9"
}

I added roles to a user and expected them to be part of the access token or ID token.

Answer

I created a test app role:

[screenshot omitted]

And exposed an API and added a scope like below:

[screenshot omitted]

Now in the Enterprise application I assigned the app role to the user:

[screenshot omitted]

Make sure to grant admin consent to the roles and scope:

[screenshot omitted]

Generated auth-code:

https://login.microsoftonline.com/TenantID/oauth2/v2.0/authorize?
&client_id=ClientID
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=api://ID/.default
&state=12345

[screenshot omitted]

Generated tokens like below:

https://login.microsoftonline.com/TenantID/oauth2/v2.0/token

client_id:ClientID  
scope:api://ID/.default openid offline_access
grant_type:authorization_code  
code:code  
redirect_uri:https://jwt.ms
client_secret:Secret

[screenshot omitted]

When I decoded the access token, roles and scp are present:

[screenshot omitted]

In the ID token, the roles claim is present:

[screenshot omitted]

Make sure to add the API permission in the client application.

Refer to this SO thread by junnas, which states that if you are using separate app registrations for the client and the API, you should define the role in both apps and assign the user to it on both of them as well.
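The check the answer performs by hand at jwt.ms (look for scp and roles in the decoded access token) is what the NodeJS API from the question has to do on every request. The following is an added example, not code from the question, the answer or the linked tutorial: it decodes the payload, assumes the audience values `api://[node-application-Id]` and `[node-application-Id]` as placeholders from the question, and returns a reason that distinguishes the missing-roles misconfiguration from other rejections. Signature verification against the tenant JWKS is assumed to have happened before these checks run.

```javascript
// Added example, not code from the question, the answer or the linked tutorial.
// These are claim checks a Node API runs AFTER the token signature has been
// verified against the tenant JWKS; decoding alone authorizes nothing, it only
// inspects the claims this thread is about (scp present, roles absent).

// Audiences the API accepts: Entra sets `aud` to the API's client ID or its
// App ID URI. Both values are placeholders taken from the question.
const ACCEPTED_AUD = ['api://[node-application-Id]', '[node-application-Id]'];

// Base64url-decode the payload segment of a compact JWS (no signature check).
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}

// Decide whether an already-verified payload may call an endpoint that needs
// one delegated scope and one app role. `reason` is what to log server-side
// to tell the missing-role misconfiguration from an ordinary bad request.
function authorizeClaims(payload, requiredScope, requiredRole) {
  if (!ACCEPTED_AUD.includes(payload.aud)) {
    return { ok: false, reason: `audience ${payload.aud} is not this API` };
  }
  const scopes = typeof payload.scp === 'string' ? payload.scp.split(' ') : [];
  const roles = Array.isArray(payload.roles) ? payload.roles : [];
  if (!scopes.includes(requiredScope)) {
    return { ok: false, reason: `scope ${requiredScope} not in scp` };
  }
  if (roles.length === 0) {
    // The symptom in the question: the app role is defined or assigned on the
    // client registration, not on the API registration the token is issued for.
    return { ok: false, reason: 'no roles claim: define and assign the app role on the API app registration' };
  }
  if (!roles.includes(requiredRole)) {
    return { ok: false, reason: `role ${requiredRole} not in roles` };
  }
  return { ok: true, reason: 'scope and role present' };
}

// Constructed fixture: builds a token with a dummy header and signature so the
// checks above can be exercised offline.
function makeSampleToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ typ: 'JWT', alg: 'RS256' })}.${enc(payload)}.dummysignature`;
}
```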