As the title says, I'm trying but have still found no solution. This is the flow: User <-> Blazor.Client <-> Blazor.Server <-> External APIs.
- Blazor.Client: MSAL Authentication
- Blazor.Server: MicrosoftIdentityWebApi Authentication
Can I use my custom claim server to provide Permission claims to authorize users after they log in successfully at Azure AD?
Thank you!
Below is my idea about authorization:
- Each Role has a collection of Permissions: Contact.Read, Contact.Create, Posts.Create, Posts.Read, Posts.Delete, etc.
- Each User has 0-many Roles.
- Each Role can be assigned to 0-many Users.
- Each Action/Controller in Blazor.Server, and each Component in Blazor.Client is authorized or rendered by using current User Permissions.
I have searched and read many blogs, but I can do nothing except log in at login.microsoftonline.com and then redirect to my app.
After hours of searching and working, I decided to use the Backend For Frontend pattern to handle user authorization. For custom claims to handle security roles, I injected OpenIdConnect & Cookie into the Server services to connect to Azure AD first, then added more claims in the options.Events.OnTokenValidated event of AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options).
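The approach described above (cookie + OpenIdConnect on the server, permission claims appended in OnTokenValidated, then claim-based policies on the controllers), written out as an added example in a minimal ASP.NET Core host. This is not code from the original post; the IPermissionStore interface, the in-memory role-to-permission data, the `permission` claim type and the "AzureAd" configuration section are assumptions made for illustration.

```csharp
// Added example, not the original poster's code. Assumes an "AzureAd" configuration
// section (Authority, ClientId, ClientSecret, CallbackPath) and a hypothetical
// IPermissionStore that maps a user's Azure AD object id to permissions via roles.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddSingleton<IPermissionStore, InMemoryPermissionStore>();

builder.Services
    .AddAuthentication(options =>
    {
        // Cookie is the session scheme; OIDC is only used to challenge (BFF pattern).
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddCookie()
    .AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options =>
    {
        builder.Configuration.Bind("AzureAd", options);
        options.ResponseType = "code";
        options.Events.OnTokenValidated = async ctx =>
        {
            // Azure AD's stable user key is the "oid" claim. With inbound claim
            // mapping enabled it is renamed to the schema URI, so check both.
            var oid = ctx.Principal?.FindFirst("oid")?.Value
                      ?? ctx.Principal?.FindFirst(
                          "http://schemas.microsoft.com/identity/claims/objectidentifier")?.Value;
            if (oid is null)
            {
                // Refuse sign-in for a principal we cannot map to our own user record.
                ctx.Fail("id_token carries no object identifier");
                return;
            }

            var store = ctx.HttpContext.RequestServices.GetRequiredService<IPermissionStore>();
            var permissions = await store.GetPermissionsAsync(oid, ctx.HttpContext.RequestAborted);

            // Put app permissions on a separate identity so Azure AD-issued claims stay
            // distinguishable from claims this server added. All identities are
            // serialized into the auth cookie, so later requests do not hit the store.
            var appIdentity = new ClaimsIdentity(
                permissions.Select(p => new Claim("permission", p)), "AppPermissions");
            ctx.Principal!.AddIdentity(appIdentity);
        };
    });

// One policy per permission; a controller action opts in with [Authorize(Policy = ...)].
builder.Services.AddAuthorization(options =>
{
    foreach (var perm in new[] { "Contact.Read", "Contact.Create",
                                 "Posts.Create", "Posts.Read", "Posts.Delete" })
    {
        options.AddPolicy(perm, p => p.RequireClaim("permission", perm));
    }
});
builder.Services.AddControllers();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();

// Hypothetical store: resolves user -> roles -> permissions from the app's own data.
public interface IPermissionStore
{
    Task<IReadOnlyCollection<string>> GetPermissionsAsync(string userObjectId, CancellationToken ct);
}

// Constructed in-memory data for demonstration only; a real store would query a database.
public sealed class InMemoryPermissionStore : IPermissionStore
{
    private static readonly Dictionary<string, string[]> RolePermissions = new()
    {
        ["Editor"] = new[] { "Posts.Create", "Posts.Read", "Posts.Delete" },
        ["Viewer"] = new[] { "Contact.Read", "Posts.Read" },
    };

    private static readonly Dictionary<string, string[]> UserRoles = new()
    {
        ["00000000-0000-0000-0000-000000000001"] = new[] { "Viewer", "Editor" }, // constructed oid
    };

    public Task<IReadOnlyCollection<string>> GetPermissionsAsync(string userObjectId, CancellationToken ct)
    {
        var roles = UserRoles.GetValueOrDefault(userObjectId, Array.Empty<string>());
        IReadOnlyCollection<string> perms = roles
            .SelectMany(r => RolePermissions.GetValueOrDefault(r, Array.Empty<string>()))
            .Distinct(StringComparer.Ordinal)
            .ToArray();
        return Task.FromResult(perms);
    }
}

[ApiController, Route("api/posts")]
public class PostsController : ControllerBase
{
    [HttpGet, Authorize(Policy = "Posts.Read")]
    public IActionResult List() => Ok(new[] { "post-1" });

    [HttpDelete("{id}"), Authorize(Policy = "Posts.Delete")]
    public IActionResult Delete(string id) => NoContent();

    // Lets Blazor.Client read the current permissions to decide what to render; the
    // server still enforces every policy, so the client's view is convenience only.
    [HttpGet("/api/me/permissions"), Authorize]
    public IActionResult MyPermissions() =>
        Ok(User.FindAll("permission").Select(c => c.Value).ToArray());
}
```

Two points worth keeping in mind with this layout. Because the permission claims are baked into the cookie at sign-in, removing a role from a user does not take effect until the cookie is reissued; if prompt revocation matters, re-query the store in the cookie scheme's OnValidatePrincipal event (or keep the cookie lifetime short). And the Blazor client's rendering decisions are a UX convenience only: every action and controller must stay behind a server-side policy, since anything the client sends, including its own notion of roles, is untrusted.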