
We are migrating an application which consists of an Angular Frontend and an ASP.NET Core 2.1 Web Api Backend running on .NET Framework 4.6.2 from on premises to Azure.

The application uses Active Directory Groups for authorization purposes.

To facilitate the migration process we would like to use the same groups which are synchronized to Azure Active Directory.

Authentication works fine, but when I inspect the claims in the User Object within a Web Api Controller I can't find any group claims in it.

The only group-related claim I see in the User Object is one named "hasGroups" with the value true, but I need to know which groups the user is part of.

I know I can query AD via Graph API, but I would prefer a seamless way if the service can provide this info directly.

Update: I use MSAL 1.0 and implicit flow in my Angular Frontend to authenticate the user and gain an access token to authenticate the calls to the Web Api.

Update 2: This is the configuration of the backend api:

  • I applied the following configuration in the "Token configuration" page (screenshot: token configuration)

  • I created a client secret in the "Certificates & secrets" page (screenshot: client secret)

  • I created a scope in the "Expose an API" tab and added the client application to it (screenshot: expose an API page)

  • I added API permissions (screenshot: API permissions)

In the frontend app I activated the options for "access tokens" and "ID tokens" in the Authentication page (screenshot: authentication options in frontend app) and I configured the redirect URL on the same page (screenshot: redirect URL).

Update 3: I upgraded the backend to .NET 5 and can still reproduce the problem (no roles in the claims collection).

Markus S.

2 Answers

Per my understanding, you want to get all groups that the current login user is in as token claims. It seems you are in the right direction, but make sure that you are configuring the ASP.NET Core 2.1 Web Api Azure AD application instead of your Angular Frontend Azure AD application.

I also did some tests on my side, and this is the token config of my ASP.NET Core 2.1 Web Api Azure AD application: (screenshot: token configuration)

I call the Azure AD /token endpoint to mock a user login:

(screenshot: token request) The Client ID is the Angular Frontend Azure AD APP ID, and the ASP.NET Core 2.1 Web Api Azure AD application here is 01abd597-4b2f-478e-bbb1-6d8759099346.

Parse the token: (screenshot: decoded token)

As you can see, the groups claim has been added to the token.

Let me know if you have any questions.

UPDATE Request Result:

(screenshot: request result)

Stanley Gong
  • Thank you for your post! Could you elaborate what you mean by "make sure that you are configuring the ASP.NET Core 2.1 Web Api Azure AD application instead of your Angular Frontend Azure AD application"? I just created 1 application in AD which is used by the Frontend and the Web Api. I am using implicit flow to authenticate the SPA. I analyzed both the ID token and the Access Token, but the groups array is missing. – Markus S. Mar 08 '21 at 06:59
  • When I try the request you suggested via Postman (just replacing the tenant name in the path and my values in the request body) I get back 400 Bad Request - Invalid Hostname. (already double-checked spelling) – Markus S. Mar 08 '21 at 07:13
  • @MarkusS. In this scenario, you should create 2 Azure AD apps, one on behalf of your front-end app and the other one for your backend API. For the error you got, please share your whole request and error messages. – Stanley Gong Mar 08 '21 at 07:22
  • I will try to reproduce with 2 separate apps. Is this required for groups to be included? – Markus S. Mar 08 '21 at 07:48
  • This is my raw request: POST /dataformersGmbH.onmicrosoft.com/oauth2/v2.0/token HTTP/1.1 Host: login.microsoftonline.com Content-Type: application/x-www-form-urlencoded Content-Length: 181 client_id=e8c7c4a5-319e-4677-b0c4-8b059edf0c5b&username=xxx.yyy@dataformers.at&grant_type=password&password=xxx&scope=api://e8c7c4a5-319e-4677-b0c4-8b059edf0c5b/access_as_user (username and pwd obfuscated) – Markus S. Mar 08 '21 at 07:49
  • This is the raw response: Bad Request - Invalid Hostname. HTTP Error 400. The request hostname is invalid. – Markus S. Mar 08 '21 at 07:50
  • @MarkusS. Yes, and for front-end and back-end separated applications, you should register Azure AD apps to represent each application (front apps and backend APIs). – Stanley Gong Mar 08 '21 at 07:59
  • @MarkusS. It is really weird, I can't repro your issue on my side. I have appended the request result based on your description at the end of my answer. – Stanley Gong Mar 08 '21 at 08:02
  • Thank you for your patience. I split up the applications (frontend and backend), but I still get no role claims. I added the complete configuration of my AAD apps to the original post and also clarified that the backend is based on ASP.NET Core 2.1 running on .NET Framework 4.6.2. Maybe this has some influence as well? – Markus S. Mar 09 '21 at 10:24

It seems to me that the main problem was that the user I tried to log in with is part of more than 5 groups. In this case, the groups are not added to the claims; instead I only get the mentioned "hasGroups" entry. This limitation applies only when implicit flow is used.

This StackOverflow issue pointed me into this direction.

So for cases where your users could have more than 5 AD groups, you will have to query the groups manually using MS Graph or find another place to store your groups.

Justinas Lelys
Markus S.
  • Wow, glad to know that your issue has been solved. Please mark my post or yourself as an answer to close this question : ) – Stanley Gong Mar 10 '21 at 01:42
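One way to handle this in the backend, as an added example that is not code from the question or either answer: an ASP.NET Core IClaimsTransformation that leaves the token alone when "groups" claims are present and otherwise, when Azure AD signalled an overage with the "hasgroups" claim (implicit flow) or the "_claim_names" claim (other flows), fills the "groups" claims from a lookup. IGroupLookup is a hypothetical interface standing in for the Microsoft Graph call; the class is registered with services.AddTransient<IClaimsTransformation, GroupOverageClaimsTransformation>().

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;

// Hypothetical abstraction over the Graph membership query (e.g. getMemberGroups);
// a real implementation would call Graph on behalf of the signed-in user.
public interface IGroupLookup
{
    Task<IReadOnlyList<string>> GetGroupObjectIdsAsync(string userObjectId);
}

// Runs for each authenticated request and normalizes group membership into
// "groups" claims, whether Azure AD emitted them or flagged an overage instead.
public class GroupOverageClaimsTransformation : IClaimsTransformation
{
    private const string OidClaim = "http://schemas.microsoft.com/identity/claims/objectidentifier";
    private readonly IGroupLookup _lookup;

    public GroupOverageClaimsTransformation(IGroupLookup lookup) => _lookup = lookup;

    public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        if (!(principal.Identity is ClaimsIdentity identity) || !identity.IsAuthenticated)
            return principal;

        // Case 1: groups fit in the token, nothing to do (also keeps this idempotent
        // if the transformation is invoked more than once per request).
        if (identity.HasClaim(c => c.Type == "groups"))
            return principal;

        // Case 2: overage indicator. Implicit flow emits "hasgroups": true;
        // other flows emit "_claim_names"/"_claim_sources" pointing at Graph.
        bool overage = identity.HasClaim(c =>
            string.Equals(c.Type, "hasgroups", StringComparison.OrdinalIgnoreCase)
            || c.Type == "_claim_names");
        if (!overage)
            return principal; // user genuinely has no groups

        // The object id may be mapped to its long URI form by the JWT handler.
        string oid = identity.FindFirst(OidClaim)?.Value ?? identity.FindFirst("oid")?.Value;
        if (string.IsNullOrEmpty(oid))
            return principal;

        foreach (string groupId in await _lookup.GetGroupObjectIdsAsync(oid))
            identity.AddClaim(new Claim("groups", groupId));

        return principal;
    }
}
```

Authorization policies that require a specific group object id then work the same way whether the groups came from the token or from the lookup.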