I registered an app: test
Added App Roles:
Added User with Roles
Added Api Permissions
But I don't see any roles-related claim in this list:
This is my backend (BE) code:
// Global authorization filter: every request must come from an authenticated
// user AND carry the GlobalAdmin role (Roles.GlobalAdmin is a string constant
// holding the app role value, e.g. "GlobalAdmin").
builder.Services.Configure<MvcOptions>(options =>
{
    var policy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .RequireRole(Roles.GlobalAdmin)
        .Build();
    options.Filters.Add(new AuthorizeFilter(policy));
});
If I remove the role policy, everything is fine, but when I add this role policy the application declines my request. This makes sense because I don't see any roles in the token.
This is my token:
{
"aud": "c46ccd9d-xxxxxxxxx",
"iss": "https://xxxxxxx",
"iat": xxxx,
"nbf": xxxx,
"exp": xxxx,
"aio": "xxxx",
"azp": "xxx",
"azpacr": "0",
"email": "[email protected]",
"family_name": "xxx",
"given_name": "xxx",
"name": "xxx",
"oid": "xxx",
"preferred_username": "[email protected]",
"rh": "xxx",
"scp": "User.Access",
"sid": "xxx",
"sub": "xxx",
"tid": "xxx",
"uti": "xxx",
"ver": "2.0"
}
How can I include roles in the token?
asked Mar 16 at 15:33 by Sergey Nikolaevich Guk
2 Comments
- Check these documents: an admin assigns them to users and groups in the Enterprise applications pane. Depending on the scenario, these assigned app roles are included in different tokens that are issued for your application. For example, for an app that signs in users, the roles claims are included in the ID token. When your application calls an API, the roles claims are included in the access token. – Brando Zhang, Mar 17 at 2:20
- Does the user exist in the tenant? – Rukmini, Mar 17 at 6:14
1 Answer
I agree with @Brando Zhang: you will get roles in the user's access token if the user is assigned roles in the Enterprise application blade.
- If the user is not assigned any roles, then you will not get a roles claim in the access token.
- The roles claim will be present in the access token when you pass the scope of your API (api://ClientID/Nameofscope).
- Otherwise, the roles claim will be present in the ID token if you pass any other scope, such as Microsoft Graph, rather than the API scope.
Make sure that the user who is trying to sign in is assigned a role under Enterprise applications:
As a sample, I tried to generate an access token by passing the parameters below:
Make sure to pass the scope as api://ClientID/.default
GET https://login.microsoftonline/common/oauth2/v2.0/token
client_id: ClientID
grant_type: authorization_code
scope: api://ClientID/User.Access
redirect_uri: RedirectURL
code: code
client_secret: Secret
The decoded token contains the roles and scp claims:
Hence, to resolve the error, make sure that the signed-in user is assigned a role under the Enterprise application blade.
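The answer above boils down to two conditions the token must satisfy before RequireRole can pass: the audience must be the API itself (so the token was requested with the API's scope, not Graph's), and the user must hold an app role assignment so that a roles claim is emitted. The following diagnostic is an added example, not code from the question or the answer. It decodes a JWT payload without verifying the signature and reports which of those two conditions fails, so you can tell "wrong scope" from "user not assigned" before touching the backend. The client ID, tenant, user name and the GlobalAdmin role value are placeholders constructed for the example; the three sample tokens are constructed as well and mirror the claim set shown in the question.

```python
import base64
import json

# Placeholder API client ID (the question redacts the real one). For a v2.0
# access token issued for the API, "aud" is this GUID; v1.0 tokens use api://<guid>.
API_CLIENT_ID = "c46ccd9d-0000-0000-0000-000000000000"
REQUIRED_ROLE = "GlobalAdmin"  # the app role value the backend's RequireRole checks
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph's well-known app ID


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_payload(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature.

    Diagnostic use only. Never base an authorization decision on this: the API's
    JWT middleware must validate signature, issuer, audience and expiry first.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def diagnose_roles(token: str, api_client_id: str = API_CLIENT_ID,
                   required_role: str = REQUIRED_ROLE) -> str:
    """Explain why RequireRole(required_role) would accept or reject this token."""
    claims = decode_payload(token)
    aud = claims.get("aud")
    if aud not in (api_client_id, f"api://{api_client_id}"):
        # Token was minted for another resource (e.g. Graph) or is an ID token:
        # app roles for the API are only put into tokens whose audience is the API.
        return (f"aud={aud!r} is not the API: request the API scope "
                f"api://{api_client_id}/<scope> or api://{api_client_id}/.default")
    roles = claims.get("roles")
    if not roles:
        # Audience is right, so the missing claim means no app role assignment.
        return ("no 'roles' claim: assign the user to the app role under "
                "Enterprise applications > Users and groups")
    if required_role not in roles:
        return f"roles={roles} does not include {required_role!r}: request would be rejected"
    return f"roles={roles} includes {required_role!r}: RequireRole would pass"


def make_unsigned_token(payload: dict) -> str:
    """Build a compact JWT with an empty signature segment (test input only)."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


# Constructed sample payloads; placeholder values, not real tokens.
_BASE = {
    "iss": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0",
    "preferred_username": "user@example.com",
    "ver": "2.0",
}
# What the question shows: correct audience and scp, but the user holds no app role.
TOKEN_WITHOUT_ROLES = make_unsigned_token({**_BASE, "aud": API_CLIENT_ID, "scp": "User.Access"})
# Same request after the user is assigned the GlobalAdmin app role.
TOKEN_WITH_ROLES = make_unsigned_token(
    {**_BASE, "aud": API_CLIENT_ID, "scp": "User.Access", "roles": ["GlobalAdmin"]})
# Token requested with a Graph scope instead of the API scope: wrong audience.
TOKEN_FOR_GRAPH = make_unsigned_token({**_BASE, "aud": GRAPH_APP_ID, "scp": "User.Read"})


if __name__ == "__main__":
    for label, tok in [("no roles", TOKEN_WITHOUT_ROLES),
                       ("with roles", TOKEN_WITH_ROLES),
                       ("graph scope", TOKEN_FOR_GRAPH)]:
        print(f"{label:>12}: {diagnose_roles(tok)}")
```

Run it against a real token by pasting the compact JWT string into diagnose_roles; the audience branch catches the common mistake of sending the ID token (or a Graph-scoped access token) to the API, and the roles branch catches a missing assignment. Because the payload is read without signature verification, treat the output as a troubleshooting hint only.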