I am trying to understand Authorization filters using Azure AD(Entra ID) for Authentication and Authorization. I have three roles created in Azure with users assigned to those roles. The app is successfully using Azure for Authentication but the Authorization isnt working.
When I go to https://localhost:sslport/ and https://localhost:sslport/Dashboard it allows all three users access after authenticating agains MS. But if I go to https://localhost:sslport/Dashboard/Settings, https://localhost:sslport/Dashboard/Administrator or https://localhost:sslport/Dashboard/Poweruser I get access denied.
"AzureAd": {
"Instance": "https://login.microsoftonline.com/",
"Domain": "qualified.domain.name",
"TenantId": "d1d5fe91-a895-45d7-964a-8ae51ff19d03",
"ClientId": "ac748c0f-f4f1-4351-b317-977d2edb81e1",
"CallbackPath": "/Signin-oidc",
"SignoutcallbackUrl": "/Signout-oidc"
},
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.HttpsPolicy;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.UI;
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
namespace AzureADRoles
{
public class Startup
{
public Startup(IConfiguration configuration)
{
Configuration = configuration;
}
public IConfiguration Configuration { get; }
// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services)
{
services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAd"));
services.AddAuthorization(options =>
{
options.AddPolicy("RequireAdminRole", policy => policy.RequireRole("Administrator"));
options.AddPolicy("RequirePoweruserRole", policy => policy.RequireRole("Poweruser"));
options.AddPolicy("RequireUserRole", policy => policy.RequireRole("User"));
});
services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
// Set RoleClaimType to "groups" to use Azure AD groups as roles
options.TokenValidationParameters.RoleClaimType = "groups";
});
services.AddControllersWithViews(options =>
{
var policy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.Build();
options.Filters.Add(new AuthorizeFilter(policy));
});
services.AddRazorPages()
.AddMicrosoftIdentityUI();
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
else
{
app.UseExceptionHandler("/Home/Error");
// The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
app.UseHsts();
}
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints.MapControllerRoute(
name: "default",
pattern: "{controller=Home}/{action=Index}/{id?}");
endpoints.MapRazorPages();
});
}
}
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using System.Linq;
namespace AzureADRoles.Controllers
{
//[Authorize(Roles = "Administrator,Poweruser,User")]
public class DashboardController : Controller
{
public IActionResult Index()
{
return View();
}
[Authorize(Policy = "RequireUserRole")]
public IActionResult Settings()
{
return View();
}
[Authorize(Policy = "RequireAdminRole")]
public IActionResult Administrator()
{
return View();
}
[Authorize(Policy = "RequirePoweruserRole")]
public IActionResult Poweruser()
{
return View();
}
}
}
I trust you are trying to realize role-based access control(RBAC), we had a sample here.
We firstly need to have the Azure AD roles and assign to different users, then define and use the policy in the application.
Create Azure AD roles and assign users or groups to this role.