Tags: authentication, jwt, authorization, azure-ad-b2c, role-based-access-control

Does Azure AD B2C support "roles" claim in JWT tokens for authorization?


I'm exploring Azure AD B2C in a learning environment, and I'm currently exploring a requirement related to the inclusion of a "roles" claim in JWT tokens for the purpose of authorization. My objective is to understand how to assign varying access levels and permissions based on user roles within a sample application.

Expected results:

I expect Azure AD B2C to provide native support for the "roles" claim in JWT tokens, allowing me to easily manage and validate user roles during authorization.

Actual results:

However, my research on this topic has not yielded clear information about whether Azure AD B2C supports the "roles" claim. The official Microsoft documentation does not provide recent information specifically addressing this aspect.

What I've tried:

I have thoroughly searched through various resources, including SO, Microsoft documentation, and developer forums, to find any updates or insights on this matter. However, I couldn't find concrete information that definitively states whether Azure AD B2C supports the "roles" claim in JWT tokens or offers any recommended approach to handle user roles.

Why it didn't meet my needs:

The lack of specific information has made it challenging for me to implement role-based authorization using Azure AD B2C. Without clarity on whether Azure AD B2C supports "roles" claim, I am unsure about the best approach to achieve my desired functionality.

Does Azure AD B2C support the "roles" claim in JWT tokens, or are there alternative approaches or workarounds to achieve role-based authorization within Azure AD B2C?


Solution

  • Assuming I understood your question correctly, the short answer is: No, as of today Azure Active Directory B2C does not support roles within the 'roles' claim for custom applications. At least the official documentation for Azure AD B2C does not describe this feature. For more information, see this post.

    However, depending on your use case, you could use the regular Azure Active Directory. The regular version allows you to create custom roles within your application, which are sent in the 'roles' claim of the access token. Unfortunately, this will only allow your users to sign in via one of their Microsoft accounts (work, school or personal). See the documentation for this. Hence, it does not provide e.g. Social Logins via other providers like Azure AD B2C does.

    See this article for adding roles to your Azure AD application, in case using Azure AD is an option for you.
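The validation side of what the answer describes, as an added example that is not part of the question, the answer, or any Microsoft SDK: a resource API verifies the token and then enforces a required value in the "roles" claim (an array of app role values in an Azure AD access token). To run offline it mints its own constructed tokens with an HS256 shared secret; the secret, issuer, audience, role names and the fixed clock are all assumptions. Real Azure AD access tokens are RS256-signed and must be verified against the tenant's published signing keys, normally via the platform's JWT middleware rather than hand-rolled code, but the checks shown (pinned algorithm, signature, expiry, issuer, audience, then roles) are the ones that middleware performs.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed shared secret for this self-contained example (assumption).
# Real Azure AD tokens are RS256-signed; verify them against the tenant's
# signing keys, never with a shared secret embedded in the app.
SECRET = b"example-signing-secret-not-for-production"
EXPECTED_AUD = "api://sample-app"  # assumed App ID URI of the protected API
EXPECTED_ISS = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0"  # assumed tenant issuer


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict, key: bytes = SECRET) -> str:
    """Mint an HS256 JWT; stands in for the identity provider in this example."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, key: bytes = SECRET, now: Optional[float] = None) -> dict:
    """Verify algorithm, signature, expiry, issuer and audience; return the claims.

    Raises ValueError on any failure so callers cannot accidentally use claims
    from an unverified token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token must not choose how it is verified
    # (blocks alg=none and key-confusion tricks).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    if claims.get("iss") != EXPECTED_ISS:
        raise ValueError("wrong issuer")
    if claims.get("aud") != EXPECTED_AUD:
        raise ValueError("wrong audience")
    return claims


def roles_from_claims(claims: dict) -> set:
    """Read the 'roles' array. A token with no 'roles' claim (e.g. one issued
    without app roles) simply grants no roles rather than failing open."""
    roles = claims.get("roles", [])
    if not isinstance(roles, list) or not all(isinstance(r, str) for r in roles):
        raise ValueError("roles claim must be a list of strings")
    return set(roles)


def authorize(token: str, required_role: str, now: Optional[float] = None) -> bool:
    """True only if the token verifies AND carries required_role; any error denies."""
    try:
        claims = verify_token(token, now=now)
        return required_role in roles_from_claims(claims)
    except ValueError:
        return False


# Constructed sample tokens with a fixed clock so the checks are reproducible.
NOW = 1_700_000_000
_BASE = {"iss": EXPECTED_ISS, "aud": EXPECTED_AUD, "sub": "user-1", "exp": NOW + 3600}
ADMIN_TOKEN = make_token({**_BASE, "roles": ["Admin", "Reader"]})
READER_TOKEN = make_token({**_BASE, "roles": ["Reader"]})
NO_ROLES_TOKEN = make_token(_BASE)  # valid token, but no app roles assigned
EXPIRED_TOKEN = make_token({**_BASE, "exp": NOW - 1, "roles": ["Admin"]})
FORGED_TOKEN = make_token({**_BASE, "roles": ["Admin"]}, key=b"attacker-key")

if __name__ == "__main__":
    for name, tok in [("admin", ADMIN_TOKEN), ("reader", READER_TOKEN), ("no-roles", NO_ROLES_TOKEN),
                      ("expired", EXPIRED_TOKEN), ("forged", FORGED_TOKEN)]:
        print(f"{name:9s} Admin={authorize(tok, 'Admin', now=NOW)} Reader={authorize(tok, 'Reader', now=NOW)}")
```

The order of checks matters: the roles claim is only consulted after the signature, expiry, issuer and audience have passed, so a token minted for a different API, or with a forged payload, never reaches the role comparison. Keeping `authorize` as a single boolean also avoids the common mistake of letting a verification exception propagate and be treated as "no opinion" by a caller.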