Entra ID roles claim missing in Token
I have an app where the Entra ID login is working fine. However, I would like to identify if the user is in a custom role defined on the App Registration.
I have added my user account to the custom role in the Enterprise Application linked to the App Registration.
The App Registration is set up with ID Token checked.
I have my program.cs with the following code:
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"));
builder.Services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
options.TokenValidationParameters.RoleClaimType = "roles";
});
Yet when look at the User object, it has all my user information but no claim for roles.
Any idea why?
Claims token screenshot (URL instead of friendly name for roles, TID, etc.)
To get the Azure AD role claims in ID token, check the below:
Create App roles in Azure AD Application:
In Enterprise Application, I added the role for a user:
Now, I generated tokens via Postman using below parameters:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
client_id:ClientID
scope:ClientID/.default openid
code:code
redirect_uri:https://jwt.ms
grant_type:authorization_code
client_secret:ClientSecret
When I decoded the ID token, roles are displayed successfully:
The role claims will also be displayed in access token:
Now, I tried to sign-in with the user who is not assigned any roles in the application and the role claims did not display in the ID token:
To get Azure AD role claims using ASP.NET Core web app, refer this GitHub blog by aremo-ms.
In your Startup.cs file modify the code like below:
public void ConfigureServices(IServiceCollection services)
{
JwtSecurityTokenHandler.DefaultMapInboundClaims = false;
services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
options.TokenValidationParameters.RoleClaimType = "roles";
});
services.AddAuthorization(options =>
{
options.AddPolicy(AuthorizationPolicies.AssignmentToUserReaderRoleRequired, policy => policy.RequireRole(AppRole.UserReaders));
options.AddPolicy(AuthorizationPolicies.AssignmentToDirectoryViewerRoleRequired, policy => policy.RequireRole(AppRole.DirectoryViewers));
});
}
// In code..(Controllers & elsewhere)
[Authorize(Policy = AuthorizationPolicies.AssignmentToDirectoryViewerRoleRequired)]
// or
User.IsInRole("UserReaders"); // In methods
Reference:
- Entra ID roles claim missing in Token
- Where to store my Git personal access token?
- SvelteKit: Run function at route change (for access token, without doing it at a layout file)
- Theory of API development: why create a refresh token method instead of simply ask user to relogin?
- How to update a GitHub access token via command line
- Generating your OAuth Linkedin token : Oops. We can’t verify the authenticity of your request because the state parameter was modified
- How to automatically delete Laravel Sanctum tokens when a user is deleted?
- Keycloak API always returns 401
- Why Does OAuth v2 Have Both Access and Refresh Tokens?
- WSO2 IS 7.1.0 GA: How to Get Token for Sub-Organization User Using Password Grant
- Is silent_redirect_uri obsolete when using grant type Code
- How to get access token from API to use it in header of another API Auth 2.0
- Web API token authentication with a custom user database
- How to prevent token substitution attack?
- What's the point of refresh token?
- What is the purpose of a "Refresh Token"?
- Why does my Wix OAuth installer redirect to "undefined" instead of my redirect URL?
- Is there any way to hide the mapbox access token when initializing the map?
- How do I persist the the user with supabase using nextjs?
- Python Script Token Refresh Mechanism Problem for Spotify API
- Keycloak Account API returns Unauthorized 401 with token from user logged in via my spring client
- Signature validation of my Azure access-token, Private-key?
- Azure generation token invalid signature
- Is is safe to store access token in session storage of client browser?
- AWS API Gateway Access vs Id Token
- Microsoft App Registration - how to create meetings using OnlineMeetings.ReadWrite.All within an application context and not a user context?
- The type or namespace name "IRestResponse" could not be found (are you missing a using directive or an assembly reference?)
- Azure Synapse time out - Token expire
- Microsoft Azure: How to get the Auth Token after SAML authentication on a enterprise application
- Do Google refresh tokens expire?