Tags: asp.net, azure-active-directory, duende-identity-server, duende

Duende.BFF (AAD) get roles in the API roles in the frontend


I'm using Duende.BFF with AAD. I have two app registrations, one for the BFF and one for the API it accesses. The API defines scopes and user roles.

This works fine, but now I need to deliver the roles of the user to the FE to render components based on it.

What is the best practice to do so?

None of the following seems tempting:

  1. Define the roles in the BFF app registration as well. This works; the roles are returned by the bff/user endpoint. But it has the huge downside of duplicating the roles.

  2. Create a /bff/roles endpoint and request the API to get roles

  3. Create a /bff/roles endpoint and try to parse the access token (if there is any for the API) and return it.

So again: What is the best practice to do so?

Thank you!


Solution

  • To deliver the roles of the user to the FE to render components based on it make use of access token generated by Azure AD.

    I created an Azure AD Application and created App roles:


    And in the Frontend application (FEApp) added API permissions:


    As a sample, I added a role to the user:


    Generated access token using below parameters via Postman:

    https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
    
    client_id:ClientID
    scope:api://BEAppID/.default
    grant_type:authorization_code
    redirect_uri:https://jwt.ms
    client_secret:ClientSecret
    code:code
    


    When the access token is decoded, the role is displayed:


    Otherwise, create a /bff/roles endpoint and request the API to get roles.

    Reference:

    Add app roles and get them from a token - Microsoft Entra
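The /bff/roles endpoint that the question's option 3 and the answer's closing sentence describe, written out as an added example (this is not code from the question, the answer, or the Duende project). It assumes an ASP.NET Core minimal-API host already configured with Duende.BFF and an OpenID Connect handler against Azure AD (that setup is omitted), that the BFF obtains the API access token through the `GetUserAccessTokenAsync` extension from Duende.AccessTokenManagement, and that app roles arrive in the `roles` claim, as in the answer's decoded token. The endpoint name, the `roles` claim name and the `UserToken` property names used here are assumptions to check against the installed package versions.

```csharp
using System.IdentityModel.Tokens.Jwt;          // JwtSecurityTokenHandler (System.IdentityModel.Tokens.Jwt package)
using Duende.AccessTokenManagement.OpenIdConnect; // HttpContext.GetUserAccessTokenAsync() - assumed API
using Duende.Bff;                                // AsBffApiEndpoint, MapBffManagementEndpoints

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddBff();
// Authentication (cookie + OpenID Connect against Azure AD, scope api://<BEAppID>/.default)
// is configured here exactly as in the question and is omitted for brevity.

var app = builder.Build();

app.UseAuthentication();
app.UseBff();
app.UseAuthorization();

// Standard BFF management endpoints (/bff/login, /bff/user, /bff/logout, ...).
app.MapBffManagementEndpoints();

// Option 3 from the question: return the app roles carried by the API access token
// that the BFF holds for the signed-in user, so the SPA can render components.
// The roles are NOT duplicated into the BFF app registration.
app.MapGet("/bff/roles", async (HttpContext ctx) =>
{
    // Token the BFF itself obtained from the Azure AD token endpoint for the API audience.
    // It never came from the browser, so reading its claims here does not trust client input.
    var token = await ctx.GetUserAccessTokenAsync();   // assumed: returns UserToken with AccessToken/IsError
    if (token.IsError || string.IsNullOrEmpty(token.AccessToken))
    {
        return Results.Unauthorized();
    }

    // ReadJwtToken only parses; signature validation stays with the API, which is the
    // token's intended audience. The BFF merely surfaces the claim for UI purposes.
    var jwt = new JwtSecurityTokenHandler().ReadJwtToken(token.AccessToken);

    var roles = jwt.Claims
        .Where(c => c.Type == "roles")   // Azure AD app roles claim (assumed name, as in the answer)
        .Select(c => c.Value)
        .Distinct()
        .ToArray();

    return Results.Ok(new { roles });
})
.RequireAuthorization()   // only for an authenticated BFF session
.AsBffApiEndpoint();      // BFF anti-forgery: requires the X-CSRF: 1 header from the SPA

app.Run();
```

Two points worth keeping in mind with this approach. First, the list the SPA receives is for rendering only; the API still validates the token's signature and audience and enforces the roles on every call, so a tampered UI gains nothing. Second, if no API token exists yet for the session (the user has not triggered a call that needed one, or the refresh failed), the endpoint returns 401 rather than an empty list, so the frontend can distinguish "no roles" from "no token".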