Duende.BFF (AAD) get roles in the API roles in the frontend
I'm using Duende.BFF with AAD. I have two app registrations, one for the BFF and one for the API it does access. The API defines scopes and user roles.
This works fine, but now I need to deliver the roles of the user to the FE to render components based on it.
What is the best practice to do so?
All of the following doesn't seem tempting:
Define the roles in the bff app reg as well. This works, roles are returned in the bff/user endpoint. But has the huge downside of duplicating the roles.
Create a /bff/roles endpoint and request the API to get roles
Create a /bff/roles endpoint and try to parse the access token (if there is any for the API) and return it.
So again: What is the best practice to do so?
Thank you!
To deliver the roles of the user to the FE to render components based on it make use of access token generated by Azure AD.
I created an Azure AD Application and created App roles:
And in the Frontend application (FEApp) added API permissions:
For sample, I added role to the user:
Generated access token using below parameters via Postman:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
client_id:ClientID
scope:api://BEAppID/.default
grant_type:authorization_code
redirect_uri:https://jwt.ms
client_secret:ClientSecret
code:code
When decoded the access token role is displayed:
Otherwise, create a /bff/roles endpoint and request the API to get roles.
Reference:
- How do you allow two DLL's with same namespace.class to exist in the same application?
- Duplicate characters when typing in VS 2022 .cs page
- .NET Aspire on existing docker project
- Azure Table Storage - No connection could be made because the target machine actively refused it 127.0.0.1:10002
- Trouble Adding Security Scheme for Identity in NSwag OpenAPIDocument with ASP.NET Core 8
- How is RegisterStartupScript called when Page.ClientScript.IsStartupScriptRegistered?
- Populate checklist in another webform
- .NET 4.5 changing how Response.IsRequestBeingRedirected behaves on Ajax calls - why?
- Javascript not working in Partial View
- File upload .NET Core 'IFormFile' does not contain a definition for 'SaveAsASync' and no extension method
- Gridview.SelectedRow returns null
- The constraint reference 'string' could not be resolved to a type. (netcoreapp3.0)
- JavaScript Timer Event to read a session variable in ASP.NET
- How to utilize WebDev.WebServer.exe (VS Web Server) in x64?
- Function set td text in <%if statement%> always be called
- How do I find out what is causing Edge Developer Tools to be BLANK on the company ASP.NET WebForms website?
- Token handler unable to convert the token to jwt token
- ASP.net making an AJAX call with Jquery
- Why is await async freezing the UI on my aspx page?
- ASP.NET Web Api: The requested resource does not support http method 'GET'
- OnItemCommand not firing from nested DataList
- C# UnitTests Mock File ReadAllBytes throws System.IO.FileNotFoundException
- How can I programmatically recycle a .net web app's own apppool?
- How do I get the the value of an ASP.NET hiddenfield in a typescript file
- Connect textbox in gridview and dropdownlist with a single datatable so that values can change in both at once without requiring a postback in ASP.NET
- HTTP Error 503. The service is unavailable. App pool stops on accessing website
- Paging through an IEnumerable
- Could not find a part of the path ... bin\roslyn\csc.exe
- .net max class size
- How do I mitigate the HTTP Parameter Pollution vulnerability for the Captcha.aspx in the ASP.NET Web Forms application