Tags: azure, azure-authentication

Roles assigned to managed identity in Azure not present in token

I am using role assignments on applications extensively. When I generate a token for my API as a user, I get the roles that I have been assigned.

For instance, here I am in a group and that group has been assigned the role Developer: [image: principal role assignment]

When I generate a token for the API that this principal protects, I get the following in the resulting JWT:

"roles": [
  "Developer"
]

The token is generated using OAuth 2.0, where a SPA is the client that is in the azp claim of the resulting token.

Now I want to do the same thing, but from APIM and for a principal. APIM has a user-assigned managed identity that I have assigned an Application-only role over the same principal as in the first image. The assignment is in place on the principal backing the managed identity: [image: managed identity app role assignment]

To verify, I've added an operation to APIM with the following policy:

<inbound>
    <authentication-managed-identity resource="api://{{the-api-I-want-toca--}}" client-id="{{apim-clientId}}" output-token-variable-name="access-token" ignore-error="false" />
    <return-response>
        <set-status code="200" reason="OK" />
        <set-body>@("Bearer " + (string)context.Variables["access-token"])</set-body>
    </return-response>
</inbound>

I can call this operation and I get a token back, but there is no role claim or any other metadata on the token at all.

What I want to achieve is the ability to determine what kind of permissions a principal has based on the role claim, the same way I can do with user accounts.

Am I misinterpreting something here? How come it doesn't behave the same way for principals as it does for users? How can I achieve the same behaviour in my new use case with principals?

Solution

  • Have you tried again 24 hours later? One possibility is that you acquired a token for this API using the Managed Identity before the role was assigned. Managed Identity endpoint caches tokens for 24 hours (see docs), so any changes to permissions that rely on values in the token won't be reflected until this cache expires.

    Note this won't apply to Azure RBAC roles and such as the token itself does not change in that case.
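To check whether the token APIM hands back is an old cached one that predates the app role assignment (the cause the answer above describes), it helps to inspect the token's `iat`, `exp` and `roles` claims directly. The following is an added diagnostic helper, not code from the question or answer: it decodes the payload of a compact JWT without verifying the signature (it is for troubleshooting only; a resource API must still validate signature and audience before trusting `roles`), accepts the `Bearer ...` string the APIM policy returns, and flags a token issued before a given assignment timestamp. The sample tokens, audience, client id and timestamps are constructed for the example.

```python
import base64
import json
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_payload(token: str) -> dict:
    """Return the JWT payload as a dict WITHOUT verifying the signature.

    Diagnostic use only: whatever consumes the token for authorization must
    validate the signature, issuer and audience before trusting any claim.
    """
    if token.lower().startswith("bearer "):
        token = token[7:]  # the APIM policy above returns "Bearer <jwt>"
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def diagnose_roles(token: str, role_assigned_at: Optional[int] = None) -> dict:
    """Summarise the claims relevant to the 'roles missing' symptom.

    If role_assigned_at (Unix seconds) is given and the token's iat is earlier,
    the token was minted before the app role assignment existed, which is what a
    cached Managed Identity token looks like until the cache expires.
    """
    claims = decode_jwt_payload(token)
    roles = claims.get("roles", [])
    iat = claims.get("iat")
    result = {
        "aud": claims.get("aud"),
        "azp": claims.get("azp"),
        "roles": roles,
        "issued_at": iat,
        "expires_at": claims.get("exp"),
        "has_roles": bool(roles),
        "predates_assignment": False,
    }
    if role_assigned_at is not None and iat is not None and iat < role_assigned_at:
        result["predates_assignment"] = True
    return result


def _make_unsigned_jwt(payload: dict) -> str:
    # Constructed sample token for this example: header + payload + empty signature.
    # Real Entra ID tokens are signed (RS256); this placeholder only exercises decoding.
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


# Constructed values: an assignment time, a user token minted after it (roles present)
# and a managed-identity token minted an hour before it (roles absent, as cached).
ASSIGNMENT_TIME = 1_700_000_000
USER_TOKEN = _make_unsigned_jwt({
    "aud": "api://constructed-api",        # constructed audience
    "azp": "constructed-spa-client-id",    # constructed SPA client id
    "iat": ASSIGNMENT_TIME + 600,
    "exp": ASSIGNMENT_TIME + 4200,
    "roles": ["Developer"],
})
MI_TOKEN = _make_unsigned_jwt({
    "aud": "api://constructed-api",
    "iat": ASSIGNMENT_TIME - 3600,
    "exp": ASSIGNMENT_TIME + 82800,        # cached MI tokens can be valid for up to ~24h
})

if __name__ == "__main__":
    print(json.dumps(diagnose_roles("Bearer " + USER_TOKEN), indent=2))
    print(json.dumps(diagnose_roles(MI_TOKEN, role_assigned_at=ASSIGNMENT_TIME), indent=2))
```

Paste the string returned by the APIM test operation into `diagnose_roles` together with the time you created the app role assignment: `predates_assignment` being true with an empty `roles` list matches the caching explanation, and `expires_at` tells you when a fresh token will be requested.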