azure.net-coreazure-active-directorysingle-page-applicationblazor-webassembly

EntraID: how to pass application roles downstream


I am working on an SPA (Blazor wasm), that uses AzureAD/EntraID with "authorization code flow".

The app is hosted in an ASP.NET Core 8 Web API service, that exposes some simple APIs for now. I have configured the app to request and attach downstream access token (based on this). The access token is reaching the endpoint. So far so good.

But I also want to use application roles. I have configured them, and I do get them in the ID token (just for reference). But I need those roles on the backend side as well.

How can I include that (or any other claim for that matter from the identity token) into the downstream token?

[Update]

I have figured it out. The issue was that I requested the access token to something else. I had to do the following:

And now the roles are included in the access token because the token is intended for the same application. Indeed, roles unknown to the other API are useless to include.


Solution

  • To get app roles in the access token, check the below:

    Expose an API and add scope in the Microsoft Entra ID application:

    enter image description here

    Created App role:

    enter image description here

    Grant API permissions as below:

    enter image description here

    In the Enterprise application, assign a user to this app role:

    enter image description here

    For sample, generated tokens for the API via Postman by using below parameters:

    POST https://login.microsoftonline.com/TenantId/oauth2/v2.0/token
    grant_type:authorization_code
    client_id:ClientID
    client_secret:ClientSecret
    scope:api://xxx/.default
    code:code
    redirect_uri:https://jwt.ms
    

    enter image description here

    When I decoded roles claim is displayed in the access token:

    enter image description here

    If still the issue persists, check below: