{
"$type": "site.standard.document",
"canonicalUrl": "https://johnnyreilly.com/posts/azure-easy-auth-and-roles-with-net-and-microsoft-identity-web",
"description": "The `Microsoft.Identity.Web` library has authorization issues with roles. An `IClaimsTransformation` can map claims to fix the problem.",
"path": "/posts/azure-easy-auth-and-roles-with-net-and-microsoft-identity-web",
"publishedAt": "2021-01-17T00:00:00.000Z",
"site": "at://did:plc:yy3apqjlms24kso7ahn7lbmb/site.standard.publication/3mova7c4nho2b",
"tags": [
"azure",
"asp.net",
"easy auth",
"auth"
],
"textContent": "I wrote recently about how to get Azure App Service Easy Auth to work with roles. This involved borrowing the approach used by MaximeRouiller.Azure.AppService.EasyAuth.\n\nAs a consequence of writing that post I came to learn that official support for Azure Easy Auth had landed in October 2020 in v1.2 of Microsoft.Identity.Web. This was great news; I was delighted.\n\nHowever, it turns out that the same authorization issue that MaximeRouiller.Azure.AppService.EasyAuth suffers from is visited upon Microsoft.Identity.Web as well. This post shows how to resolve it with IClaimsTransformation.\n\nIf you're looking for information about Easy Auth and authentication with .NET and Azure Container Apps, you can find it here.\n\nGetting set up\n\nWe're using a .NET 5 project, running in an Azure App Service (Linux). In our .csproj we have:\n\nIn our Startup.cs we're using:\n\nYou gotta roles with it\n\nWhilst the authentication works, authorization does not. So whilst my app knows who I am, the authorization is not working in relation to roles.\n\nWhen using Microsoft.Identity.Web directly, running locally, we see these claims:\n\nHowever, we get different behaviour with Easy Auth; it provides role-related claims with a different type:\n\nThis means that role-related authorization _does not work_ with Easy Auth:\n\nThis is because .NET is looking for claims with a type of \"http://schemas.microsoft.com/ws/2008/06/identity/claims/role\" and not finding them with Easy Auth.\n\nClaims transformation with IClaimsTransformation\n\nThere is a way to work around this issue in .NET using IClaimsTransformation. This is a poorly documented feature, but fortunately Gunnar Peipman's blog does a grand job of explaining it.\n\nInside our Startup.cs I've registered a claims transformer:\n\nAnd that claims transformer looks like this:\n\nThe class above creates a new principal with \"roles\" claims mapped across to \"http://schemas.microsoft.com/ws/2008/06/identity/claims/role\". This is enough to get .NET treating roles the way you'd hope.\n\nI've raised an issue against the Microsoft.Identity.Web repo about this. Perhaps one day this workaround will no longer be necessary.",
"title": "Azure App Service, Easy Auth and Roles with .NET and Microsoft.Identity.Web"
}