Azure-Samples / active-directory-dotnet-webapp-webapi-openidconnect-aspnetcore

An ASP.NET Core web application that authenticates Azure AD users and calls a web API using OAuth 2.0 access tokens.

Adding custom claims #39

Closed RaySheikh closed 4 years ago

RaySheikh commented 5 years ago

Hello, first of all thank you for creating this sample. I am trying to inject custom user/role claims into the TodoListService from my DB. I'm currently using IClaimsTransformation in the DI, but it never gets called after I receive the claims. Can someone show me where would be the best place to inject custom claims from my DB?

Thanks!

Sonic198 commented 5 years ago

I have the same problem. Were you able to solve that?

TiagoBrenck commented 5 years ago

@Sonic198 are you using IClaimsTransformation as well? Or is your problem just about adding custom claims?

Sonic198 commented 5 years ago

Mainly my problem is to use Azure AD to authenticate users and retrieve their profile photo, but I need to use roles from my MongoDB to authorize them. I was hoping that maybe there is a way to inject my user roles into the token from Azure AD. If not, what is the preferred way to achieve that? I also want to use MongoDB roles to restrict user access in the Angular frontend app. So far I was generating a JWT token once the user authenticates with user name and password (domain authentication) and I was adding roles from MongoDB into the token, so I was able to decode the token in the Angular app and use the roles. My current JWT token:

{
  "someID": "000000000000000000000000",
  "antotherCustomID": "33938",
  "unique_name": "Test",
  "email": "test@test.com",
  "fullName": "Test User",
  "phone": "",
  "thumbnailPhoto": "base64",
  "jti": "d14c9e56-a572-4b87-ab44-4de31dc12b48",
  "iat": 1573645461,
  "role": [
    "user",
    "admin"
  ],
  "nbf": 1573645461,
  "exp": 1573818261
}

TiagoBrenck commented 5 years ago

One solution that we always recommend (when possible and feasible) is to use Azure AD custom claims mapping. In your case, you would use one of the user's extensionAttribute fields.

Long story short, you can have extra claims in your tokens from info that comes from Microsoft Graph. You create the custom claim mapping via PowerShell as mentioned in the link above. Since your custom roles are not in Graph yet, you will have to update the users using the Graph REST API and save the roles in the extensionAttribute (that's what they are used for). So far, we don't have a pre-built tool to update the users in Graph, so you will have to develop that and integrate it with the company's HR process.

If this solution is not a feasible option, then IClaimsTransformation would be the second option; however, if it's not behaving properly, I would recommend opening a bug on the .NetCore GitHub repository.

Sonic198 commented 5 years ago

Unfortunately I can't modify users in the Graph DB. I have to use a separate DB managed by myself. Is there any good sample of how to use IClaimsTransformation? Can I modify the token and use my custom claims in the frontend app using that?

TiagoBrenck commented 5 years ago

You can't modify the token that comes from AAD. See it as a sealed artifact. What you can do, however, is modify the ClaimsPrincipal in .NET, but this step doesn't touch the token itself.

@jmprieur would you know any sample or guide for that?
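As an added example (not code from this sample or from anyone in this thread) of the approach described above: an IClaimsTransformation that leaves the AAD token untouched and enriches the server-side ClaimsPrincipal with roles read from the application's own store. The IUserRoleStore interface and the "db_roles_applied" marker claim are assumptions made here for illustration.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.DependencyInjection;

// Assumed abstraction over the application's own role store (MongoDB in this
// thread); the implementation is left to the application.
public interface IUserRoleStore
{
    Task<string[]> GetRolesAsync(string tenantId, string objectId);
}

public sealed class DbRoleClaimsTransformation : IClaimsTransformation
{
    // Azure AD identifies the user by tenant id + object id, not by e-mail/UPN,
    // so key the lookup on these immutable claims.
    private const string ObjectIdClaim = "http://schemas.microsoft.com/identity/claims/objectidentifier";
    private const string TenantIdClaim = "http://schemas.microsoft.com/identity/claims/tenantid";
    private const string AppliedMarker = "db_roles_applied"; // assumed marker claim
    private readonly IUserRoleStore _roles;

    public DbRoleClaimsTransformation(IUserRoleStore roles) => _roles = roles;

    public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        var identity = principal.Identity as ClaimsIdentity;
        // The transformation can run more than once per request: skip anonymous
        // principals and never add the same role claims twice.
        if (identity == null || !identity.IsAuthenticated || identity.HasClaim(c => c.Type == AppliedMarker))
            return principal;

        var oid = identity.FindFirst(ObjectIdClaim)?.Value;
        var tid = identity.FindFirst(TenantIdClaim)?.Value;
        if (string.IsNullOrEmpty(oid) || string.IsNullOrEmpty(tid))
            return principal; // not an AAD-issued identity we can key on

        // Work on a clone so the identity built from the token stays as issued.
        var clone = principal.Clone();
        var target = (ClaimsIdentity)clone.Identity;
        foreach (var role in await _roles.GetRolesAsync(tid, oid))
            target.AddClaim(new Claim(ClaimTypes.Role, role, ClaimValueTypes.String, issuer: "local-db"));
        target.AddClaim(new Claim(AppliedMarker, "true"));
        return clone;
    }
}

// Registration (Startup.ConfigureServices or Program.cs); the authentication
// middleware invokes every registered IClaimsTransformation after AuthenticateAsync:
//   services.AddScoped<IClaimsTransformation, DbRoleClaimsTransformation>();
```

The added roles exist only in the server-side principal (so [Authorize(Roles = "admin")] works in the API), while the AAD token itself is unchanged, as noted above.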

Sonic198 commented 5 years ago

Or maybe I can authenticate the user in Azure AD but, instead of returning the token to the frontend, I will read the user data and create my own JWT token with my custom claims? Would that work?

TiagoBrenck commented 4 years ago

Closing as we are archiving this sample.

The newer one can be found at: https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/4-WebApp-your-API