AzureAD / microsoft-authentication-library-for-dotnet

Microsoft Authentication Library (MSAL) for .NET
https://aka.ms/msal-net
MIT License

[Bug] (maybe) missing roles #4489

Closed AnthonyGiretti closed 1 month ago

AnthonyGiretti commented 9 months ago

Library version used

8.0.0

.NET version

.NET 8

Scenario

WebSite

Is this a new or an existing app?

None

Issue description and reproduction steps

Roles are missing in the JWT. I upgraded from version 3.2.1, and that version automatically brought roles into the JWT. I tried to add roles myself with the code snippet below without success. How do I get roles in version 8.0.0?

Relevant code snippets

options.ProviderOptions.DefaultAccessTokenScopes.Add("roles"); // Not working
options.ProviderOptions.AdditionalScopesToConsent.Add("roles"); // Not working

Expected behavior

No response

Identity provider

Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)

Regression

No response

Solution and workarounds

No response

jmprieur commented 9 months ago

@AnthonyGiretti : the roles claim is directed by the service (Microsoft Entra), not by the app. See https://learn.microsoft.com/entra/identity-platform/enterprise-app-role-management
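To make the point above concrete, here is an added example (not code from this thread or from the MSAL repository) of the resource side: an ASP.NET Core API that enforces an Entra app role. The `roles` claim only appears when an app role is defined on the app registration and assigned to the user or group; the client's scope list does not request it. It assumes Microsoft.Identity.Web, an `AzureAd` configuration section, and an app role value named `Admin.Read`, all of which are assumptions.

```csharp
// Added example: validate Entra tokens and authorise on the "roles" claim.
// Assumes an "AzureAd" config section (tenant, client id, audience) and an app role
// whose value is "Admin.Read", defined in the registration's appRoles and assigned
// to the caller in Entra. Nothing here is from the MSAL repo or the thread.
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;

var builder = WebApplication.CreateBuilder(args);

// Token validation (issuer, audience, signature, lifetime) for tokens issued by Entra.
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));

// Set the role claim type explicitly so RequireRole/[Authorize(Roles=...)] read
// the "roles" array that Entra emits for assigned app roles.
builder.Services.Configure<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme, o =>
{
    o.TokenValidationParameters.RoleClaimType = "roles";
});
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Callers without the assigned app role get 403, regardless of which scopes
// the client asked for when acquiring the token.
app.MapGet("/admin", () => "ok")
   .RequireAuthorization(p => p.RequireRole("Admin.Read"));

// Diagnostic endpoint for the situation in this issue: reads the presented token
// (already validated by the middleware) and lists the app roles Entra placed in it.
// An empty list means the fix is in the Entra app registration/assignment, not the SDK.
app.MapGet("/whoami/roles", (HttpContext ctx) =>
{
    var raw = ctx.Request.Headers.Authorization.ToString().Replace("Bearer ", "");
    return RolesIn(raw);
}).RequireAuthorization();

app.Run();

// Extracts the "roles" claim values; inspection only, the middleware did the signature check.
static string[] RolesIn(string jwt) =>
    new JwtSecurityTokenHandler().ReadJwtToken(jwt).Claims
        .Where(c => c.Type == "roles").Select(c => c.Value).ToArray();
```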

AnthonyGiretti commented 9 months ago

Thanks.

Can you clarify? I already set up roles in Entra ID. With MSAL version 3.2.1 they show up in the JWT; they don't anymore in version 8.0.0. In OAuth, you are supposed to request the roles by adding scopes such as « openid roles » in the GET call for OIDC authentication. In the SDK, here are my options, but none are working:

image


AnthonyGiretti commented 9 months ago

For now, I have to keep version 3.2.1 which is deprecated to keep roles in the JWT.

bgavrilMS commented 1 month ago

Not an SDK issue.