Open michiproep opened 1 year ago
This could be due to the "Roles" claim being mapped incorrectly by Microsoft.Identity.Web
.
Might be solved with the code in https://github.com/AzureAD/microsoft-identity-web/pull/2027 ? (or using some rather ugly builder.Services.AddTransient<IClaimsTransformation, RenameRolesClaim>();
code that remaps roles claims:
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
public class RenameRolesClaim : IClaimsTransformation
{
/// <summary>
/// Rename AAD claims from "roles" to "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
/// </summary>
public Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
{
var roles = principal.Claims.Where(claim => claim.Type == "roles").ToList();
if (roles.Any())
principal.AddIdentity(new ClaimsIdentity(roles.Select(role => new Claim(ClaimTypes.Role, role.Value))));
return Task.FromResult(principal);
}
}
I'll try but in this case there are no roles at all. well, maybe the scope stays... let's see
@michiproep did you ever find a reasonable solution to this? I'm having the same issue. The authentication should still be successful even if there are no specific roles. I got this behavior after updating Microsoft.Identity.Web from 1.7.0 -> 3.1.0.
@kopfsick No, I did not find a (good) solution. What you can do is adding a dummy role (or empty) within the tokenValidated event. But I agree, this should not be the final solution
Microsoft.Identity.Web Library
Microsoft.Identity.Web
Microsoft.Identity.Web version
1.26.0
Web app
Not Applicable
Web API
Protected web APIs (validating tokens)
Token cache serialization
In-memory caches
Description
If I add groups as optional claims with option "Emit groups as role claims" in AzureAd Token Configuration, the resulting token for a client credential flow / confidentialClientApplication might have no roles[] claim.
When sending this token to a web-api which just "RequiresAuthenticatedUser()" the httpContext.User is not populated by the authentication middleware although I can see a valid ClaimsPrincipal within OnTokenValidated=>context.Principal.
As a result, Authorization fails.
Reproduction steps
Error message
Authorize-Policy => Failure => Do not allow anonymous user
Id Web logs
Relevant code snippets
Regression
No response
Expected behavior
Even if a token is missing role claims, the confidentialClient should still get authenticated.