MaximRouiller / MaximeRouiller.Azure.AppService.EasyAuth

.NET Core integration of Azure AppService EasyAuth
MIT License
54 stars 9 forks

Roles! #11

Open johnnyreilly opened 3 years ago

johnnyreilly commented 3 years ago

Hello!

Thanks for this marvellous shim @MaximRouiller! Happening upon it quite saved my day :smile:

As it turned out, whilst this supports authentication, it doesn't support the roles aspect of authorization. I was able to lift and tweak the code to do that, and I've explained it here:

https://blog.johnnyreilly.com/2021/01/azure-easy-auth-and-roles-with-dotnet-and-core.html

However, I was wondering if this could / should become part of your shim? What do you think?

MaximRouiller commented 3 years ago

I haven't taken the time to review all of this but I feel that we could include it if the changes are minor.

We have to be careful as this component is also used for Social Login (Google, Facebook, Twitter).

Let me review this and see if we can include it without breaking anyone.

johnnyreilly commented 3 years ago

Thanks! An alternative approach could be exposing some kind of claims transformation hook that would allow people to take the supplied claims and transform them prior to populating the principal.

I'm thinking of something along these lines: https://stackoverflow.com/a/39097898/761388
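Added example, not code from the shim, the blog post or the linked Stack Overflow answer: a claims transformation hook of the kind described in the comment above, written in C# against ASP.NET Core's `IClaimsTransformation`. It decodes the `X-MS-CLIENT-PRINCIPAL` header that App Service Authentication (EasyAuth) sets (base64 JSON carrying `auth_typ`, `name_typ`, `role_typ` and a `claims` array of `typ`/`val` pairs), builds a principal from it, and then copies claims of a configurable source type into `ClaimTypes.Role` so `[Authorize(Roles = "...")]` and `IsInRole` work. The class names, the `roles` source claim type and the sample principal in `Demo` are assumptions made for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Text;
using System.Text.Json;
using System.Text.Json.Serialization;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;

// JSON shape EasyAuth places, base64-encoded, in the X-MS-CLIENT-PRINCIPAL header.
public sealed class EasyAuthClientPrincipal
{
    [JsonPropertyName("auth_typ")] public string AuthType { get; set; } = "";
    [JsonPropertyName("name_typ")] public string NameClaimType { get; set; } = "";
    [JsonPropertyName("role_typ")] public string RoleClaimType { get; set; } = "";
    [JsonPropertyName("claims")] public List<EasyAuthClaim> Claims { get; set; } = new();
}

public sealed class EasyAuthClaim
{
    [JsonPropertyName("typ")] public string Type { get; set; } = "";
    [JsonPropertyName("val")] public string Value { get; set; } = "";
}

// Hypothetical parser: header -> ClaimsPrincipal, mirroring what a shim does before
// the transformation hook runs. Only the name claim type is set here, so roles are
// NOT yet usable by IsInRole; the transformation below adds them.
public static class EasyAuthPrincipalParser
{
    public const string HeaderName = "X-MS-CLIENT-PRINCIPAL";

    public static ClaimsPrincipal Parse(string base64Header)
    {
        var json = Encoding.UTF8.GetString(Convert.FromBase64String(base64Header));
        var p = JsonSerializer.Deserialize<EasyAuthClientPrincipal>(json)
                ?? throw new InvalidOperationException("empty client principal");
        var claims = p.Claims.Select(c => new Claim(c.Type, c.Value));
        var identity = new ClaimsIdentity(claims, p.AuthType, p.NameClaimType, roleType: null);
        return new ClaimsPrincipal(identity);
    }
}

// Claims transformation hook: runs after authentication, before authorization.
// Copies every claim of `sourceRoleClaimType` into ClaimTypes.Role. Social-login
// identities (Google, Facebook, Twitter) carry no such claim, so this is a no-op for them.
public sealed class EasyAuthRoleClaimsTransformation : IClaimsTransformation
{
    private readonly string _sourceRoleClaimType;

    // "roles" is the claim name Azure AD uses for app roles (assumption for the example).
    public EasyAuthRoleClaimsTransformation(string sourceRoleClaimType = "roles")
        => _sourceRoleClaimType = sourceRoleClaimType;

    public Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        if (principal.Identity is not ClaimsIdentity identity || !identity.IsAuthenticated)
            return Task.FromResult(principal);

        // Guard against duplicates: the hook can run more than once per request.
        var existing = new HashSet<string>(
            identity.FindAll(ClaimTypes.Role).Select(c => c.Value), StringComparer.Ordinal);

        foreach (var claim in identity.FindAll(_sourceRoleClaimType).ToList())
        {
            if (existing.Add(claim.Value))
                identity.AddClaim(new Claim(ClaimTypes.Role, claim.Value, claim.ValueType,
                                            claim.Issuer, claim.OriginalIssuer, identity));
        }
        return Task.FromResult(principal);
    }
}

public static class Demo
{
    // Constructed sample principal, NOT captured from a real App Service request.
    public static async Task<bool> RunAsync()
    {
        var sample = new EasyAuthClientPrincipal
        {
            AuthType = "aad",
            NameClaimType = "name",
            RoleClaimType = "roles",
            Claims = new List<EasyAuthClaim>
            {
                new() { Type = "name", Value = "Jane Doe" },
                new() { Type = "roles", Value = "admin" },
                new() { Type = "roles", Value = "reader" },
            }
        };
        var header = Convert.ToBase64String(Encoding.UTF8.GetBytes(JsonSerializer.Serialize(sample)));

        var principal = EasyAuthPrincipalParser.Parse(header);
        bool before = principal.IsInRole("admin");                 // false: no ClaimTypes.Role yet
        principal = await new EasyAuthRoleClaimsTransformation().TransformAsync(principal);
        bool after = principal.IsInRole("admin");                  // true after the hook
        return !before && after;
    }
}
```

Register the hook with `services.AddTransient<IClaimsTransformation, EasyAuthRoleClaimsTransformation>();` alongside the shim's authentication handler. The security caveat that goes with any header-based scheme applies here: `X-MS-CLIENT-PRINCIPAL` is only trustworthy when the request reached the app through App Service Authentication, which sets the header itself; if the app can be reached directly, or when running locally, a client can forge it and would mint its own roles, so the parser must not be enabled on paths that bypass the platform.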

johnnyreilly commented 3 years ago

I've provided a PR for the claims transformation hook approach that I suggested; you can find it here

johnnyreilly commented 3 years ago

A peculiar PS I thought I'd share. Off the back of your tweet I reached out to @mattchenderson and he was good enough to respond: https://twitter.com/mattchenderson/status/1350137204719321091

Strangely, it looks like as of v1.2 of Microsoft.Identity.Web, this shim shouldn't be necessary: https://github.com/AzureAD/microsoft-identity-web/wiki/1.2.0#integration-with-azure-app-services-authentication-of-web-apps-running-with-microsoftidentityweb

> From version 1.2.0, the same code for your web app written with Microsoft.Identity.Web will work seamlessly with or without EasyAuth. Your web app can sign-in users and possibly call web APIs or Microsoft Graph. Indeed, Microsoft.Identity.Web now detects that the app is hosted in App Services, and uses that authentication.

It looks like @jmprieur's PR: https://github.com/AzureAD/microsoft-identity-web/pull/700 was designed to add this functionality.

However, using v1.4.1 of Microsoft.Identity.Web with `services.AddMicrosoftIdentityWebAppAuthentication(Configuration);`, it doesn't seem to want to play ball. If it is supposed to be able to work, I haven't managed to work out how. And the official docs still say it's not supported.

Mysterious. I've logged an issue on their repo.

dasiths commented 3 months ago

> Thanks! An alternative approach could be exposing some kind of claims transformation hook that would allow people to take the supplied claims and transform them prior to populating the principal.
>
> I'm thinking of something along these lines: https://stackoverflow.com/a/39097898/761388

Have a look at this library as it allows exactly what you're after. https://github.com/dasiths/NEasyAuthMiddleware