I wrote recently about how to get Azure Easy Auth to work with roles. This involved borrowing the approach used by MaximeRouiller.Azure.AppService.EasyAuth.
As a consequence of writing that post I came to learn that official support for Azure Easy Auth had landed in October 2020 in v1.2 of Microsoft.Identity.Web. This was great news; I was delighted.
However, it turns out that the same authorization issue that MaximeRouiller.Azure.AppService.EasyAuth suffers from is visited upon Microsoft.Identity.Web as well.
We're using a .NET 5 project, running in an Azure App Service (Linux). In our .csproj we have:
In Startup.cs we're using:
Roles with it
Whilst the authentication works, authorization does not. So whilst my app knows who I am, authorization is not working in relation to roles.
When using Microsoft.Identity.Web directly, running locally, we see these claims:
However, we get different behaviour with Easy Auth; it provides role-related claims with a different claim type:
This means that role-based authorization does not work with Easy Auth:
This is because .NET is looking for claims of type "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" and not finding them with Easy Auth.
There is a way to work around this issue in .NET using IClaimsTransformation. This is a poorly documented feature, but fortunately Gunnar Peipman's blog does a grand job of explaining it.
In Startup.cs I've registered a claims transformer:
And that claims transformer looks like this:
The class above creates a new principal with "roles" claims mapped across to "http://schemas.microsoft.com/ws/2008/06/identity/claims/role". This is enough to get .NET treating roles the way you'd hope.
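For reference, here is an IClaimsTransformation that performs that mapping, written as an added example rather than lifted from the post; the class name and the registration line in the trailing comment are assumptions, and it copies the claims into a fresh identity instead of mutating the incoming one, since ASP.NET Core may run a transformation more than once per request.

```csharp
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;

// Added example (not the post's code): maps Easy Auth "roles" claims onto
// ClaimTypes.Role, i.e. "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
// which is the claim type [Authorize(Roles = "...")] and IsInRole() look for.
public class EasyAuthRolesClaimsTransformation : IClaimsTransformation
{
    private const string EasyAuthRoleClaimType = "roles";

    public Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        var identity = principal.Identity as ClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated)
            return Task.FromResult(principal);

        var easyAuthRoles = identity
            .FindAll(EasyAuthRoleClaimType)
            .Select(c => c.Value)
            .ToList();
        if (easyAuthRoles.Count == 0)
            return Task.FromResult(principal);

        // Build a new identity with ClaimTypes.Role declared as its role claim type,
        // carrying over every existing claim untouched.
        var mapped = new ClaimsIdentity(
            identity.Claims,
            identity.AuthenticationType,
            identity.NameClaimType,
            ClaimTypes.Role);

        // Transformations can run more than once per request, so only add
        // role claims that are not already present to avoid duplicates.
        foreach (var role in easyAuthRoles)
        {
            if (!mapped.HasClaim(ClaimTypes.Role, role))
                mapped.AddClaim(new Claim(ClaimTypes.Role, role));
        }

        return Task.FromResult(new ClaimsPrincipal(mapped));
    }
}

// Registration in Startup.ConfigureServices (assumed wiring, one line):
// services.AddSingleton<IClaimsTransformation, EasyAuthRolesClaimsTransformation>();
```

Once registered, a controller action decorated with [Authorize(Roles = "Admin")] succeeds for an Easy Auth user whose token carries a "roles" claim with value "Admin", exactly as it does when Microsoft.Identity.Web runs locally.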
I've raised an issue against the Microsoft.Identity.Web repo about this. Perhaps one day this workaround will no longer be necessary.