.NET 6 MVC Application With MS Identity Platform (Azure) Integration Does Not Return Roles


I have created a boilerplate .NET 6 MVC web application and chosen the Azure AD Authentication type and connected it to my tenant and Azure application. The Azure application has roles set up.

In other applications when I check for 'User.IsInRole(roleName)' it correctly identifies whether or not the current user has been assigned to that role.

In this new application none of the roles correctly appear as true.

In the Program.cs I have:

using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

var initialScopes = builder.Configuration["DownstreamApi:Scopes"]?.Split(' ')
    ?? builder.Configuration["MicrosoftGraph:Scopes"]?.Split(' ');

// Add services to the container.
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"))
    .EnableTokenAcquisitionToCallDownstreamApi(initialScopes)
    .AddMicrosoftGraph(builder.Configuration.GetSection("MicrosoftGraph"))
    .AddInMemoryTokenCaches();

builder.Services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
    // The claim in the JWT where app roles are available.
    options.TokenValidationParameters.RoleClaimType = "roles";
});

builder.Services.AddAuthorization(options =>
{
    // Require an authenticated user for every endpoint that has no explicit policy.
    options.FallbackPolicy = options.DefaultPolicy;
});

and in my appsettings:

  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "the.domain",
    "TenantId": "tenantId",
    "ClientId": "clientId",
    "CallbackPath": "/signin-oidc",
    "ClientSecret": "somesecret",
    "ClientCertificates": []
  },

What am I missing?


1 answer

Cef On

For whatever reason in the .NET 6 MVC app the RoleClaimType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" instead of "roles".

So in the Program make sure it looks like this:

builder.Services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
    // The claim in the JWT where app roles are available.
    options.TokenValidationParameters.RoleClaimType =
        "http://schemas.microsoft.com/ws/2008/06/identity/claims/role";
});
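As an added example that is not part of the question or the answer, the stand-alone C# console program below reproduces the mechanism behind the symptom using only System.Security.Claims (no ASP.NET Core or Microsoft.Identity.Web needed). User.IsInRole() consults the ClaimsIdentity.RoleClaimType, which the token handler copies from TokenValidationParameters.RoleClaimType. When the handler's inbound claim mapping has renamed the JWT's "roles" claim to ClaimTypes.Role (the schema URI quoted in the answer) but the identity was configured to look under "roles", every IsInRole check returns false. The user name and role values are constructed sample data; the CandidateRoleClaimTypes helper is a diagnostic written for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Added example: why User.IsInRole() depends on RoleClaimType matching the
// claim type the token handler actually emitted into the ClaimsPrincipal.
static class RoleClaimDemo
{
    // Short claim name Azure AD uses for app roles in the JWT.
    const string ShortRoleType = "roles";

    // Long URI the default inbound claim mapping turns "roles" into
    // (ClaimTypes.Role == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role").
    static readonly string MappedRoleType = ClaimTypes.Role;

    // Build a principal whose role claims carry claimTypeInToken, while the
    // identity is told to look for roles under configuredRoleClaimType.
    // This mirrors what the OIDC handler does with TokenValidationParameters.RoleClaimType.
    static ClaimsPrincipal BuildPrincipal(string claimTypeInToken, string configuredRoleClaimType)
    {
        var claims = new List<Claim>
        {
            new Claim("preferred_username", "alice@contoso.example"), // constructed sample user
            new Claim(claimTypeInToken, "Admin"),                      // constructed app role
            new Claim(claimTypeInToken, "Reader"),                     // constructed app role
        };
        var identity = new ClaimsIdentity(claims, "OpenIdConnect",
            nameType: "preferred_username", roleType: configuredRoleClaimType);
        return new ClaimsPrincipal(identity);
    }

    // Diagnostic helper (example-only): list the claim types on a principal that
    // could carry roles, so RoleClaimType can be set to what is really present.
    static IEnumerable<string> CandidateRoleClaimTypes(ClaimsPrincipal user) =>
        user.Claims
            .Select(c => c.Type)
            .Distinct()
            .Where(t => t == ShortRoleType || t == MappedRoleType);

    static void Main()
    {
        // Case 1: roles were mapped to the schema URI, but the app configured
        // RoleClaimType = "roles" (the situation described in the question).
        var mismatched = BuildPrincipal(MappedRoleType, ShortRoleType);
        Console.WriteLine($"mismatch  IsInRole(Admin) = {mismatched.IsInRole("Admin")}");

        // Case 2: RoleClaimType set to the mapped URI (the answer's fix).
        var fixedUri = BuildPrincipal(MappedRoleType, MappedRoleType);
        Console.WriteLine($"fixed     IsInRole(Admin) = {fixedUri.IsInRole("Admin")}");

        // Case 3: inbound mapping disabled, claim keeps the short "roles" name
        // and RoleClaimType = "roles" matches it.
        var unmapped = BuildPrincipal(ShortRoleType, ShortRoleType);
        Console.WriteLine($"unmapped  IsInRole(Admin) = {unmapped.IsInRole("Admin")}");

        // Show the diagnostic on the failing principal: the role claims exist,
        // they are just filed under a type the identity is not looking at.
        var expected = mismatched.Identities.First().RoleClaimType;
        foreach (var t in CandidateRoleClaimTypes(mismatched))
            Console.WriteLine($"role claims found under: {t}  (identity expects: {expected})");
    }
}
```

Case 1 prints false; cases 2 and 3 print true. The mismatch fails closed (every role check denies), which is why the question's application shows no roles rather than too many. In a real ASP.NET Core app the same diagnostic can be run over HttpContext.User in a controller action to confirm which claim type actually carries the roles before choosing a RoleClaimType; setting OpenIdConnectOptions.MapInboundClaims = false keeps the short "roles" name from the token, in which case "roles" is the right value, whereas with mapping left on the schema URI from the answer is the one that matches.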