Authorization in Azure AD B2C

Jamal Ashraf 31 Reputation points
2022-10-06T14:12:38.05+00:00

Dear All, I can understand that authorization is not a core feature of Azure AD B2C. Would anyone please give a proper workaround for this problem? What I actually want is to add a role to my token, so for example there would be role:admin (or instead of admin we can write any value and assign it to a role). When we access this application from the front end we have a token with this claim in it, and we can do authorization on my API in the backend.

All other users have no claim in their token, so they have no access to the specific endpoints where I'll do authorization with that special claim in the token. In that way I can do authorization in Azure AD B2C and achieve my goal. Please help me in this regard and write a well-explained solution.

Summary: I just want to add a role to the token (it could be anything), just to make it differ from normal users in the Azure AD B2C tenant, so that I can achieve authorization with this special token, which would be only for company colleagues, and they can have access to all endpoints.

Microsoft Security Microsoft Entra Microsoft Entra External ID

1 answer

  1. James Hamil 27,211 Reputation points Microsoft Employee Moderator
    2022-10-24T21:13:51.8+00:00

    Hi @Jamal Ashraf, from my understanding it looks like you're looking for an RBAC solution. Unfortunately, Azure AD B2C doesn't quite support this, but there are some good alternatives for your situation. Please take a look through this thread.

    "You cannot use Role-based Authorization with Azure AD B2C as it utilizes IEF (Identity Experience Framework) to specify which attributes should be collected from the user(s) during sign-up and which application claims should be returned in the token after successful authentication.

    Any roles that you specify using the App Registration blade are applicable and returned in token only when the authentication is done against standard Azure AD and not Azure AD B2C.

    You should consider using specific attributes that are collected from the user(s) during Sign-up or inserted by RESTful API Connector or set by using Graph API patch calls. Then use the Attribute value to distinguish between the users who should get access to the API and who should not. Once done, you can use Claims-based Authorization.

    Here is the only sample available that closely matches your requirement: How to secure a Web API built with ASP.NET Core using the Azure AD B2C. Rather than using scope-based authorization, you need to configure it for Claims-based Authorization as mentioned Here."

    I hope this helps answer your question. If not please let me know and I can help you further.

    Thank you,
    James
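The claims-based approach the answer points to, as an added example (not code from the answer or from the linked Microsoft sample): an ASP.NET Core minimal Web API that validates B2C tokens with Microsoft.Identity.Web and gates one endpoint on a custom attribute claim. The claim name `extension_Role`, the value `admin` and the policy name `StaffOnly` are assumptions; the attribute is expected to be set server-side (Graph API patch or API connector), never from a field the user fills in at sign-up.

```csharp
// Program.cs for an ASP.NET Core (.NET 6+) Web API protected by Azure AD B2C.
// Added example, not from the thread. Assumes the B2C user flow returns the custom
// attribute "extension_Role" as an application claim and that staff accounts have it
// set to "admin" (both names are assumptions, not values from the thread).
//
// appsettings.json is expected to contain:
//   "AzureAdB2C": { "Instance": "https://<tenant>.b2clogin.com", "Domain": "<tenant>.onmicrosoft.com",
//                   "ClientId": "<api-app-id>", "SignUpSignInPolicyId": "B2C_1_signupsignin" }
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

// Validate the B2C-issued bearer token: signature, issuer, audience and expiry.
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAdB2C"));

// Claims-based authorization: satisfied only when the token carries
// extension_Role with the exact value "admin". Ordinary users never receive the
// claim, so a valid token without it is authenticated but fails the policy (HTTP 403).
builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("StaffOnly", policy =>
        policy.RequireAuthenticatedUser()
              .RequireClaim("extension_Role", "admin"));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Any signed-in B2C user may call this endpoint (no role claim required).
app.MapGet("/api/profile", (ClaimsPrincipal user) =>
        Results.Ok(new { name = user.Identity?.Name }))
   .RequireAuthorization();

// Only tokens carrying extension_Role=admin reach this endpoint.
app.MapGet("/api/admin/report", () => Results.Ok("staff-only data"))
   .RequireAuthorization("StaffOnly");

app.Run();
```

Because the API trusts the claim, the value must be written by a trusted path only; if the attribute were collected from a self-service sign-up form, any user could grant themselves access.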

