Roled based authorization in Azure AD B2C

Question

Roled based authorization in Azure AD B2C

Jorge Lopez 51

I'm building and application SPA + API which allows my costumers to log in (not sign up, the admin will register new users manually). and I want to grant permissions to different endpoints based on Group permissions (or roles instead). I'm using Azure functions for the serverless API, and React for the SPA.

I manage to set up the authorization part with Azure active Directory B2C successfully, as it seems the right alternative to handle with external costumers. The MSAL for React is very straightforward, and there is also a useful tutorial to implement Role-Based Access Control using Groups in Azure AD. However it seems that this feature is only available in Azure AD (not in the AD B2C), according to this references: link1 link2. (And obviously I don't want to allow users in the registration process to choose their group like suggested in this last link).

So my questions are:

There is any way to implement some kind of RBAC in Azure AD B2C?
If not, use Azure AD instead (which does allow it) is advisable to manage with external costumers?

1 answer

Your answer

Answer 1

Marilee Turscak-MSFT 37,206 Microsoft Employee Moderator

Hi @Jorge Lopez ,

As you correctly pointed out, you cannot use Role-based Authorization with Azure AD B2C as it uses the Identity Experience Framework to specify which attributes should be collected from the users during sign-up and which application claims will be returned in the token after successful authentication. In addition, since users are using social identities where they typically sign up and create the accounts, it would be difficult for the admin to add their accounts to the app assigning the roles to their identities.

Any roles specified using the App Registration get applied and returned in the token only when the authenticated against standard Azure AD and not Azure AD B2C.

The closest sample that matches your requirement would likely be the guide, How to secure a Web API built with ASP.NET Core using the Azure AD B2C. You would need to set it up to use Claims-based Authorization to determine whether the users should get access to the API based on attributes that are inserted for the users by the RESTful API Connector or set by using Graph API calls.

There is a related thread here that discusses this option as well as a few other options to achieve a similar scenario.

-

If the information was useful, please Accept the answer. This will help us and other members of the community who may be researching similar questions.

Jorge Lopez 51 Reputation points

2022-10-26T13:17:44.243+00:00
HI MarileeTurscak,

Thanks for the response, after some days of work I have finally managed to implement a solution using a connection API to enrich the tokens with the AppRoles attribute. Now my doubts fall around how to properly handle with the Claims-based Authorization in the API.

In .NET there are some examples aboutthat using the ClaimsPrinciple object. However, in Python I haven't found any example, I manage to build my own function to read the token claims like this:

def get_role(req): role = '' clientPrincipal = req.headers.get('X-MS-CLIENT-PRINCIPAL') token_dec = base64.b64decode(clientPrincipal) rule = r'(?<=AppRoles","val":").+?(?="},)' role = re.findall(rule, str(token_dec))[0] return role

Is there any inbuild function by Microsoft to handle with the access token in Python?
Jeremy 141 Reputation points

2023-06-20T15:26:02.7033333+00:00

The link to the article is wrong. This seems to be the correct link:

https://learn.microsoft.com/en-us/samples/azure-samples/active-directory-aspnetcore-webapp-openidconnect-v2/how-to-secure-a-web-api-built-with-aspnet-core-using-the-azure-ad-b2c/

Share via

Roled based authorization in Azure AD B2C

1 answer

Your answer