Hello @Maxim Stratan ,
Thank you for posting your query on Microsoft Q&A. To extract the roles of a guest user, you need to have them configured as per: Add app roles to your application and receive them in the token.
- Ensure that the application has the Implicit and hybrid grant flows enabled.
- The request must hit the organization endpoint and not common/personal, as they would not emit the roles. An example is given below:
https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize?
client_id={Application ID}
&response_type=code%20id_token
&redirect_uri=http://localhost/myapp/
&response_mode=query
&scope=openid%20https%3A%2F%2Fgraph.microsoft.com%2Fmail.read
&state=12345
&nonce=abcde
- Extract the code from the request you sent above.
- The id_token will contain the user app roles assigned to the guest user and the endpoint with the tenant id.
- The access_token will contain the user info, tenant id and wids claim (contains the user permission templates' GUIDs).
Please do let me know if you have any further queries in the comments section.
Thanks,
Akshay Kaushik
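
To check what the answer describes, the sketch below (an added example, not part of the original answer or Microsoft's code) decodes the two tokens and reports the `roles`, `tid` and `wids` claims. The function names, tenant GUID, role name and sample tokens are constructed placeholders, and the payload is decoded for inspection only: signature validation is assumed to happen elsewhere before the roles are trusted.

```python
import base64
import json

def jwt_claims(token):
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def guest_role_report(id_token, access_token, expected_tenant):
    """Summarise the claims the answer points at: roles and tid in the
    id_token, wids in the access_token."""
    idc, acc = jwt_claims(id_token), jwt_claims(access_token)
    roles = idc.get("roles", [])
    if isinstance(roles, str):          # tolerate a single-valued claim
        roles = [roles]
    return {
        "tenant_ok": idc.get("tid") == expected_tenant
                     and acc.get("tid") == expected_tenant,
        "roles": roles,
        "roles_missing": not roles,     # e.g. request went to common/personal
        "wids": acc.get("wids", []),
    }

def make_sample_token(claims):
    """Build an unsigned, constructed token so the example runs offline."""
    enc = lambda o: base64.urlsafe_b64encode(
        json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "sig"])

# Constructed sample values (placeholders, not real tenant or role data).
TENANT = "00000000-0000-0000-0000-000000000001"
SAMPLE_ID_TOKEN = make_sample_token(
    {"tid": TENANT, "roles": ["Survey.Read"], "nonce": "abcde"})
SAMPLE_ACCESS_TOKEN = make_sample_token(
    {"tid": TENANT, "wids": ["11111111-1111-1111-1111-111111111111"]})
SAMPLE_NO_ROLES = make_sample_token({"tid": TENANT, "nonce": "abcde"})

if __name__ == "__main__":
    print(guest_role_report(SAMPLE_ID_TOKEN, SAMPLE_ACCESS_TOKEN, TENANT))
```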