This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(51.2, 15%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hello, In my B2C app, I have a user that has been assigned multiple administrative roles. I've created a policy for the administrator role but am unable to retrieve any roles for this user. I'm using dotnet 7.0. I have two problems:. Assigning the Admin to jobTitle works to enforce the policy (see below). That isn't something I want to do long term. Using the URI provided in the documentation does not work. So, I went about trying to see if I could retrieve the assigned roles for a user but failed to do so. Am I missing a setting somewhere that would allow me to see the roles and then use that to enforce administration?
See code snippets below for both.
Thanks!
builder.Services.AddAuthorization(options =>
{
options.AddPolicy("RequireAdminRole", policy =>
{
// Cannot get below to work.
//policy.RequireClaim("http://schemas.microsoft.com/ws/2008/06/identity/claims/role", "Admin");
// This works.
policy.RequireClaim("jobTitle", "Admin");
});
});
public static async Task<List<string>> GetRolesforCurrentUser(this AuthenticationStateProvider provider)
{
var authState = await provider.GetAuthenticationStateAsync();
var userIdentity = (ClaimsIdentity)authState.User.Identity;
var claims = userIdentity.Claims;
return claims.Where(c => c.Type == ClaimTypes.Role)
.Select(c => c.Value)
.ToList();
}
// The code below always returns zero.
roles = await authProvider.GetRolesforCurrentUser();
Console.WriteLine("Number of roles found: " + roles.Count);
Thank you. I will read this and try it. I currently have just this:
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAdB2C"));
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 61%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBS%3C/text%3E%3C/svg%3E)
you need to add a mapping from claims to roles:
https://learn.microsoft.com/en-us/aspnet/core/security/authentication/claims?view=aspnetcore-7.0
When I look at the claims that are being returned, I see that username, email, etc. are being returned, along with jobTitle which explains why using jobTitle works. (sorry, I am a newbie):
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier d7d41326-5459-4b0d-bf3b-15207b876de4
auth_time 1686245007
name akj
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname Archna
jobTitle Admin
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname Johnson
emails archna.johnson@gmail.com
http://schemas.microsoft.com/identity/claims/objectidentifier d7d41326-5459-4b0d-bf3b-15207b876de4
tfp B2C_1_reset
Is there no way to ask Azure AD to return a list of roles as claims when the user is authenticated? If not, would you know why?
Azure Ad Tokens only have claims. Azure Ad allows defining roles and mapping to claims.
The Microsoft identify has optional role support, but the AD provider has no default implementation of mapping claims to roles.
@Bruce (SqlWork.com), I have the following now and it does not work. I created a new client secret and am using its value (not the ID). I am sure everything else is correct. I would really appreciate some help. Thanks!
//builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
// .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAdB2C"));
builder.Services.AddAuthentication(options =>
{
options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie()
.AddOpenIdConnect(options =>
{
options.SignInScheme = "Cookies";
options.Authority = "https://login.microsoftonline.com/{my_tenant_id}/v2.0";
options.RequireHttpsMetadata = true;
options.ClientId = "my_client_id";
options.ClientSecret = "Value_of_my_secret";
options.ResponseType = "code";
options.UsePkce = true;
options.Scope.Add("profile");
options.SaveTokens = true;
options.TokenValidationParameters = new TokenValidationParameters
{
RoleClaimType = "role",
ValidateIssuer = false
//RoleClaimType = ClaimTypes.Role
};
});
builder.Services.AddAuthorization(options =>
{
options.AddPolicy("RequireAdminRole", policy =>
{
// Cannot get below to work. Should not have the admin policy based on job title.
policy.RequireClaim("http://schemas.microsoft.com/ws/2008/06/identity/claims/role", "Admin");
//policy.RequireClaim("jobTitle", "Admin");
});
});
I have the following now and it can't get it to work. I created a new client secret and am using its value (not the ID). I am sure everything else is correct. I would really appreciate some help. Thanks!
//builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
// .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAdB2C"));
builder.Services.AddAuthentication(options =>
{
options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie()
.AddOpenIdConnect(options =>
{
options.SignInScheme = "Cookies";
options.Authority = "https://login.microsoftonline.com/{my_tenant_id}/v2.0";
options.RequireHttpsMetadata = true;
options.ClientId = "my_client_id";
options.ClientSecret = "Value_of_my_secret";
options.ResponseType = "code";
options.UsePkce = true;
options.Scope.Add("profile");
options.SaveTokens = true;
options.TokenValidationParameters = new TokenValidationParameters
{
RoleClaimType = "role",
ValidateIssuer = false
//RoleClaimType = ClaimTypes.Role
};
});
builder.Services.AddAuthorization(options =>
{
options.AddPolicy("RequireAdminRole", policy =>
{
// Cannot get below to work. Should not have the admin policy based on job title.
policy.RequireClaim("http://schemas.microsoft.com/ws/2008/06/identity/claims/role", "Admin");
//policy.RequireClaim("jobTitle", "Admin");
});
});
It seems that AD B2C does not support RBAC. I don't want to move away from B2C and don't want to write complicated code to get roles into the app. Here is a fairly recent thread that points to multiple discussions:
your code is not clear.
options.TokenValidationParameters = new TokenValidationParameters
{
RoleClaimType = "role"
...
}
builder.Services.AddAuthorization(options =>
{
options.AddPolicy("RequireAdminRole", policy =>
{
policy.RequireClaim("http://schemas.microsoft.com/ws/2008/06/identity/claims/role", "Admin");
you defines "role" as type of a role claim, but your token does not have any role claim. the policy is looking in the token for a role claim with value = "admin". I would of thought the:
policy.RequireClaim("jobTitle", "Admin")
was more correct. then when controller/action required admin:
[Authorize(Policy = "RequireAdminRole")]
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 20%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Hi @AKJ ,
Thanks for reaching out.
Azure AD B2C does not support out-of-box support for role claims for consumer accounts as it would not be feasible for the Administrator to assign the role to consumer identities.
There are ways to implement RBAC using Azure AD B2C.
For this purpose, you can use custom claims in Azure AD B2C to allow consumers to select the required role during the signup process which is returned in the token as well.
You could also leverage Azure AD Custom Policies, which allow you to call a REST API during authentication. This can be used to pass the ObjectId of the user to your API and return the roles to Azure AD B2C. B2C can then issue the roles as a claim into the token.
Please refer to https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-api-connector-token-enrichment?pivots=b2c-custom-policy for more details.
Hope this will help.
Thanks,
Shweta
Please remember to "Accept Answer" if answer helped you.
@Shweta Mathur
I am a newbie and am looking for the simplest way to get assigned roles for a user into the app. Thanks!