Azure Active directory SSO not generating roles in authtoken

Chaya 0 Reputation points
Aug 2, 2023, 11:01 AM

I have decoded the JWT token that I obtain after logging in; however, the token is missing the roles that I believe are required for backend authentication. Below are the references that I read.

https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-apps

https://github.com/Azure-Samples/ms-identity-javascript-tutorial/tree/main/3-Authorization-II/1-call-api

Additionally, if you could send me a reference for securing the API with node JS and angular login, that would be a huge help.

1 answer
  1. Shweta Mathur 30,311 Reputation points Microsoft Employee
    Aug 3, 2023, 7:35 AM

    Hi @Chaya ,

    Thanks for reaching out.

    I understand you are trying to secure your API with Node.js and Angular login but are not able to get the roles in the token to authorize your API.

    When you create a web API, you can define custom scopes to restrict access to data and functionality protected by the API. These scopes are used to protect your API endpoints and to ensure that only authorized clients can access them.

    You can achieve this either using scopes or app roles.

    Scopes can be created for delegated permissions to access parts of this API; a client can request that a user or admin consent to one or more of these scopes.

    If you are looking to create application-only scopes, you should use 'App roles' and define app roles assignable to the application type.

    In this scenario, where you are trying to call a Node.js API from a single-page application (SPA), you would need to add a scope under Expose an API.

    You need to expose the API to the client app in Microsoft Entra ID.

    1. Expose the API to client apps by adding a scope (in case of delegated permissions).

    2. Assign an owner to the API, which will allow users to own the application and expose themselves to other apps.

    3. Assign permission to your single-page application to your API and grant admin consent to the permissions.

    You will get the access token with the Test.Role scope, which can be used as a bearer token to authorize the API.

    If the goal is to obtain a token for server-to-server authorization, you would need to include roles in the App roles for that scenario.

    MSAL sample references - https://learn.microsoft.com/en-us/azure/active-directory/develop/sample-v2-code?tabs=apptype

    Hope this will help.

    Thanks,

    Shweta
