How to add authorization to basic AAD/B2C Web App?

Question

[I see that using Microsoft Graph is not supported for][1] applications like 4-2-B2C. So what options do I have for enhancing such a B2C application with authorization? Some simple authorization roles like admin, delux_paid, basic_paid and guest would be a nice starter.
This 4-2-B2C example is demonstrating an authenticated ASP.NET client calling a microservice web app. I could implement my own database table with a primary key of the users object id and a varchar role_name column myself and then construct the appropriate claim before calling the downstream microservice I suppose.
I hope there is a better option.
Wed Feb 17 2021 Mid Afternoon Update:
Ah hah! Looks like I need to create a REST service and add the URL to TrustFrameworkExtensions.xml as described here: custom-policy-rest-api-claims-exchange.
Can I continue to use the B2C_1_SUSI user flow I created previously for the 4-2-B2C example as described in tutorial-create-user-flows or do I have to create a new special user flow?
Fri Feb 17 2021 Morning Update:
Darn! I I'm having trouble posting comments... I only wanted to delete one comment and it deleted both... So I am updating here.
Anyway:
I tried Alfredo's sample last night and it works!
Now to learn how you did that!

1. How did you put that extra field for Roles on the signup page? I probably don't want that for production but I might want it for debugging... I added a new attribute called Roles of type string. I also went to B2C_1_SUSI and exposed "Role" in the claim. Did I miss anything?
2. So considering production: how can I use the portal.azure.com Web UI to assign admin to one of my logins?
3. What else did you do to your tenant? Did you go to Expose an API and add scopes "User" and "Admin"?
4. Now I want to pass this new scope on to the REST API... Do I need to update Startup.cs Line 51?
5. What else do I need to enhance?

... Saving my work... More questions coming... Got to run errands...
Progress!
Mon Feb 22 2021 Morning Update:
Please see my comment I made last night... I'm not sure how to create a local user...
I've been thinking about using MS Graph (or powershell) instead of Creating Custom Policies with a custom REST service to implement role based authorization. The advantage of custom policies is that we have a database we can manipulate.
However, AAD has implemented a little database table of users for me and the problem with MS Graph is that manipulating the table of with a script might be difficult if I had a had a hundreds of users...
I'd like to discuss using powershell scripts (instead of MS Graph) to populate the custom user attribute called Role that I created so I can write scripts. I'm hoping this will be easier than using Custom Policies... Can you provide guidance on such a powershell script? Of course, there would be merit to me learning & using MS Graph first so I can see it work on my instance of the web site.
Wed Feb 24 2021 Update:
Regarding my goal to use Graph to populate my newly created user attribute (called "Role") in my AADB2C tenant:
I keep asking how to indicate which B2C tenant I want to use and I believe a previous response was that MS Graph looks at the account I log into Graph with.
Let me clarify my accounts: I just confirmed that I have two hotmail accounts with the identical names... The only difference is their passwords... The hotmail account with the new password only works in one place and that is my instance of 4-2-B2C when running locally on my dev machine or publicly on AKS. I just confirmed this this morning. I also have a gmail account I can log into 4-2-B2C with too.
The old hotmail account with the old password works for hotmail.com and logging into portal.azure.com and logging into MSGraph... So MSGraph is obviously not successfully reading my mind and looking up accounts and passwords in my desired AADB2C tenant. And to confirm this MSGraph (not surprisingly) won't accept my gmail account/password either.
So please help me understand how to tell graph which tenant to use.
Thanks
Siegfried
[1]: https://learn.microsoft.com/en-us/answers/questions/266125/documentation-problems-with-sample-aad-role-based.html

Answer 1

Here's how you can add the role attribute:

And here you configure it to be collected during signup and to be returned in the token:

And this is how you can update the role attribute. For all I recall the portal won't allow you so you need MS Graph or Powershell.

Have fun!!!

Answer 2

Try this simpler approach:

Visit https://aspnet-webapp-custom-b2c-roles.azurewebsites.net/.

Click on signin to access the B2C user flow. During signup set a role. Admin and User are valid ones (try first with User) but you can set any other to test the application. Once logged in try one of the links at the bottom of the home application.

The code is here: https://github.com/alfredorevilla/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/5-WebApp-AuthZ/5-1-Roles-B2C

@Kalyan Krishna

Answer 3

Howdy, using B2C app registrations you cannot retrieve MS Graph scopes besides open_id and offline_access, In cases where you need access to more MS Graph endpoints you need to use a regular Azure AD app registration preferabily using a client credential flow to acquire the token. To issue a custom role or roles claim you can use custom attributes (for both user flow and custom policies) or custom claims (custom policies only). Once your B2C token includes a roles claim you can re-use the same code found in other samples. Basically:

   services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>  
               {  
                   // The claim in the Jwt token where App roles are available.  
                   options.TokenValidationParameters.RoleClaimType = "roles"; //or role (claim types) or extension_roles or extension_role (directory extensions)  
               });  

               // Adding authorization policies that enforce authorization using Azure AD roles.  
               services.AddAuthorization(options =>  
               {  
                   options.AddPolicy(AuthorizationPolicies.AssignmentToUserReaderRoleRequired, policy => policy.RequireRole("UserReaders"));  
                   options.AddPolicy(AuthorizationPolicies.AssignmentToDirectoryViewerRoleRequired, policy => policy.RequireRole("DirectoryViewers"));  
               });  


   [Authorize(Policy = AuthorizationPolicies.AssignmentToDirectoryViewerRoleRequired)]  

   Or  

          [Authorize(Policy = AuthorizationPolicies.AssignmentToUserReaderRoleRequired)]  

@soumi-MSFT

* If the answer was helpful to you, please accept it and, optionally, provide feedback so that other members in the community can benefit from it.*

Answer 4

Since B2C doesn't support out-of-the-box roles, you can use custom policies as mentioned to accomplish this.

There are some good samples in the starter packs on Github, and there are also some blog posts such as this one that show how to accomplish this by adding a custom claim in the B2C portal named "Role."

Then you can add a custom authorization policy in your project:

services.AddAuthorization(options =>
{
options.AddPolicy("Admin", policy =>
policy.RequireClaim("extension_Role", "Admin"));
});

Then use the policy in your Controller:

[Authorize(Policy = "Admin")]  

You need to call app.UseAuthorization(); and add the custom attribute "Role" to your user object.

There is a feedback item out to get more options for custom roles: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/31997947-support-application-specific-roles-in-b2c

I would also recommend taking a look at some of the solutions provided in these threads:

https://stackoverflow.com/questions/53603535/authentication-vs-authorization/53606885#53606885

CC: @Jas Suri

Answer 5

Take a look to this sample to know more about claims authorization setup.