I have the following scenario. I have two apps registered in Azure, one is a web site and another an API. I can log in to the web site and I can make calls to the API using a JWT token.
Now I need to secure both apps. Both apps use the same roles and the same users. My first approach was to create appRoles in both manifests, and then add the users to each role in each app registration.
Everything is working fine and I can use [Authorize(Roles="Admin")] in the controllers of the web site and in the methods of the API.
But it's hard to maintain both appRoles and users in both applications. Each change in one app needs to be replicated in the other one. So my goal is to use only the appRoles and users of one of the app registrations.
Is that possible? Can I define for example approles and users in the api app registration and use them in the web site? How can I do that?
After the first login in the web site how can I update the user claims?
Now if I define roles and users only on the API side, when I check User.Identity.Claims the roles aren't there, so I can't access a page decorated with [Authorize(Roles="Admin")]. If I retrieve a JWT token using the scope of the API I can see the roles inside the claims. How can I add the JWT token claims into User.Identity.Claims after login and then add them to each request inside the web site?
I can't use Azure Groups, only appRoles.
My goal is to use the same roles and users in the web site and in the API but only defining them in one place.
Is that possible? What is the best approach to do that?
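One way to do what the question describes, as an added example that is not code from the question or from Microsoft: an ASP.NET Core `IClaimsTransformation` that acquires an access token for the API with Microsoft.Identity.Web, reads the `roles` claim from it, and copies those roles into the web site's `ClaimsPrincipal` so `[Authorize(Roles="Admin")]` works with roles defined only on the API app registration. The scope string is a placeholder; `ApiRolesClaimsTransformation` and the `api_roles_loaded` marker claim are names chosen for this example.

```csharp
// Added example: copy app roles from the API access token into the web site's principal.
// Assumes Microsoft.Identity.Web (ITokenAcquisition) and System.IdentityModel.Tokens.Jwt.
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Identity.Web;

public class ApiRolesClaimsTransformation : IClaimsTransformation
{
    private readonly ITokenAcquisition _tokenAcquisition;
    // Placeholder: replace with the scope exposed by the API app registration.
    private static readonly string[] ApiScopes = { "api://<api-client-id>/.default" };
    private const string LoadedMarker = "api_roles_loaded"; // hypothetical marker claim

    public ApiRolesClaimsTransformation(ITokenAcquisition tokenAcquisition)
        => _tokenAcquisition = tokenAcquisition;

    public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        var identity = principal.Identity as ClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated) return principal;
        // The transformation can run more than once per request; do the work only once.
        if (identity.HasClaim(c => c.Type == LoadedMarker)) return principal;

        string accessToken;
        try
        {
            // Obtained server-side from Azure AD over TLS (MSAL cache), so the claims are
            // trusted here without re-validating the signature; the API still validates it.
            accessToken = await _tokenAcquisition.GetAccessTokenForUserAsync(ApiScopes);
        }
        catch (MicrosoftIdentityWebChallengeUserException)
        {
            return principal; // consent or re-login needed: no roles added, access denied by default
        }

        var jwt = new JwtSecurityTokenHandler().ReadJwtToken(accessToken);
        var roles = jwt.Claims.Where(c => c.Type == "roles").Select(c => c.Value);

        // Return a new identity rather than mutating the one the cookie handler produced.
        var newIdentity = new ClaimsIdentity(identity.Claims, identity.AuthenticationType,
                                             identity.NameClaimType, identity.RoleClaimType);
        foreach (var role in roles)
            newIdentity.AddClaim(new Claim(newIdentity.RoleClaimType, role));
        newIdentity.AddClaim(new Claim(LoadedMarker, "true"));
        return new ClaimsPrincipal(newIdentity);
    }
}
// Register in Program.cs / Startup.ConfigureServices:
// services.AddScoped<IClaimsTransformation, ApiRolesClaimsTransformation>();
```

The web site's role checks then follow the API registration's assignments, and a user without an assignment there gets no role claim at all.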