I have a Blazor wasm project where my users are authenticated through Azure Identity. I need to further restrict functionality and data access based on user/group permissions. Is it possible to put these restrictions in the token from Azure as claims, or is there a more preferred way to do this in the Blazor client and Blazor API?
At the API level, I want to do something like
[Authorize(Policy="CustomerCreationPolicy"), HttpPost]
public async Task<Customer> CreateCustomer(Customer newCustomer)...
At the client I want to manage these permissions.
{"userPermissions": [{"username": "******@mydomain.com", "Permissions": {"vipAccessLevel": "Sensitive", "CanCreateAccounts": "true", "CanUpdateAccounts": "true"}}]}
{"groupPermissions": [{"groupName": "Sales Team", "Permissions": {"vipAccessLevel": "Sensitive", "CanCreateAccounts": "true", "CanUpdateAccounts": "true"}}]}
At the client I want to also do something like:
@page "/customers"
@inject MyPolicyService MyPolicyService  @* service type assumed from the field name *@

@if (_canCreateCustomer)
{
    <button>Create customer</button>
}

@code {
    private Dictionary<string, bool> _policies = new();
    private bool _canCreateCustomer;

    protected override void OnInitialized()
    {
        // Injected services are not available in field initializers, so load here.
        _policies = MyPolicyService.LoadPolicies(Page.Customers);
        _canCreateCustomer = _policies.TryGetValue("CanCreateCustomer", out var allowed) && allowed;
    }
}
Can I have Azure call back to my API to read these permissions and add them as claims?
Do I need to intercept the "After-Authenticate" event and add these somehow? Is this possible?
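The server-side half of what the question describes, as an added example that is not part of the question or of any Azure/ASP.NET sample: an ASP.NET Core `IClaimsTransformation` that runs after the Azure AD token has been validated, looks the caller up in the application's own permission store, and adds the results as `permission` claims so a `[Authorize(Policy = "CustomerCreationPolicy")]` attribute can require them. The token never has to carry the permissions; the API enriches the principal per request. Assumptions (not from the question): the token carries a `preferred_username` claim, group object IDs arrive in a `groups` claim if group claims are enabled in the app registration, and `IPermissionStore`, `InMemoryPermissionStore` and the sample user/group values are constructed stand-ins for a database.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical application store; a real one would query the userPermissions /
// groupPermissions tables described in the question.
public interface IPermissionStore
{
    Task<IReadOnlyCollection<string>> GetUserPermissionsAsync(string username);
    Task<IReadOnlyCollection<string>> GetGroupPermissionsAsync(string groupObjectId);
}

// Constructed sample data standing in for a database.
public sealed class InMemoryPermissionStore : IPermissionStore
{
    private static readonly Dictionary<string, string[]> Users = new()
    {
        ["alice@mydomain.com"] = new[] { "CanCreateAccounts", "CanUpdateAccounts" },
    };

    private static readonly Dictionary<string, string[]> Groups = new()
    {
        // Placeholder group object ID for the "Sales Team" group.
        ["00000000-0000-0000-0000-000000000001"] = new[] { "CanUpdateAccounts" },
    };

    public Task<IReadOnlyCollection<string>> GetUserPermissionsAsync(string username) =>
        Task.FromResult<IReadOnlyCollection<string>>(
            Users.TryGetValue(username, out var p) ? p : new string[0]);

    public Task<IReadOnlyCollection<string>> GetGroupPermissionsAsync(string groupObjectId) =>
        Task.FromResult<IReadOnlyCollection<string>>(
            Groups.TryGetValue(groupObjectId, out var p) ? p : new string[0]);
}

// Runs after authentication on every request and adds "permission" claims.
public sealed class PermissionClaimsTransformation : IClaimsTransformation
{
    public const string PermissionClaimType = "permission";
    private readonly IPermissionStore _store;

    public PermissionClaimsTransformation(IPermissionStore store) => _store = store;

    public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        // The framework may invoke this more than once per request; stay idempotent.
        if (principal.HasClaim(c => c.Type == PermissionClaimType))
            return principal;

        if (principal.Identity is not ClaimsIdentity { IsAuthenticated: true })
            return principal;

        var permissions = new HashSet<string>();

        // Assumed claim name for the signed-in user's UPN/email in an Azure AD token.
        var username = principal.FindFirst("preferred_username")?.Value;
        if (username is not null)
            permissions.UnionWith(await _store.GetUserPermissionsAsync(username));

        // Assumed claim name for group object IDs (only present if configured in Azure AD).
        foreach (var group in principal.FindAll("groups"))
            permissions.UnionWith(await _store.GetGroupPermissionsAsync(group.Value));

        // Clone so the principal cached by the authentication handler is not mutated.
        var enriched = principal.Clone();
        var identity = (ClaimsIdentity)enriched.Identity!;
        foreach (var permission in permissions)
            identity.AddClaim(new Claim(PermissionClaimType, permission));

        return enriched;
    }
}

public static class PermissionAuthorizationSetup
{
    // Call from Program.cs after AddAuthentication(...) for the Azure AD JWT bearer scheme.
    public static IServiceCollection AddPermissionPolicies(this IServiceCollection services)
    {
        services.AddSingleton<IPermissionStore, InMemoryPermissionStore>();
        services.AddScoped<IClaimsTransformation, PermissionClaimsTransformation>();

        services.AddAuthorization(options =>
        {
            // Policy names match the [Authorize(Policy = ...)] attributes on the controllers.
            options.AddPolicy("CustomerCreationPolicy", policy => policy
                .RequireAuthenticatedUser()
                .RequireClaim(PermissionClaimsTransformation.PermissionClaimType, "CanCreateAccounts"));

            options.AddPolicy("CustomerUpdatePolicy", policy => policy
                .RequireAuthenticatedUser()
                .RequireClaim(PermissionClaimsTransformation.PermissionClaimType, "CanUpdateAccounts"));
        });

        return services;
    }
}
```

The policy check on the API is the enforcement point; the Blazor client's `@if (_canCreateCustomer)` only decides what to render and can be bypassed by anyone calling the API directly, so the same permission list should be served to the client from an authenticated endpoint rather than trusted from client-side state. Because the lookup happens on every request, revoking a permission in the store takes effect immediately instead of waiting for the Azure token to expire.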