Tutorial: Use role-based access control in your .NET MAUI
This tutorial demonstrates how to add app roles to a .NET Multi-platform App UI (.NET MAUI) app and receive them in the ID token.
In this tutorial, you learn how to:
- Access the roles in the ID token.
Prerequisites
- Tutorial: Sign in users in .NET MAUI shell app
- Using role-based access control (RBAC) for applications
Receive groups and roles claims in .NET MAUI
Once you configure your customer's tenant, you can retrieve the roles and groups claims in your client app. The roles and groups claims are present in both the ID token and the access token. Access tokens are validated only by the web APIs for which the client acquired them; the client shouldn't validate access tokens.
To implement authorization on the client side, the .NET MAUI app needs to check for the app roles claims in the ID token.
In this tutorial series, you created a .NET MAUI app with a ClaimsView.xaml.cs file that handles the ClaimsView data and inspects the contents of the ID token. To read the roles claim in that file, modify the code as follows:
// At the top of ClaimsView.xaml.cs (requires the System.IdentityModel.Tokens.Jwt package):
using System.IdentityModel.Tokens.Jwt;
using System.Linq;

// Decode the ID token that MSAL returned. ReadJwtToken only decodes the token;
// it does not validate the signature, which is acceptable for displaying claims
// on the client but is not a substitute for authorization enforced by the web API.
var idToken = PublicClientSingleton.Instance.MSALClientHelper.AuthResult.IdToken;
var handler = new JwtSecurityTokenHandler();
var token = handler.ReadJwtToken(idToken);

// Get every value of the roles claim. Entra ID emits the claim as a JSON array,
// which the handler surfaces as one Claim of type "roles" per assigned role,
// so taking only the first claim would silently drop the others.
var roleClaims = token.Claims
    .Where(c => c.Type == "roles" && !string.IsNullOrEmpty(c.Value))
    .Select(c => c.Value)
    .ToList();

if (roleClaims.Count > 0)
{
    // If the roles claim exists, show its values in the IdTokenClaims list
    IdTokenClaims = roleClaims;
}
else
{
    // If the roles claim doesn't exist (or the user has no role assigned), show a message instead
    IdTokenClaims = new List<string> { "No role claim found in ID token" };
}
Claims.ItemsSource = IdTokenClaims;
Note: To read the ID token, you must install the System.IdentityModel.Tokens.Jwt package.
If you assign a user to multiple roles, the roles string contains all roles separated by a comma, such as Orders.Manager, Store.Manager, ... Make sure you build your application to handle the following conditions:
- Absence of roles claims in the token
- User hasn't been assigned to any role
- Multiple values in the roles claim when you assign a user to multiple roles
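The following is an added example, not code from the tutorial or from the Microsoft sample app. It factors the roles check described above into a small helper that handles all three conditions just listed (no roles claim, no role assigned, and several roles), and it constructs unsigned sample tokens locally so the helper can be exercised without a tenant. The class and method names (RoleClaimReader, GetRoles, IsInRole, BuildSampleToken), the placeholder issuer and audience strings, and the sample user name are all assumptions made for this example; only the System.IdentityModel.Tokens.Jwt package and the "roles" claim name come from the page.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;

public static class RoleClaimReader
{
    // Returns every value of the "roles" claim in the ID token.
    // Entra ID emits the claim as a JSON array; JwtSecurityTokenHandler surfaces each
    // element as a separate Claim whose Type is "roles", so all of them are collected here.
    // A token with no roles claim and a token for a user with no role assigned both yield
    // an empty list, which is the safe default (no role, no access).
    public static IReadOnlyList<string> GetRoles(string idToken)
    {
        var handler = new JwtSecurityTokenHandler();
        // ReadJwtToken decodes without validating the signature. The client got this token
        // from MSAL over TLS, and the web API still validates the tokens it receives itself,
        // so this check gates UI only and is never the sole enforcement point.
        var token = handler.ReadJwtToken(idToken);
        return token.Claims
            .Where(c => c.Type == "roles" && !string.IsNullOrWhiteSpace(c.Value))
            .Select(c => c.Value.Trim())
            .Distinct(StringComparer.Ordinal)
            .ToList();
    }

    // Ordinal comparison: role names such as "Orders.Manager" are case-sensitive identifiers.
    public static bool IsInRole(string idToken, string role) =>
        GetRoles(idToken).Contains(role, StringComparer.Ordinal);

    // What ClaimsView would bind to: the roles, or a single explanatory line when there are none.
    public static List<string> ToDisplayList(string idToken)
    {
        var roles = GetRoles(idToken);
        return roles.Count == 0
            ? new List<string> { "No role claim found in ID token" }
            : roles.ToList();
    }

    // Builds an unsigned (alg "none") token carrying the given roles. This is a constructed
    // sample for local testing only; real ID tokens are signed by the tenant and obtained via MSAL.
    public static string BuildSampleToken(params string[] roles)
    {
        var claims = roles.Select(r => new Claim("roles", r)).ToList();
        claims.Add(new Claim("preferred_username", "user@contoso.example")); // constructed value
        var jwt = new JwtSecurityToken(
            issuer: "https://issuer.placeholder/",   // placeholder, not a real tenant
            audience: "client-id-placeholder",       // placeholder, not a real app ID
            claims: claims);
        return new JwtSecurityTokenHandler().WriteToken(jwt);
    }

    public static void Main()
    {
        // Condition 1 and 2: no roles claim at all, or no role assigned -> empty list
        Console.WriteLine(string.Join(", ", ToDisplayList(BuildSampleToken())));

        // Single role
        Console.WriteLine(string.Join(", ", ToDisplayList(BuildSampleToken("Orders.Manager"))));

        // Condition 3: user assigned to several roles -> every role is returned, none dropped
        var multi = BuildSampleToken("Orders.Manager", "Store.Manager");
        Console.WriteLine(string.Join(", ", GetRoles(multi)));
        Console.WriteLine(IsInRole(multi, "Store.Manager"));   // True
        Console.WriteLine(IsInRole(multi, "store.manager"));   // False: ordinal comparison
    }
}
```

In the app, GetRoles would be called on PublicClientSingleton.Instance.MSALClientHelper.AuthResult.IdToken instead of a locally built token, and IsInRole is what a page or view model would consult before showing a role-gated control; the web API must still perform its own check on the access token, because a client-side check can be bypassed by anyone running a modified client.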
When you define app roles for your app, it is your responsibility to implement authorization logic for those roles.
Next steps
For more information about group claims and making informed decisions regarding the usage of app roles or groups, see: