I have APIs that require Azure AD bearer authentication.
public void ConfigureAuth(IAppBuilder app)
{
    app.UseWindowsAzureActiveDirectoryBearerAuthentication(
        new WindowsAzureActiveDirectoryBearerAuthenticationOptions
        {
            // ...
        });
}
Is it then possible to query Azure AD - perhaps using the Graph API - to determine the group information of the calling user? The end goal here is to apply role-based security to the API methods/controllers, as below (or similar).
[PrincipalPermission(SecurityAction.Demand, Role = "Admin")]
Additionally, how and where is the identity information applied to the executing thread?
As of recently, you can use Role Claims and/or Group Claims to do so. If you have a web API protected with bearer authentication (like in the sample here), you can configure the API so that access tokens contain Group and/or Role claims.
The OWIN middleware will read the claims in the JWT bearer token and populate the ClaimsIdentity with appropriate claims, in the System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler (source).
To configure your API to receive Group Claims, you need to edit the "groupMembershipClaims" property of the application manifest with a value of "All" or "SecurityGroups" (distribution lists included or excluded, respectively) as shown in this sample, which uses Group Claims to apply role-based security to a web app using the [Authorize] tag.
To configure your API to receive Role Claims, you also need to edit the manifest, defining Application Roles in the "appRoles" property as shown in this sample (link not yet active - it will be in the next few days), which uses Role Claims to do the same. Once you have defined Application Roles, you can assign users and groups to those roles in the Azure Portal or via the GraphAPI. Note that because the claims emitted by AAD are of type "roles", you will need to set the RoleClaimType as:
new WindowsAzureActiveDirectoryBearerAuthenticationOptions
{
    ...
    TokenValidationParameters = new TokenValidationParameters
    {
        RoleClaimType = "roles",
    },
    ...
}
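Putting the answer's steps together in one place, as an added example that is not code from the question, the answer or Microsoft's samples: it assumes Microsoft.Owin.Security.ActiveDirectory with System.IdentityModel.Tokens.Jwt, and the tenant name, audience URI and controller name are placeholders.

```csharp
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Security.Claims;
using System.Web.Http;
using Microsoft.Owin.Security.ActiveDirectory;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseWindowsAzureActiveDirectoryBearerAuthentication(
            new WindowsAzureActiveDirectoryBearerAuthenticationOptions
            {
                // Placeholder values: use your own tenant and the App ID URI of this API.
                Tenant = "contoso.onmicrosoft.com",
                TokenValidationParameters = new TokenValidationParameters
                {
                    ValidAudience = "https://contoso.onmicrosoft.com/my-api",
                    // AAD puts app roles in a claim of type "roles". Without this mapping,
                    // IsInRole() and [Authorize(Roles = ...)] check the default role claim
                    // type and silently never match, so every role-gated call is denied.
                    RoleClaimType = "roles"
                }
            });
    }
}

// Only callers whose token carries the "Admin" app role (assigned directly or via a group) get in.
[Authorize(Roles = "Admin")]
public class AdminController : ApiController
{
    public IHttpActionResult Get()
    {
        return Ok(GroupIds(User as ClaimsPrincipal));
    }

    // Group claims from AAD are of type "groups" and carry group object IDs, not display names.
    // When a user belongs to more groups than fit in the token, AAD omits the "groups" claim
    // and emits an overage indicator instead, so an absent claim means "unknown", not "no groups".
    internal static IEnumerable<string> GroupIds(ClaimsPrincipal principal)
    {
        if (principal == null)
        {
            return Enumerable.Empty<string>();
        }
        return principal.FindAll("groups").Select(c => c.Value).ToList();
    }
}
```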