Some times after successful login the following error shows up

IDX10311: RequireNonce is 'true' (default) but validationContext.Nonce is null. A nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'.

After creating TaskTrackerWebApp-RoleClaims and doing the following steps, I went into Enterprise applications and select All Applications and I do not see WebApp-RoleClaims-DotNet, I find the name with TaskTracker in the front. Is this what you meant? Or was there a step for creating another application for WebApop-RoleClaims-DotNet that I missed. I looked but don't see it.

Need to change, or users will not be able to consent to the app.

A fundamental approach in programming authorization logic in applications for long term stability and reliability is to focus on permissions and not roles or groups within the code itself.

The reasoning for this is portrayed excellently by this SO post, displayed here readability:

At the moment of checking, the calling code only needs to know "does user X have permission to perform action Y?".
The calling code does not care about and should not be aware of relationships between roles and permissions.

The authorization layer will then check if the user has this permission, typically by checking if the user's role has this permission. This allows you to change authorization logic without updating the calling code.

If you directly check for role at the call site, you are implicitly forming role ⇄ permission relationships and injecting authorization logic into the calling code, violating separation of concerns.

Should you later decide that role foo should not have permission baz, you would have to change every code which checks if the user is a foo.

In the primary authorization examples in Github for Azure AD I see good integration with Groups and Roles:

[Authorize(Roles = "Admin, Writer, Approver")]
public ActionResult TaskSubmit(FormCollection formCollection)
{
  if (User.IsInRole("Admin") || User.IsInRole("Writer"))
  ...
{

However there doesn't appear to be an example for Permissions. In this space, one would expect the ability to do (with a custom handler):

[Authorize(Policy = "task.submit")]
public ActionResult TaskSubmit(FormCollection formCollection)
{
    ...
}

Under the covers, [Authorize(Policy = "task.submit")] would call Azure AD to verify if the user has the task.submit permission. Azure AD would evaluate this internally through the users Groups and Roles and their access to the task.submit permission in the application configuration.

In this approach, the below changes (and more) could go into enforcement without requiring a code change:

• Permission changes to Admin and Writer removing their ability to submit tasks
• Assigning a Group permissions to submit tasks
• Assigning a new role with permission to submit tasks

Scopes

At first glance, Scopes appeared to provide these Permissions however it appears they are only usable in application to application. Users, Groups, or Roles cannot be assigned to a scope, and when an application requests a scope all users using the application receive that permission.

Is there the ability to do the above permission-based access with Azure AD?

Thanks!

Additional References:

• Keycloak Permission
• A better way to handle role permissions in ASP.NET Identity – IsInRole vs. HasPermission
• SO: How to implement Permission Based Access Control with Asp.Net Core

Does appRoles support transitive groups? appRole=>Group1HasMember=>Group2

Will members og Group2 would also get the appRole assigned to Group1?

Graph client library should be fixed now.

Does anyone know if there is a fork of this sample application for the Microsoft.NETCore.App 2.1.0 SDK (or other .NET Core version)?

If I update to anything never than 4.0.2.28 the test application will stop pulling roles from the AD.
I wonder if this is this an issue with JWT, this app or my Azure AD ?

I have logged on as Admin --- I can create tasks, but when I click on "About" I get the Directory Object Not Found; when I click on "Search for Users/Groups:" Error searching directory.
Thank you for your help with this problem.

I can logon as a Non- Admin --- and then get of course denied. So, I do not understand what is wrong. Tim:

I have been trying this sample out, but missing the DB. Can you help provide, when you get a chance?

connectionString="Data Source=(LocalDb)\v11.0;Initial Catalog=WebApp_RoleClaims_DotNet;Integrated Security=SSPI;AttachDBFilename=|DataDirectory|\WebApp_RoleClaims_DotNet.mdf;" providerName="System.Data.SqlClient"

https://social.msdn.microsoft.com/Forums/en-US/6ac283a9-03bf-48f9-b144-47c47c164b01/active-directory-authentication-sample-db-missing?forum=windowsazurewebsitespreview

Rgds
Omar

Works fine locally. I'm able to see the role assignments come through. But Can't get the app to log in a user when deployed to Azure.

Errors out with message:
AADSTS70002: Error validating credentials. AADSTS50012: Invalid client secret is provided. Trace ID: f2dd722f-1017-4d28-92a9-1a243c62f020 Correlation ID: 3b525670-3b61-4f08-9e5b-410312813ac2 Timestamp: 2016-02-15 15:05:20Z

In order to access the appRoles when configuring the sample for single tenant, I needed to update a configuration property in Startup.Auth.cs. The property was RoleClaimType under TokenValidationParameters. The value out of the box was "roles". I updated this to "http://schemas.microsoft.com/ws/2008/06/identity/claims/role". It fixed the issue, but I'm checking that this was the correct action to take. Thanks.

when clicked on 'Tasks' tab, the actual functionality to test RBAC should appear. But the below error is shown:

Temporary shortcoming.

1. The property "origin" don't exist anymore like said in the issue#23
2. The roles are not working since weeks as mentioned in the issue#21
3. The sample here lack clarity and is outdated.

Microsoft seriously how do you think we can keep up with serious products and services when the specifications change all the time and features are removed without warnings.

• VS2013.4: The sample page says that it can be run in any tenant, but when I run the sample locally and log in with [email protected], I get this error:
  Additional technical information:
  Correlation ID: 0c3e4797-929e-47ed-9fd7-309e3e084e94
  Timestamp: 2015-09-30 21:45:28Z
  AADSTS50020: User account '[email protected]' from external identity provider 'live.com' is not supported for application 'd43fe016-2ce2-4686-ad31-9169be137d72'. The account needs to be added as an external user in the tenant. Please sign out and sign in again with an Azure Active Directory user account.
• VS2015: The HTTPS link won’t even work when I tried to test it locally.

Any ideas?

We are investigating Azure AD for our usage and love your example! Have a question on how to take this example from course level permissions to fine grain:

Admin: Has the ability to perform all actions, as well as manage the Application Roles.
Writer: Has the ability to create tasks.
Approver: Has the ability to change the status of tasks.
Observer: Only has the ability to view tasks and their statuses.

Right now this example consists of Course Grain permissions, ie. if your an Admin, Approver, or Observer, you have that access across all tasks. How could Azure AD be utilized to provide these access levels on each individual task (ie. resource)?

For example:

• User 1 could be assigned as an Approver for Task 1 but not Task 2
• Group 1 could be assigned as an Approver for Task 1 but not Task 2
• All Writer's are authorized Observer access to their created tasks

Coming from Keycloak usage, implementation references would be:

• Resource-based permissions
  or
• User-Managed Access (UMA 2.0)

Thanks!

I have a little sample SPA app working. It successfully talks to web api controllers decorated with [Authorize] but I don't know what else is needed to successfully make my app have controllers with [Authorize(Roles="CustomRole1")]

You can see more details about my specific question at this S.O. question

This sample expects application roles to be under "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" ClaimType, but Azure Active Directory returns roles under "roles" ClaimType.

can we use (https://github.com/Azure-Samples/active-directory-dotnet-webapp-roleclaims) Azure AD role based authorization for B2C tenant ?

I'm sure this isn't an issue with the app itself but I am unable to assign roles to users in either of the Azure management portal. I am using the Azure services with my MSDN subscription. Is RBAC only available with an enterprise subscription?

I'm struggling to follow your instruction on creating users/groups and assigning roles when following single-tenant track.
I've added the roles in the app manifest, but don't seem to have any option to assign a role in the Users tab of the application record in the Azure management portal.
Our Azure AD is synced from an on-premise AD so I haven't had to create a user first, if that makes any difference?

A screenshot or two of what you're looking at would be useful.

I feel like I must be missing something important, but I just cant see it

I've followed your instructions for the single tenant but I keep getting "You do not have sufficient priviliges to view this page." when I go to the tasks root. I've set it up twice now in two different azure accounts but still no luck

I've create a new user and assigned them to the Observer role, logged out and back in, but no luck.

The only step I wasn't sure about was the App ID URI, my tenant is the default "Default Directory", should the uri be "https://default_directory/tasktrackerwebapp"? Does it actually matter?

What can I do to debug the problem?

Thanks,
Fran

While following your sample code for single-tenant flow path, I get error while updating the manifest with suggested roles. It poops out at line "origin": "Application", And if I yank this line from json manifest, it works and able to upload.

Another concern is how can I add groups to roles instead of individual users in azure management portal? When I goto USERS tab of my application, it displays all existing AAD users, but not groups neither there is an option to add a new group and assign application role.

Am I missing something?

Thanks!

Nice example, but I have a question. You wrote that assignment of users through Microsoft Graph API. I have searched Graph API URLs or examples for a whole day and I did not find an example. My goal is to search all users from my application and then change roles by Graph API. I will be very grateful If you could help me eg. paste URLs from GRAP API or write where I should search.

Thanks!

I activated AAD authentication through the portal (along with FB and Twitter auth), as shown in this tutorial, and there's the option to view the user info at '.auth/me' endpoint, which is automatically created.
Activating AAD authentication in the application, like in this sample, Im not able to reach this endpoint, since it's created by App Service Authentication / Authorization. Is this possible to turn it on?

Sometimes while signing In,the application fails to redirect to my home page and the following page shows up.

Then I am stuck, not able to log out or sign in again. is there any workaround for this?

Temporary shortcoming.

My RoleClaimType is not getting set to roles when I am running in Azure and so when I put some logging, I found that OWIN is not getting called at all. What am I missing here?

Would this be helpful? Need to make sure graph permissions behave appropriately.

I created a new Azure subscription (free) and under the Default directory registered a new Cloud Service ASP.Net MVC Web Application. I also added a new user to the default domain. When I run the application everything works in the application connected with this Azure AD.
Now when I try to set permissions for Microsoft Graph I see no permissions there. And thats why my User.IsInRole and IsAuthenticated doesn't work.
Can you help ?

Hi,

I've been trying to fire up this sample before I commit to using this method in my own project but I'm having some problems making it work.

I just assumed I'd made a typo for the Uri but I've check and re-checked and my URI is definitely configured for:

https://applicita.com/TaskTrackerWebApp

If I but this Url into a browser and sure enough I get what looks like the IIS screen when you try to hit a asset which doesn't exist.

What else can I check ?

Thanks

Stacktrace for Reference:

[HttpRequestException: Response status code does not indicate success: 404 (Not Found).]
System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode() +90216
Microsoft.IdentityModel.Protocols.d__0.MoveNext() +496

[IOException: Unable to get document from: https://login.windows.net/https://applicita.com/TaskTrackerWebApp/.well-known/openid-configuration]
Microsoft.IdentityModel.Protocols.d__0.MoveNext() +830
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +93
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +52
System.Runtime.CompilerServices.TaskAwaiter1.GetResult() +24 Microsoft.IdentityModel.Protocols.<GetAsync>d__0.MoveNext() +512 System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +93 System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +52 System.Runtime.CompilerServices.TaskAwaiter1.GetResult() +24
Microsoft.IdentityModel.Protocols.d__3.MoveNext() +1332

Hi Guys,

I have followed the video on YouTube. I have followed blogs. And still no roles claim in my token. I do not know what I am missing. is this still supported?

I have:

1. Edited the Manifest file

"appRoles": [
		{
			"allowedMemberTypes": [
				"User"
			],
			"description": "Test Role Description.",
			"displayName": "TestRole",
			"id": "2b5b00a6-699a-484e-a0f5-ea95b89bb959",
			"isEnabled": true,
			"lang": null,
			"origin": "Application",
			"value": "testrole"
		}
	],

2. Add a user to that role for the application.
   

3. I am running the SignUpSignIn User flow manually to sign in and get a token.

Then when I decode the token, I do not see the roles claim.

Don't know what else to do. If anyone has any idea for me to try, will be grateful.

Thanks.

I want to use AntiForgeryToken and added the Attribute [ValidateAntiForeryToken] in the TaskController

    [HttpPost]

    [Authorize(Roles = "Admin, Writer, Approver")]

    [ValidateAntiForgeryToken]

    public ActionResult TaskSubmit(FormCollection formCollection)

    {
    .....

and the @Html.AntiForgeryToken() in the View

 using (Html.BeginForm("TaskSubmit", "Tasks", FormMethod.Post))

{

    @Html.AntiForgeryToken()

    <div class="container" style="padding-top:10px">

        <div class="row">
   ....

Unfortunately I get a System.InvalidOperationException: 'A claim of type 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' was not present on the provided ClaimsIdentity.'
I have spent some hours to investigate this exception and to find some useful hints, how to aolve this issue.

The found a most poopular hint to add this line in the global.asax.cs ApplicationStart(), but it did not work

AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.Email;

I have 22 claims and one claim is "email: my mail address".

Any hints and suggestions solving my problem are welcome, Michael

Thought I saw this at some point....

I created this sample in my local and its authenticating fine, however when i deploy it to the Azure, although i am getting the claims, the Authorize attribute seems to not work and redirects me to the Authorization error page. I used the code to list the claims and i have them in the token.

P.S. The Active directory Authentication is enabled in Azure.

I tried to use this code from the GroupClaims sample:

    public static string AcquireToken(string userObjectId)
    {
        ClientCredential cred = new ClientCredential(ConfigHelper.ClientId, ConfigHelper.AppKey);
        AuthenticationContext authContext = new AuthenticationContext(String.Format(CultureInfo.InvariantCulture, ConfigHelper.AadInstance, ConfigHelper.Tenant), new TokenDbCache(userObjectId));
        AuthenticationResult result = authContext.AcquireTokenSilent(ConfigHelper.GraphResourceId, cred, new UserIdentifier(userObjectId, UserIdentifierType.UniqueId));
        return result.AccessToken;
    }

But I keep getting the same exception with no useful information:

iisexpress.exe Information: 0 : AdalException was thrown with ErrorCode 'failed_to_acquire_token_silently'. Correlation ID: b513ba74-73f3-43a6-b49f-352adc9df9c8
A first chance exception of type 'Microsoft.IdentityModel.Clients.ActiveDirectory.AdalSilentTokenAcquisitionException' occurred in Microsoft.IdentityModel.Clients.ActiveDirectory.dll

However, if I modify it slightly using tenant GUID instead of tenant name then it works:

    public static string AcquireToken(string userObjectId)
    {
        ClientCredential cred = new ClientCredential(ConfigHelper.ClientId, ConfigHelper.AppKey);
        Claim tenantIdClaim = ClaimsPrincipal.Current.FindFirst(Globals.TenantIdClaimType);
        AuthenticationContext authContext = new AuthenticationContext(String.Format(CultureInfo.InvariantCulture, ConfigHelper.AadInstance, tenantIdClaim.Value), new TokenDbCache(userObjectId));
        AuthenticationResult result = authContext.AcquireTokenSilent(ConfigHelper.GraphResourceId, cred, new UserIdentifier(userObjectId, UserIdentifierType.UniqueId));
        return result.AccessToken;
    } 

Why is that? the GroupClaims code works in the GroupClaims sample. I can't figure out what's different in the RoleClaims sample.