access role claim from asp.net core web application calling web api

Naga Jagadeesh Budha 25 Reputation points
2025-01-06T05:38:54.27+00:00

I created two app registrations one for Web App and one for Web API. I defined 2 app roles ToDoList.Read and ToDoList.ReadWrite in app registration created for Web API. I configured Web App to use Entra Id authentication and then call Web API app as a signed in user.

I assigned user 1 to reader and user 2 to readerwriter. I'm able to authorize APIs as per the user roles assigned. I need to read user role claims in Web App to be able to manage operations within ToDoList screen. But, I'm not able to read role claims in web app. It could be due to no App Roles defined in App Registration defined for Web App. But, I don't want to maintain app roles in 2 app registrations.

I followed the steps given in below azure sample documentation and running the sample code provided by Microsoft.

https://learn.microsoft.com/en-us/samples/azure-samples/ms-identity-ciam-dotnet-tutorial/ms-identity-ciam-dotnet-tutorial-1-call-own-api-aspnet-core-mvc/

Can you please let me know what might be the issue in reading user role claims in Web App and also suggest what is the best way to implement user role-based authorization in web applications which calls web api?


Accepted answer
  1. Goutam Pratti 1,480 Reputation points Microsoft Vendor
    2025-01-24T18:32:33.2133333+00:00

    Hello @Naga Jagadeesh Budha ,

    Thank you for your Prompt Response.

    I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

    Issue: access role claim from asp.net core web application calling web api

    Solution:

    1. Added two app registrations, one for the web app and one for the web API.
    2. Defined app roles in the app registration for the web API.
    3. Assigned app roles to users from Enterprise applications.
    4. Added a new controller "UserRoleController" in the web API with a GET method that reads the user's roles and returns them.
    5. Called the downstream UserRoles API from the web app to read the roles.

    If you have any other questions or are still running into more issues, please let me know. Thank you again for your time and patience throughout this issue.

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

    Regards,

    Goutam Pratti.

    2 people found this answer helpful.
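Steps 4 and 5 of the reposted solution, written out as an added example (this is not the thread's or the linked sample's own code). It assumes Microsoft.Identity.Web with IDownstreamApi configured under a "DownstreamApi" section as in the tutorial the question links; the controller, route and view names are placeholders.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Identity.Abstractions;   // IDownstreamApi (Microsoft.Identity.Web 2.x)
using Microsoft.Identity.Web;            // AuthorizeForScopes

// ---- Web API project: Controllers/UserRoleController.cs (hypothetical name) ----
// Roles assigned to the signed-in user on the Web API's app registration arrive
// in the access token's "roles" claim, so only the API can read them directly.
[Authorize]
[ApiController]
[Route("api/[controller]")]
public class UserRoleController : ControllerBase
{
    [HttpGet]
    public ActionResult<IEnumerable<string>> Get()
    {
        // Assumes Microsoft.Identity.Web's defaults, which keep the claim type "roles"
        // rather than remapping it; an empty list means no app role was assigned.
        var roles = User.FindAll("roles").Select(c => c.Value).ToList();
        return Ok(roles);
    }
}

// ---- Web App project: Controllers/ToDoListController.cs (hypothetical name) ----
[Authorize]
public class ToDoListController : Controller
{
    private readonly IDownstreamApi _downstreamApi;

    public ToDoListController(IDownstreamApi downstreamApi) => _downstreamApi = downstreamApi;

    // "DownstreamApi" is the configuration section name used by the linked sample.
    [AuthorizeForScopes(ScopeKeySection = "DownstreamApi:Scopes")]
    public async Task<IActionResult> Index()
    {
        // Calls the API on behalf of the signed-in user; the access token carries the roles.
        var roles = await _downstreamApi.CallApiForUserAsync<List<string>>(
            "DownstreamApi", options => options.RelativePath = "api/userrole")
            ?? new List<string>();

        // Drive the UI from the result only. Every write still goes through the API,
        // which enforces ToDoList.ReadWrite on its own endpoints regardless of this flag.
        ViewData["CanWrite"] = roles.Contains("ToDoList.ReadWrite");
        return View();
    }
}
```

The web app uses the returned roles only to show or hide ToDoList operations; the API remains the place where role checks are enforced.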

1 additional answer

  1. Pradeep Rao 0 Reputation points
    2025-01-07T08:19:43.29+00:00

    It sounds like you're facing a common challenge with managing app roles across multiple app registrations. Here are some suggestions to help you read user role claims in your Web App without duplicating roles in both app registrations:

    Solution: Use API Permissions and Token Configuration

    Configure API Permissions:

    • In the Azure portal, navigate to the app registration for your Web App.
    • Under "API permissions," add the necessary permissions for the Web API. Ensure that the roles ToDoList.Read and ToDoList.ReadWrite are included.

    Update Token Configuration:

    • In the app registration for your Web API, ensure that the roles are included in the token configuration. Navigate to "Token configuration" and add the roles claim.

    Modify Web App Code:

    • Ensure that your Web App is configured to read the role claims from the token. Here is an example of how to read the role claims in your ASP.NET Core application:

        var userRoles = User.Claims
            .Where(c => c.Type == "roles")
            .Select(c => c.Value)
            .ToList();
