access role claim from asp.net core web application calling web api

Naga Jagadeesh Budha 0 Reputation points
2025-01-06T05:38:54.27+00:00

I created two app registrations, one for the Web App and one for the Web API. I defined 2 app roles, ToDoList.Read and ToDoList.ReadWrite, in the app registration created for the Web API. I configured the Web App to use Entra ID authentication and then call the Web API as the signed-in user.

I assigned user 1 to reader and user 2 to readerwriter. I'm able to authorize APIs as per the user roles assigned. I need to read user role claims in the Web App to be able to manage operations within the ToDoList screen. But I'm not able to read role claims in the web app. It could be due to no App Roles being defined in the App Registration created for the Web App. But I don't want to maintain app roles in 2 app registrations.

I followed the steps given in the Azure sample documentation below and am running the sample code provided by Microsoft.

https://learn.microsoft.com/en-us/samples/azure-samples/ms-identity-ciam-dotnet-tutorial/ms-identity-ciam-dotnet-tutorial-1-call-own-api-aspnet-core-mvc/

Can you please let me know what might be the issue in reading user role claims in the Web App, and also suggest the best way to implement user role-based authorization in web applications which call a web API?

Microsoft Entra ID

1 answer

  1. Pradeep Rao 0 Reputation points
    2025-01-07T08:19:43.29+00:00

    It sounds like you're facing a common challenge with managing app roles across multiple app registrations. Here are some suggestions to help you read user role claims in your Web App without duplicating roles in both app registrations:

    Solution: Use API Permissions and Token Configuration

    • Configure API Permissions: In the Azure portal, navigate to the app registration for your Web App. Under "API permissions," add the necessary permissions for the Web API. Ensure that the roles ToDoList.Read and ToDoList.ReadWrite are included.
    • Update Token Configuration: In the app registration for your Web API, ensure that the roles are included in the token configuration. Navigate to "Token configuration" and add the roles claim.
    • Modify Web App Code: Ensure that your Web App is configured to read the role claims from the token. Here is an example of how to read the role claims in your ASP.NET Core application:

        // Collect the values of every "roles" claim on the signed-in user
        var userRoles = User.Claims
            .Where(c => c.Type == "roles")
            .Select(c => c.Value)
            .ToList();
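
An added example, not code from the Microsoft sample or from the answer above, of keeping the app roles defined only on the Web API registration: the Web API is the audience of the access token that carries the roles claim, so it reports the caller's roles, and the Web App asks it for them instead of looking in its own ID token (which only carries roles defined on the Web App's registration). It assumes Microsoft.Identity.Web's IDownstreamApi, a hypothetical downstream service name "ToDoListApi" and a hypothetical route api/me/roles.

```csharp
// --- Web API side (ToDoList API) ---
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Identity.Abstractions;

[ApiController]
[Route("api/me")]
[Authorize] // any caller presenting a valid token issued for this API
public class MeController : ControllerBase
{
    // Reports the app roles present in the caller's access token. Because the
    // roles are defined on the Web API registration, only tokens whose audience
    // is the Web API contain them; the Web App's ID token does not.
    [HttpGet("roles")]
    public ActionResult<IEnumerable<string>> GetRoles()
    {
        // Depending on inbound claim mapping the claim type is either the short
        // "roles" name or the mapped ClaimTypes.Role URI; accept both.
        var roles = User.Claims
            .Where(c => c.Type == "roles" || c.Type == ClaimTypes.Role)
            .Select(c => c.Value)
            .Distinct()
            .ToList();
        return Ok(roles);
    }
}

// --- Web App side ---
// Assumes (hypothetical) registration of the downstream API in Program.cs:
// builder.Services.AddMicrosoftIdentityWebAppAuthentication(builder.Configuration)
//     .EnableTokenAcquisitionToCallDownstreamApi()
//     .AddDownstreamApi("ToDoListApi", builder.Configuration.GetSection("ToDoListApi"))
//     .AddInMemoryTokenCaches();
public class ToDoListPermissions
{
    private readonly IDownstreamApi _api;
    public ToDoListPermissions(IDownstreamApi api) => _api = api;

    // Used only to decide what the ToDoList screen shows. The Web API still
    // enforces ToDoList.Read / ToDoList.ReadWrite on every call it receives.
    public async Task<bool> CanWriteAsync()
    {
        var roles = await _api.GetForUserAsync<List<string>>("ToDoListApi",
            options => options.RelativePath = "api/me/roles");
        return roles?.Contains("ToDoList.ReadWrite") == true;
    }
}
```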

