
Azure AD B2C Authorization support based on Scope/Role

We want to implement authorization on our APIs.

Ex. We have API-A and API-B, and both are exposed to our different consumers.

We have scope-based authorization set up with IdentityServer4, where we decorate endpoints with different policies. With IdentityServer4 we are able to achieve this because an IdentityServer4 token has the scope claims present in all grant types, but with Azure AD we found we can't have a scope claim in a token generated with the Client Credential flow.


In our case, Web API B is also exposed to consumers, and again they have scope-based authorization. To call Web API B from Web API A we use the client credential flow, and it will not have a scopes claim in the token, so we are not able to authorize our call to Web API B.

How can we achieve scope-based authorization with Azure AD in a microservices architecture where we call other context APIs from one context?

  1. When you are using the client credential flow and using application permissions, you get roles and not scope, i.e. the scp claim in the token.
  2. Application permissions are sort of roles given to the application itself, and the scope in client credentials should be used as api://<APP_ID>/.default. They only apply when doing client credentials authentication, where no user is involved. See quickstart to configure app access web-apis
  3. Scopes are usually delegated permissions that only apply when a user is involved in the login process. They allow you to act on behalf of a user, i.e. only in the user context; we will get scp claims in case of the client credential flow.

See azure-ad-scope-based-authorization

  • So, if you want delegated permissions then you will have to use the implicit grant flow instead of client credentials.

  • As scopes in the "Expose an API" page are for Authorization Code Grant flows, where the user is involved, in this case (client credential) it's not possible. We have to add our own scopes that are available for applications to use, which are indirectly called roles, and we need to add them in the manifest itself under appRoles in the app registration, or through the App roles blade.


Example:

    {
      "appRoles": [
        {
          "allowedMemberTypes": [
            "Application"
          ],
          "displayName": "Read all todo items",
          "id": "f8dxxxxxxxxxxxxf98",
          "isEnabled": true,
          "description": "Allow the application to read all todo items as itself.",
          "value": "Todo.Read.All"
        }
      ]
    }

After that, those have to be granted admin consent.

So now, when requesting a token with a default scope of api://<app id>/.default, the "scopes" are returned in the roles claim.


So we can use the roles claim for authorization purposes.

Also, as a workaround:

Try to make sure to add additional scopes like profile, offline_access, openid, and give response_type=token instead of id_token.

Example request:

......&redirect_uri=https://jwt.io&scope=openid profile offline_access&response_type=token&prompt=login

References:

  1. Scope-based authorization in your API with Azure AD – the IT generalist (wordpress.com)
  2. Scope is not being added to Access Token returned from Azure Ad - Stack Overflow

EDIT:

  1. To call a web API from another, there need to be scopes defined in one API, i.e. the one you want to call (api2), and those scopes need to be selected in the calling API (api1). Please go through the process here
  2. When logging in to the first API, include the scope in the request and also try the response type Token and see if scp is available, or else with id_token: https://tenant.b2clogin.com/tenant.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_TenantSignUpIn&client_id=<appid>&nonce=defaultNonce&redirect_uri=https://jwt.ms&scope=openid offline profile https://tenant.onmicrosoft.com/b2capi/write https://tenant.onmicrosoft.com/b2capi/read https://tenant.onmicrosoft.com/b2capi/user_impersonation&response_type=id_token&prompt=login

Please note that scopes are present as roles depending on the flow type.
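Because the same permission arrives in the scp claim for delegated (user) flows and in the roles claim for client-credential flows, the API's policy has to accept either. The following ASP.NET Core policy is an added example, not code from the question or the answer; the delegated scope name Todo.Read is assumed, the app role value Todo.Read.All comes from the manifest above, and the alternative claim type names cover the JWT handler's inbound claim mapping.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

public static class ScopeOrRolePolicy
{
    // Azure AD emits delegated permissions as one space-separated "scp" claim and
    // application permissions as a "roles" array (one claim per role after parsing).
    // Depending on the token handler's inbound claim mapping, both can surface under
    // alternative claim type names, so every known name is checked.
    private static readonly string[] ScopeClaimTypes =
        { "scp", "http://schemas.microsoft.com/identity/claims/scope" };
    private static readonly string[] RoleClaimTypes = { "roles", ClaimTypes.Role };

    // True when the caller holds EITHER the delegated scope (user context, e.g. auth code
    // flow) OR the app role (client credential flow with api://<app id>/.default).
    public static bool HasScopeOrRole(ClaimsPrincipal user, string requiredScope, string requiredRole)
    {
        bool hasScope = user.Claims
            .Where(c => ScopeClaimTypes.Contains(c.Type))
            .SelectMany(c => c.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries))
            .Contains(requiredScope, StringComparer.Ordinal);

        bool hasRole = user.Claims
            .Where(c => RoleClaimTypes.Contains(c.Type))
            .Any(c => string.Equals(c.Value, requiredRole, StringComparison.Ordinal));

        return hasScope || hasRole;
    }

    // Register one policy that Web API B can apply to its read endpoints so that both
    // a user-delegated call and the service-to-service call from Web API A are authorized.
    public static IServiceCollection AddTodoReadPolicy(this IServiceCollection services)
    {
        services.AddAuthorization(options =>
        {
            options.AddPolicy("Todo.Read", policy =>
                policy.RequireAuthenticatedUser()
                      .RequireAssertion(ctx =>
                          HasScopeOrRole(ctx.User, "Todo.Read", "Todo.Read.All")));
        });
        return services;
    }
}
// Usage in Web API B: services.AddTodoReadPolicy(); then [Authorize(Policy = "Todo.Read")]
// on the controller or action. Signature, issuer and audience are still validated by the
// JWT bearer handler before this assertion runs.
```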
