Azure AD - 如何验证下游 API 中的角色

Question

I have a web app that authenticates users and calls a downstream web API as described here . In my case, it's an MVC website, to an AWS Lamba Function. Currently, my MVC website has both authorization and authentication but the Lambda Function only has authentication as I'm not sure about the best approach to perform authorization on the backend.

I currently see two possible solutions, have the website include the roles in the access token, or have the Lambda Authorizer fetch the roles from Azure AD. I'm leaning towards the first solution as it seems the simplest, however, I'm not sure how to include the roles in the access token as it currently doesn't have any.

Can anybody tell me which approach is recommended, and perhaps included some resources on how to do it.

string accessToken;
try
{
    accessToken = await _tokenAcquisition.GetAccessTokenForUserAsync(new[] { _lambdaAuthoriserScope });
}
catch (Exception)
{
    Console.WriteLine("Failed to get access token");
    throw;
}
_client.DefaultRequestHeaders.Add("IdToken", accessToken);
_client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
_client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));

Thanks, Adam

Answer 1

In general, claims in an access token is controlled by the resource that will consume that access token. In your case the resource is the AWS Lambda Function, that means it dictates what sort of claims it needs in the access tokens that it will accept. So you should define these roles in the app registration that you use with the Lambda Function (not sure how you are doing that). This tutorial covers role-based authorization for client-app-calls-web-API scenarios.