
Can't Get Blazor WASM AAD App Roles To Work

So I've kicked things off by following Microsoft docs:

Secure an ASP.NET Core Blazor WebAssembly hosted app with Azure Active Directory

Azure AD Groups, Administrative Roles, and user-defined roles

It seems to be set up fine on Azure's side of things:

This works fine:

@page "/clients"
@inject NavigationManager navigationManager
@inject HttpClient Http
@inject AppData appData
@inject AuthenticationStateProvider AuthenticationStateProvider
@attribute [Authorize]

I've printed the claims to see what's happening:

protected async override Task OnInitializedAsync()
{
    var authState = await AuthenticationStateProvider.GetAuthenticationStateAsync();
    var user = authState.User;

    foreach (var claim in user.Claims)
    {
        System.Diagnostics.Debug.WriteLine(claim.Type + ":" + claim.ValueType + ":" + claim.Value);
    }
}

This is one of the lines printed:

roles:http://www.w3.org/2001/XMLSchema#string:["Admin"]

So I can see that the appRole I added in the app manifest on Azure got here. (GUIDs hidden below for privacy)

"appRoles": [
    {
        "allowedMemberTypes": [
            "User"
        ],
        "description": "Can view everything.",
        "displayName": "Global Viewer",
        "id": "IDGOESHERE",
        "isEnabled": true,
        "lang": null,
        "origin": "Application",
        "value": "GlobalViewer"
    },
    {
        "allowedMemberTypes": [
            "User"
        ],
        "description": "Admins can access restricted areas.",
        "displayName": "Admin",
        "id": "IDGOESHERE",
        "isEnabled": true,
        "lang": null,
        "origin": "Application",
        "value": "Admin"
    }
],

Also added my user to the Admin role on Enterprise Applications.

However, adding the role to the [Authorize] attribute directive makes me lose access to the page: (You are not authorized to access this resource.)

@attribute [Authorize(Roles = "Admin")]

This is in Program.cs (I have actual GUIDs in "GUIDGOESHERE")

builder.Services.AddMsalAuthentication(options =>
{
    builder.Configuration.Bind("AzureAd", options.ProviderOptions.Authentication);
    options.ProviderOptions.DefaultAccessTokenScopes.Add("GUIDGOESHERE/EmployeesAccess");
    options.ProviderOptions.DefaultAccessTokenScopes.Add("GUIDGOESHERE/AdminAccess");
    options.UserOptions.RoleClaim = "roles";
});

The problem may be in my role claim. Maybe the problem is this claim looks like an array? If so how do I fix it?

Turns out Azure may be a little ahead of ASP.NET Core

The Azure AD authentication default template doesn't work out of the box; it needs a little tweaking.

Follow the steps in MS docs here: Azure AD Groups, Administrative Roles, and user-defined roles

Long story short:

  • It works out of the box with a single role, e.g. "Admin".
  • The problem is having multiple roles.
  • The "roles" claim arrives as a string "[Admin,User]" which fails to match "Admin" or "User".
  • The CustomUserAccount class breaks the roles into a string[] object which solves the problem.
  • Microsoft did a good job documenting the workaround. (link above)
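As an added example (not code from the question, the answer, or the linked Microsoft docs), here is what the workaround described above looks like when written out. The `roles` claim fails to match because the default `AccountClaimsPrincipalFactory` copies every unknown property of the user account into a claim whose value is the raw JSON text (`["Admin"]`), so `[Authorize(Roles = "Admin")]` compares `"Admin"` against `["Admin"]`. Binding the `roles` array to a typed `string[]` on a `RemoteUserAccount` subclass keeps it out of that generic copy, and a custom factory then emits one claim per role. `CustomUserAccount` is the class name used in the answer; `CustomAccountFactory` is an assumed name, and `GUIDGOESHERE` is the placeholder from the question. The root-component registrations of a normal Blazor WASM `Program.cs` are assumed to stay as they were.

```csharp
using System;
using System.Security.Claims;
using System.Text.Json.Serialization;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Components.WebAssembly.Authentication;
using Microsoft.AspNetCore.Components.WebAssembly.Authentication.Internal;
using Microsoft.AspNetCore.Components.WebAssembly.Hosting;

// ---- Program.cs (top-level statements) ----
var builder = WebAssemblyHostBuilder.CreateDefault(args);
// builder.RootComponents.Add<App>("#app") etc. are assumed unchanged from the template.

builder.Services
    .AddMsalAuthentication<RemoteAuthenticationState, CustomUserAccount>(options =>
    {
        builder.Configuration.Bind("AzureAd", options.ProviderOptions.Authentication);
        options.ProviderOptions.DefaultAccessTokenScopes.Add("GUIDGOESHERE/EmployeesAccess");
        options.ProviderOptions.DefaultAccessTokenScopes.Add("GUIDGOESHERE/AdminAccess");
        // The factory below emits claims of this exact type, one per role.
        options.UserOptions.RoleClaim = "roles";
    })
    .AddAccountClaimsPrincipalFactory<RemoteAuthenticationState, CustomUserAccount, CustomAccountFactory>();

await builder.Build().RunAsync();

// ---- CustomUserAccount.cs ----
// Binding "roles" to a typed array means the base factory no longer sees it
// in AdditionalProperties and therefore never creates the ["Admin"] text claim.
public class CustomUserAccount : RemoteUserAccount
{
    [JsonPropertyName("roles")]
    public string[] Roles { get; set; } = Array.Empty<string>();
}

// ---- CustomAccountFactory.cs (assumed name) ----
public class CustomAccountFactory : AccountClaimsPrincipalFactory<CustomUserAccount>
{
    public CustomAccountFactory(IAccessTokenProviderAccessor accessor) : base(accessor)
    {
    }

    public override async ValueTask<ClaimsPrincipal> CreateUserAsync(
        CustomUserAccount account, RemoteAuthenticationUserOptions options)
    {
        // Let the base class build the principal from the remaining token claims first.
        var user = await base.CreateUserAsync(account, options);

        if (user.Identity is ClaimsIdentity identity && identity.IsAuthenticated)
        {
            foreach (var role in account.Roles)
            {
                // One claim per role, typed as options.RoleClaim ("roles" above),
                // so ClaimsPrincipal.IsInRole("Admin") and [Authorize(Roles = "Admin")]
                // now compare against "Admin" rather than the JSON array text.
                identity.AddClaim(new Claim(options.RoleClaim, role));
            }
        }

        return user;
    }
}
```

With this in place the claim dump from the question prints one `roles:...:Admin` line per assigned app role instead of a single line carrying the array, and a user holding both `Admin` and `GlobalViewer` satisfies either `Roles = "Admin"` or `Roles = "GlobalViewer"` on its own. The `RoleClaim` value and the claim type emitted by the factory must agree; if one is changed the other has to follow, or authorization silently falls back to denying every role check.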
