Your code is great, but in my testing of role access with Azure and Azure AD I found that I had to modify the RequireClaim call to look at the claim type "roles" to get a match. Also, what was interesting when testing with IIS Express is that the roles never showed up in the Claims collection, so I just looked for my email address in preferred_username.
MyCode => Blazor Server website using Azure AD authentication, with roles defined in the client ID and set up in the enterprise client ID. Using Microsoft.Identity.Web and .NET Core 5.0.
Gary
/// <summary>
/// Names of the authorization policies registered with <c>AddPolicy</c>.
/// In the production/PPE branch each value is also the string expected in the
/// token's "roles" claim, so policy name and app-role value are kept identical.
/// </summary>
public class RoleLevel
{
    /// <summary>Policy / role value "Reader".</summary>
    public const string READERS = "Reader";

    /// <summary>Policy / role value "Submit".</summary>
    public const string SUBMITTERS = "Submit";

    /// <summary>Policy / role value "Configure".</summary>
    public const string CONFIGURERS = "Configure";

    /// <summary>Policy / role value "Admin".</summary>
    public const string ADMIN = "Admin";
}
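services.AddMicrosoftIdentityWebAppAuthentication(Configuration);

// Read the hosting environment once. The comparison is case-insensitive, matching
// how ASP.NET Core's own IHostEnvironment environment checks compare names, so a
// value such as "production" cannot silently fall through to the developer branch.
string environmentName = Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT") ?? string.Empty;
bool isProduction = string.Equals(environmentName, "Production", StringComparison.OrdinalIgnoreCase);
bool isPPE = string.Equals(environmentName, "PPE", StringComparison.OrdinalIgnoreCase);
bool isDevelopment = string.Equals(environmentName, "Development", StringComparison.OrdinalIgnoreCase);

// Each policy name doubles as the app-role value expected in the token's "roles" claim.
string[] roleNames = { RoleLevel.SUBMITTERS, RoleLevel.READERS, RoleLevel.CONFIGURERS, RoleLevel.ADMIN };

services.AddAuthorization(options =>
{
    // Fail closed: only an explicit "Development" environment uses the
    // preferred_username fallback. Previously *any* environment other than
    // Production/PPE (including a deployed host where ASPNETCORE_ENVIRONMENT was
    // left unset or misspelled) granted every policy to a single hard-coded account.
    // Unknown environments now require the app-role claims, the same as production.
    bool useDeveloperFallback = !isProduction && !isPPE && isDevelopment;

    foreach (string role in roleNames)
    {
        // Local IIS Express sign-in did not surface the "roles" claim, so the developer
        // branch matches on preferred_username instead. preferred_username is a
        // display-oriented claim rather than a stable identifier, which is one more
        // reason this path is restricted to Development; consider moving the account
        // into configuration rather than keeping it in source.
        string claimType = useDeveloperFallback ? "preferred_username" : "roles";
        string claimValue = useDeveloperFallback ? "gawood@x.com" : role;

        options.AddPolicy(role, policy => policy.RequireClaim(claimType, claimValue));
    }
});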