2

I am writing a Blazor WASM application (i.e. an API and a Blazor WASM client) that

  1. Uses Azure Active Directory for authentication
  2. Uses custom role-based authorization (e.g. from a users table with user IDs (from Azure) and the custom roles in the app database)

Background: The reason I can't use Azure Active Directory for authorization is that the Azure administrators are not willing to give the app the necessary Azure privilege to assign roles to users.

Conceptually, how do I do this?

Specific questions:

  • In the client I can check whether or not the user is logged in with Azure Active Directory from the JWT, but how do I also check which roles the user has? Do I have to make the server create another JWT and keep track of two JWTs in the client?
  • 1
    Yes, have the server make another JWT. You don't need to keep track of both, only the one your server made. When making it, that's when you look for the Azure Active Directory JWT. You should be able to achieve this by adding Active Directory as an external login provider to [Asp.Net Core Identity](https://learn.microsoft.com/en-us/aspnet/core/security/authentication/identity?view=aspnetcore-5.0&tabs=visual-studio). – Andrew Williamson Jul 06 '21 at 00:00
  • 1
    This is how I mixed AAD authentication with authorisation defined in a table. I used an event to capture authentication, and after that, added _claims_ to the native authentication object. https://stackoverflow.com/questions/43343399/capturing-login-event-so-i-can-cache-other-user-information – Nick.Mc Jul 06 '21 at 03:02
  • @TheGeneral I made a request to my university's security team. The problem is that in Azure, the privilege to grant app roles to users gives the app the privilege to grant app roles for all apps in the tenant, i.e. it can't be limited to my app, and they weren't okay with that. But I don't want the users of this app to have to contact IT support every time they want to grant faculty or students access to use the app. Does that make sense? –  Jul 06 '21 at 08:10
  • @AndrewWilliamson Can you show me an example of how to do this? –  Jul 19 '21 at 23:05
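The server-side shape of what the comments above describe (validate the AAD token, then attach roles from the app's own tables as claims), as an added example that is not code from the question, the comments or the answer. It assumes Microsoft.Identity.Web validates the AAD bearer token, a .NET 6+ web project with implicit usings, and a hypothetical `IAppRoleStore` whose in-memory implementation is seeded with constructed object IDs and roles in place of the real users/roles tables; the `/api/me/roles` and `/api/grades` endpoints and the `FacultyOnly` policy name are likewise made up for the illustration.

```csharp
// Added example (not from the page): ASP.NET Core API, Program.cs plus supporting types.
// Assumes Microsoft.Identity.Web for token validation and .NET 6+ implicit usings.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

// 1. Authentication: AAD issues and signs the token; the API only validates it.
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));

// 2. Authorization data comes from the app database, not from AAD app roles.
builder.Services.AddSingleton<IAppRoleStore, InMemoryRoleStore>();   // hypothetical store
builder.Services.AddTransient<IClaimsTransformation, DbRoleClaimsTransformation>();
builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("FacultyOnly", p => p.RequireAuthenticatedUser().RequireRole("Faculty"));
    options.FallbackPolicy = options.DefaultPolicy; // every endpoint requires a valid AAD token unless it opts out
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Lets the Blazor client discover its roles for rendering; enforcement stays on the server.
app.MapGet("/api/me/roles", (ClaimsPrincipal user) =>
    user.FindAll(((ClaimsIdentity)user.Identity!).RoleClaimType).Select(c => c.Value));

// Role-gated endpoint: the role claim it relies on is added by DbRoleClaimsTransformation below.
app.MapGet("/api/grades", () => new[] { "A", "B" }).RequireAuthorization("FacultyOnly");

app.Run();

public interface IAppRoleStore
{
    Task<IReadOnlyList<string>> GetRolesAsync(string azureObjectId, CancellationToken ct);
}

// Constructed sample rows; a real implementation queries the users/roles tables.
public sealed class InMemoryRoleStore : IAppRoleStore
{
    private static readonly Dictionary<string, string[]> Rows = new()
    {
        ["11111111-1111-1111-1111-111111111111"] = new[] { "Faculty", "Admin" },
        ["22222222-2222-2222-2222-222222222222"] = new[] { "Student" },
    };

    public Task<IReadOnlyList<string>> GetRolesAsync(string azureObjectId, CancellationToken ct) =>
        Task.FromResult<IReadOnlyList<string>>(
            Rows.TryGetValue(azureObjectId, out var roles) ? roles : Array.Empty<string>());
}

// Runs inside AuthenticateAsync after the AAD token is validated and adds the app's roles
// as role claims, so RequireRole / [Authorize(Roles = ...)] work without AAD app roles.
public sealed class DbRoleClaimsTransformation : IClaimsTransformation
{
    // AAD object id: stable per user per tenant. Do not key the table on email or UPN;
    // those can be renamed or reassigned, which would hand one person's roles to another.
    private const string ObjectIdClaim =
        "http://schemas.microsoft.com/identity/claims/objectidentifier";
    private const string Marker = "app_roles_loaded"; // transformation can run more than once per request

    private readonly IAppRoleStore _store;
    public DbRoleClaimsTransformation(IAppRoleStore store) => _store = store;

    public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        if (principal.Identity is not ClaimsIdentity { IsAuthenticated: true } identity
            || identity.HasClaim(c => c.Type == Marker))
            return principal;

        // JwtBearer maps "oid" to the long URI by default; accept either form.
        var oid = principal.FindFirstValue(ObjectIdClaim) ?? principal.FindFirstValue("oid");
        if (string.IsNullOrEmpty(oid))
            return principal; // no stable subject: grant nothing rather than guess

        // Work on a copy so the principal cached by the handler is not mutated.
        var result = principal.Clone();
        var resultIdentity = (ClaimsIdentity)result.Identity!;
        foreach (var role in await _store.GetRolesAsync(oid, CancellationToken.None))
            resultIdentity.AddClaim(new Claim(resultIdentity.RoleClaimType, role, ClaimValueTypes.String, "AppDb"));
        resultIdentity.AddClaim(new Claim(Marker, "1"));
        return result;
    }
}
```

Two design points worth noting: the roles are looked up on every request rather than minted into a second token, so revoking a role in the table takes effect immediately and the client never has to juggle two JWTs; and the added claims use `identity.RoleClaimType` rather than a hard-coded type, because Microsoft.Identity.Web configures the role claim type on the identity it creates and `RequireRole` checks that same type.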

1 Answer

0

You can create a custom AuthorizeFilter and put your code to authorise users from your local db in it; once the user is authenticated from Azure AD, your authorise filter should check for the roles.

Darshani Jayasekara
  • Can you provide some more detail? What goes on in the aspnet backend and what goes on in the blazor frontend? –  Jul 20 '21 at 22:17
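The frontend half asked about in the comment above, as an added example that is not the answerer's code: a Blazor WebAssembly `AccountClaimsPrincipalFactory` that builds the client-side user from the AAD token and then adds the roles it fetches from the API, so `<AuthorizeView Roles="Faculty">` and `[Authorize(Roles = "Faculty")]` on pages work. It assumes a hypothetical `GET api/me/roles` endpoint that returns the caller's roles as a JSON string array, a placeholder API scope, and the standard hosted-template `BaseAddressAuthorizationMessageHandler` for attaching the access token.

```csharp
// Added example (not from the page): Blazor WebAssembly client, Program.cs plus the factory.
// Assumes the API exposes a hypothetical GET api/me/roles returning ["Faculty", ...].
using System.Net.Http.Json;
using System.Security.Claims;
using Microsoft.AspNetCore.Components.WebAssembly.Authentication;
using Microsoft.AspNetCore.Components.WebAssembly.Authentication.Internal;
using Microsoft.AspNetCore.Components.WebAssembly.Hosting;

var builder = WebAssemblyHostBuilder.CreateDefault(args);

// HttpClient that attaches the AAD access token to calls back to the hosting API.
builder.Services.AddHttpClient("ServerAPI",
        client => client.BaseAddress = new Uri(builder.HostEnvironment.BaseAddress))
    .AddHttpMessageHandler<BaseAddressAuthorizationMessageHandler>();

builder.Services.AddMsalAuthentication(options =>
{
    builder.Configuration.Bind("AzureAd", options.ProviderOptions.Authentication);
    // Placeholder scope: replace with the scope the API app registration exposes.
    options.ProviderOptions.DefaultAccessTokenScopes.Add("api://<api-client-id>/access_as_user");
    options.UserOptions.RoleClaim = "roles"; // claim type AuthorizeView/IsInRole will consult
})
.AddAccountClaimsPrincipalFactory<RemoteAuthenticationState, RemoteUserAccount, DbRoleUserFactory>();

await builder.Build().RunAsync();

// Builds the client-side principal once per sign-in: AAD token claims plus the app's roles
// from the API. This only shapes the UI (hide menus, gate pages); anything the browser holds
// can be edited by the user, so the API re-derives roles from the database on every request.
public sealed class DbRoleUserFactory : AccountClaimsPrincipalFactory<RemoteUserAccount>
{
    private readonly IHttpClientFactory _clients;

    public DbRoleUserFactory(IAccessTokenProviderAccessor accessor, IHttpClientFactory clients)
        : base(accessor) => _clients = clients;

    public override async ValueTask<ClaimsPrincipal> CreateUserAsync(
        RemoteUserAccount account, RemoteAuthenticationUserOptions options)
    {
        var user = await base.CreateUserAsync(account, options);
        if (user.Identity is not ClaimsIdentity { IsAuthenticated: true } identity)
            return user;

        string[] roles;
        try
        {
            roles = await _clients.CreateClient("ServerAPI")
                .GetFromJsonAsync<string[]>("api/me/roles") ?? Array.Empty<string>();
        }
        catch (AccessTokenNotAvailableException)
        {
            // No usable access token yet (consent pending or token expired): render the
            // user as signed in but role-less instead of failing the whole sign-in.
            roles = Array.Empty<string>();
        }

        foreach (var role in roles)
            identity.AddClaim(new Claim(options.RoleClaim, role));
        return user;
    }
}
```

With this in place a page can declare `@attribute [Authorize(Roles = "Faculty")]` and markup can use `<AuthorizeView Roles="Faculty">`, and there is still only one token in play: the AAD access token the client already holds. The roles live in the client-side `ClaimsPrincipal`, not in a second JWT, and the API never trusts them; it performs its own lookup against the users table.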