I have the following scenario. A web site and an API. I need to have communication between both sites.
I login in the web site against azure active directory using OpenIDConnect and I can communite with the API using a JWT token.
Now I want to protect my sites using appRoles. I can do that definig the appRoles in the manifest of both apps and then adding users to these roles in both app registrations. When I login in the web site I can see the roles in User.Identity.Claims. And If I retrieve the JWT token of the API I can see also the appRoles defined in the API app registration.
My problem is that I need to add the users and define the appRoles in both sites. I want to use the same users and roles in both sites, so It's a problem if I have a lot of users and roles. If I want to remove a user from the web siite I need to do the same change in the api site.
So my question is how can I use the same appRoles in both applications and only define appRoles and add users in one place. I can't use Groups, only appRoles.
I don't know if it's possible to define appRoles and users for each role only in the API app registrartion and themn retrieve this appRoles in the web site after a user login (so the User.Identity.Claims will be populate with the same appRoles that I can see in the JWT token)
The goal is to use in my web site [Autorize (Roles="Admin")] in the controllers and also use [Autorize (Roles="Admin")] in the API methods, but the appRole Admin and role's users are only defined in the API app registration.
Which approach is the best to get this goal?
Thanks in advance