PakoPorras-1857 asked:

Azure active directory same appRoles and users in two apps

Hello:

I have the following scenario. I have two apps registered in Azure, one is a web site and another an API. I can log in to the web site and I can make calls to the API using a JWT token.

Now I need to secure both apps. Both apps use the same roles and the same users. My first approach was to create appRoles in both manifests, and then add the users to each role in each app registration.

Everything is working fine and I can use [Authorize(Roles="Admin")] in the controllers of the web site and in the methods of the API.

But it's hard to maintain both appRoles and users in both applications. Each change in one app needs to be replicated in the other one. So my goal is to use only the appRoles and users of one of the app registrations.

Is that possible? Can I define, for example, appRoles and users in the API app registration and use them in the web site? How can I do that?

After the first login in the web site, how can I update the user claims?
Now, if I define roles and users only on the API side, when I check User.Identity.Claims the roles aren't there, so I can't access a page decorated with [Authorize(Roles="Admin")]. If I retrieve a JWT token using the scope of the API, I can see the roles inside the claims. How can I add the JWT token claims into User.Identity.Claims after login and then add them to each request inside the web site?

I can't use Azure groups, only appRoles.

My goal is to use the same roles and users in the web site and in the API, but only defining them in one place.

Is that possible? Which is the best approach to do that?

Thanks

Tags: azure-active-directory, azure-ad-connect
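As an added example (not code from this thread, from Microsoft, or from the asker), here is one way to do what the question describes in an ASP.NET Core web site that signs users in with Microsoft.Identity.Web: an `IClaimsTransformation` that, on each authenticated request, acquires an access token for the API scope (served from Microsoft.Identity.Web's token cache after the first call) and copies the token's `roles` claims into the signed-in principal, so `[Authorize(Roles="Admin")]` works in the web site while the app roles and user assignments live only on the API app registration. The class name, the marker claim and the configuration keys `DownstreamApi:Scopes` and `DownstreamApi:Audience` are my own assumptions.

```csharp
// Added example, not code from the thread. Assumes the Microsoft.Identity.Web and
// System.IdentityModel.Tokens.Jwt packages are referenced. Class and config key names are assumed.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.Configuration;
using Microsoft.Identity.Web;

// Runs on every authenticated request, after the sign-in cookie has been read, and
// enriches the principal with the "roles" claims from an access token issued for the API.
public class ApiRolesClaimsTransformation : IClaimsTransformation
{
    private const string LoadedMarker = "api-roles-loaded";   // hypothetical marker claim, per request only
    private readonly ITokenAcquisition _tokenAcquisition;
    private readonly string[] _scopes;
    private readonly string _expectedAudience;

    public ApiRolesClaimsTransformation(ITokenAcquisition tokenAcquisition, IConfiguration config)
    {
        _tokenAcquisition = tokenAcquisition;
        // e.g. "api://<api-app-id>/.default" (assumed key in appsettings.json)
        _scopes = config.GetSection("DownstreamApi:Scopes").Get<string[]>() ?? Array.Empty<string>();
        // The API app registration's Application ID URI or client ID (assumed key)
        _expectedAudience = config["DownstreamApi:Audience"] ?? string.Empty;
    }

    public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        if (principal.Identity is not ClaimsIdentity identity || !identity.IsAuthenticated)
            return principal;
        if (identity.HasClaim(c => c.Type == LoadedMarker))
            return principal;   // already enriched during this request

        string accessToken;
        try
        {
            // Microsoft.Identity.Web caches the token, so this is not a network round-trip per request.
            accessToken = await _tokenAcquisition.GetAccessTokenForUserAsync(_scopes);
        }
        catch (MicrosoftIdentityWebChallengeUserException)
        {
            // Consent or re-authentication is needed: leave the principal without roles
            // instead of failing the request; [Authorize(Roles=...)] will then deny access.
            return principal;
        }

        // The token was just handed to this app by the Azure AD token endpoint over TLS, so it is
        // read rather than re-validated here; the audience check ensures the roles belong to our API
        // and not to some other resource the app can also call.
        var jwt = new JwtSecurityTokenHandler().ReadJwtToken(accessToken);
        if (!jwt.Audiences.Contains(_expectedAudience))
            return principal;

        // Work on a copy: claims transformations should not mutate the principal they receive.
        var clone = principal.Clone();
        var cloneIdentity = (ClaimsIdentity)clone.Identity!;
        foreach (var role in jwt.Claims.Where(c => c.Type == "roles"))
        {
            // Use the identity's own role claim type ("roles" under Microsoft.Identity.Web) so that
            // [Authorize(Roles = "Admin")] and User.IsInRole("Admin") see the value.
            cloneIdentity.AddClaim(new Claim(cloneIdentity.RoleClaimType, role.Value));
        }
        cloneIdentity.AddClaim(new Claim(LoadedMarker, "true"));
        return clone;
    }
}

// Registration in Startup.ConfigureServices or Program.cs (Microsoft.Identity.Web):
//
// services.AddMicrosoftIdentityWebAppAuthentication(Configuration)
//         .EnableTokenAcquisitionToCallDownstreamApi(
//             Configuration.GetSection("DownstreamApi:Scopes").Get<string[]>())
//         .AddInMemoryTokenCaches();
// services.AddScoped<IClaimsTransformation, ApiRolesClaimsTransformation>();
```

Two points worth keeping in mind with this approach. The roles the web site enforces are now the role assignments on the API app registration, which is exactly what the question asks for, but it also means a user who is assigned no role on the API still signs in to the web site successfully and simply has no roles; if unassigned users must be kept out entirely, turn on "User assignment required" on the web site's enterprise application as well. And the roles are re-derived on every request from the cached token rather than baked into the sign-in cookie, so a role removed on the API side takes effect as soon as the cached token expires, not only at the next login.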

@PakoPorras-1857

Please let us know if the reply below helped resolve your question. If so, please remember to "mark as answer" so that others in the community facing similar issues can easily find a solution.

1 Answer

MarileeTurscak answered:

App roles are very specific to each app and aren't really intended to be shared across apps. They're defined in the app registration manifest for the specific application. https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles

You are better off assigning by group or by user.

This Stack Overflow thread goes over these options in pretty good detail. https://stackoverflow.com/questions/56487790/how-to-manage-azure-ad-app-roles-across-many-applications
