
[Bug] (maybe) missing roles

Open AnthonyGiretti opened this issue 1 year ago • 3 comments

Library version used

8.0.0

.NET version

.NET 8

Scenario

WebSite

Is this a new or an existing app?

None

Issue description and reproduction steps

Roles are missing in the JWT. I upgraded from version 3.2.1, and that version automatically brought roles into the JWT. I tried to add the roles myself with the code snippet below, without success. How do I get roles in version 8.0.0?

Relevant code snippets

```csharp
options.ProviderOptions.DefaultAccessTokenScopes.Add("roles"); // Not working
options.ProviderOptions.AdditionalScopesToConsent.Add("roles"); // Not working
```

Expected behavior

No response

Identity provider

Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)

Regression

No response

Solution and workarounds

No response

AnthonyGiretti avatar Jan 08 '24 20:01 AnthonyGiretti

@AnthonyGiretti : the roles claim is directed by the service (Microsoft Entra), not by the app. See https://learn.microsoft.com/entra/identity-platform/enterprise-app-role-management

jmprieur avatar Jan 09 '24 00:01 jmprieur
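Added example, not code from the MSAL repository or from anyone in this thread: a small diagnostic that base64url-decodes a JWT payload and reports whether Entra issued a `roles` claim, alongside the `scp` claim that delegated scopes land in. It assumes the token is the Entra-issued one the app receives; the sample token at the bottom is constructed inline and unsigned.

```csharp
using System;
using System.Text;
using System.Text.Json;

// App roles appear in the "roles" claim only when the app registration
// defines appRoles and the user (or a group) is assigned one; they are not
// requested through scopes, so "roles" in DefaultAccessTokenScopes changes
// nothing. This inspector only reads the payload: it does not verify the
// signature, so it is a diagnostic aid, never a basis for authorization.
static class TokenClaimInspector
{
    static byte[] Base64UrlDecode(string s)
    {
        string b64 = s.Replace('-', '+').Replace('_', '/');
        switch (b64.Length % 4) { case 2: b64 += "=="; break; case 3: b64 += "="; break; }
        return Convert.FromBase64String(b64);
    }

    // Returns the decoded payload (second segment) of a compact-serialized JWT.
    public static JsonDocument DecodePayload(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("not a compact JWT");
        return JsonDocument.Parse(Base64UrlDecode(parts[1]));
    }

    public static void Report(string jwt)
    {
        using JsonDocument doc = DecodePayload(jwt);
        JsonElement root = doc.RootElement;
        if (root.TryGetProperty("roles", out JsonElement roles))
            Console.WriteLine("roles claim: " + roles.GetRawText());
        else
            Console.WriteLine("no roles claim: check appRoles in the app registration and the user's role assignment");
        if (root.TryGetProperty("scp", out JsonElement scp))
            Console.WriteLine("scp (delegated scopes): " + scp.GetString());
    }

    static void Main()
    {
        // Constructed sample: header and payload only, empty signature segment.
        string header = Convert.ToBase64String(Encoding.UTF8.GetBytes("{\"typ\":\"JWT\",\"alg\":\"RS256\"}")).TrimEnd('=');
        string payload = Convert.ToBase64String(Encoding.UTF8.GetBytes(
            "{\"aud\":\"api://constructed-app\",\"scp\":\"access_as_user\",\"roles\":[\"Admin\"]}")).TrimEnd('=');
        Report(header + "." + payload + ".");
    }
}
```

Run it against a real token copied from the browser's session storage (payload only, never share the full token) to see whether the `roles` claim is actually absent or merely not surfaced by the app.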

Thanks.

Can you clarify? I already set up roles in Entra ID. With MSAL version 3.2.1 they show up in the JWT; they don't anymore in version 8.0.0. In OAuth, you are supposed to request the roles by adding scopes such as "openid roles" in the GET call for OIDC authentication. In the SDK, here are my options, but none are working:

[image: screenshot of the options tried]


AnthonyGiretti avatar Jan 09 '24 14:01 AnthonyGiretti

For now, I have to keep version 3.2.1 which is deprecated to keep roles in the JWT.

AnthonyGiretti avatar Jan 09 '24 22:01 AnthonyGiretti