Role claim type not set to 'roles'
Microsoft.Identity.Web Library: Microsoft.Identity.Web
Microsoft.Identity.Web version: 3.5.0
Web app: Sign-in users
Web API: Not Applicable
Token cache serialization: Not Applicable
Description
I have added authentication to an ASP.NET Core Blazor application (net9.0) like this:
builder.Services.AddMicrosoftIdentityWebAppAuthentication(builder.Configuration, configSectionName: "Azure:Entra");
In my Razor components I can authenticate users adding the [Authorize] attribute.
However, User.IsInRole does not work, as it apparently looks for claims with the type http://schemas.microsoft.com/ws/2008/06/identity/claims/role.
Roles in the principal are actually in the roles claim.
- Shouldn't this be set to the correct value by default?
- Is there a way to override this?
Reproduction steps
- Create a new Blazor app
- Configure authentication with `builder.Services.AddMicrosoftIdentityWebAppAuthentication(builder.Configuration)` in Program.cs
- Add `[Authorize]` to a component, and verify only authenticated users have access.
- Add a role to the attribute `[Authorize(Roles = "Whatever")]` and make sure the user has this role assigned in Microsoft Entra.
- Observe the user is now denied access, even though the role is included in the `roles` claim.
Error message
No response
Id Web logs
No response
Relevant code snippets
See above.
Regression
No response
Expected behavior
The role claim type should be set correctly by default.
Please read this: https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/5-WebApp-AuthZ/5-1-Roles
We could change the roles claims, but that's a breaking change. We can take this for IdWeb 4.
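The workaround the linked 5-1-Roles sample uses, written out as an added example for the Blazor Server setup in this issue (not code from the issue or from the Microsoft.Identity.Web project; the "Azure:Entra" section name, the "Whatever" role and the /whoami diagnostic endpoint are assumptions taken from or added to this thread). It keeps the default registration and only tells the OpenID Connect handler which incoming claim carries app roles:

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

// Same registration as in the issue. Entra puts app roles in a claim named "roles",
// but the principal's RoleClaimType still defaults to the long WS-Federation URI,
// so [Authorize(Roles = "...")] and User.IsInRole(...) never find a match.
builder.Services.AddMicrosoftIdentityWebAppAuthentication(
    builder.Configuration, configSectionName: "Azure:Entra");

// Fix: map the role claim type for the OIDC scheme Id Web registered, so the
// "roles" claim is what IsInRole and the Roles= filter are compared against.
builder.Services.Configure<OpenIdConnectOptions>(
    OpenIdConnectDefaults.AuthenticationScheme, options =>
{
    options.TokenValidationParameters.RoleClaimType = "roles";
});

builder.Services.AddAuthorization();
builder.Services.AddRazorComponents().AddInteractiveServerComponents();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Diagnostic endpoint (assumed, for local verification only): shows which claim
// types the signed-in principal actually carries and whether the role now resolves.
// Remove it before shipping; it discloses the user's claims to the user.
app.MapGet("/whoami", (ClaimsPrincipal user) => new
{
    RoleClaimType = (user.Identity as ClaimsIdentity)?.RoleClaimType,
    Claims = user.Claims.Select(c => $"{c.Type}={c.Value}").ToArray(),
    HasWhateverRole = user.IsInRole("Whatever"),
}).RequireAuthorization();

app.MapRazorComponents<App>().AddInteractiveServerRenderMode();
app.Run();
```

After signing in, /whoami should report RoleClaimType "roles" and HasWhateverRole true for a user with that app role assigned in the Entra app registration; if the claims list has no "roles" entry at all, the problem is the role assignment or the app registration, not the claim mapping.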
@jmprieur can we get the code here added somewhere to the documentation? This was a nightmare to track down.
Seconding @watfordsuzy . This was a frustrating one to track down.