[Feature Request] AuthorizeForGroups and AuthorizeForRoles HttpContext extension methods


I think it would be great if Microsoft.Identity.Web provided two extension methods: AuthorizeForGroupsAsync(string[] groupIds, bool useAppOnly = false) and AuthorizeForTenantRolesAsync(string[] roleIds, bool useAppOnly = false).

AuthorizeForGroupsAsync

I am well aware that the token from AAD can contain groups, but the limit is 200 (my work account is a member of 200+, unfortunately) and transitive membership is not considered. The method would be an extension for HttpContext like ValidateAppRole and would either return the group ids the user is a member of or throw an UnauthorizedAccessException. The limit for checkMemberGroups is 20, so this would be the limit for the input length.

AuthorizeForTenantRolesAsync

This would make it easy to enable, for example, tenant-admin-only access to the application. The input is a list of roleTemplateIds as per this list, provided as a built-in enum with support for specifying custom directory roles as well (maybe add this in the future). Behind the scenes, we list the roles and check the current user's objectId against their members.

Implementation

  • Since it would call Microsoft Graph behind the scenes, it would probably be best to bundle this with the MicrosoftGraph package instead of putting it directly into Microsoft.Identity.Web.
  • I would consider making this both a regular extension method and an attribute for use within Web Apps. The extension method is important when you want to do your custom RBAC based on groups listed in a database. The attribute can be helpful if you want to only let tenant admins access a specific Area of the application.
  • bool useAppOnly as an optional parameter would make it easier to work with client_credentials scenarios, where the user isn't granted access to the specified scopes, since incremental consent may not be the best approach for this (I have always used https://graph.microsoft.com/.default to obtain the token for this use, since you don't always know which of the required scopes is actually assigned to the application).

I have already implemented something similar in the past, so if we agree on where it should be located (e.g. the MicrosoftGraph package), I am perfectly fine with implementing this. I have done a very small POC in a private project already and it works just fine.
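An added sketch of the two extension methods the issue asks for, written here to illustrate the request; it is not the author's draft PR and not code from Microsoft.Identity.Web. It assumes the Microsoft Graph .NET SDK v4 request-builder API (`.Request().PostAsync()` / `.GetAsync()`), that Microsoft.Identity.Web.MicrosoftGraph has registered a `GraphServiceClient` in DI and exposes `WithAppOnly()` and `GetObjectId()`, and that the caller's token already carries the needed Graph permissions. It goes beyond the post in one respect: instead of capping input at 20 group ids, it splits the input into batches of 20, since that cap is per checkMemberGroups call rather than per caller.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Graph;
using Microsoft.Identity.Web;

// Hypothetical extension class; names follow the issue, not any shipped API.
public static class GraphAuthorizationHttpContextExtensions
{
    // Graph's checkMemberGroups action accepts at most 20 group ids per call.
    private const int CheckMemberGroupsBatchSize = 20;

    // Returns the subset of groupIds the signed-in user is a (transitive) member of,
    // or throws UnauthorizedAccessException if none match.
    public static async Task<IReadOnlyList<string>> AuthorizeForGroupsAsync(
        this HttpContext httpContext, string[] groupIds, bool useAppOnly = false)
    {
        if (httpContext is null) throw new ArgumentNullException(nameof(httpContext));
        if (groupIds is null || groupIds.Length == 0)
            throw new ArgumentException("At least one group id is required.", nameof(groupIds));

        var graph = httpContext.RequestServices.GetRequiredService<GraphServiceClient>();

        // Object id of the signed-in user (oid claim); fail closed if it is missing.
        var userObjectId = httpContext.User.GetObjectId();
        if (string.IsNullOrEmpty(userObjectId))
            throw new UnauthorizedAccessException("The caller has no object id claim.");

        var matched = new List<string>();
        for (var offset = 0; offset < groupIds.Length; offset += CheckMemberGroupsBatchSize)
        {
            var batch = groupIds.Skip(offset).Take(CheckMemberGroupsBatchSize).ToList();

            // Delegated: /me/checkMemberGroups. App-only: /users/{oid}/checkMemberGroups
            // with a client_credentials token (WithAppOnly is assumed from Microsoft.Identity.Web.MicrosoftGraph).
            var request = useAppOnly
                ? graph.Users[userObjectId].CheckMemberGroups(batch).Request().WithAppOnly()
                : graph.Me.CheckMemberGroups(batch).Request();

            // checkMemberGroups evaluates transitive membership and returns only the matching ids.
            var page = await request.PostAsync();
            matched.AddRange(page);
        }

        if (matched.Count == 0)
            throw new UnauthorizedAccessException("The caller is not a member of any of the required groups.");
        return matched;
    }

    // Returns the roleTemplateIds (e.g. Global Administrator) the signed-in user holds,
    // or throws UnauthorizedAccessException if none match. Only roles that have been
    // activated in the tenant are returned by /directoryRoles, so an unactivated role never matches.
    public static async Task<IReadOnlyList<string>> AuthorizeForTenantRolesAsync(
        this HttpContext httpContext, string[] roleTemplateIds, bool useAppOnly = false)
    {
        if (httpContext is null) throw new ArgumentNullException(nameof(httpContext));
        if (roleTemplateIds is null || roleTemplateIds.Length == 0)
            throw new ArgumentException("At least one role template id is required.", nameof(roleTemplateIds));

        var graph = httpContext.RequestServices.GetRequiredService<GraphServiceClient>();
        var userObjectId = httpContext.User.GetObjectId();
        if (string.IsNullOrEmpty(userObjectId))
            throw new UnauthorizedAccessException("The caller has no object id claim.");

        var wanted = new HashSet<string>(roleTemplateIds, StringComparer.OrdinalIgnoreCase);
        var rolesRequest = useAppOnly
            ? graph.DirectoryRoles.Request().WithAppOnly()
            : graph.DirectoryRoles.Request();
        var roles = await rolesRequest.GetAsync();

        var granted = new List<string>();
        foreach (var role in roles.CurrentPage.Where(r => r.RoleTemplateId != null && wanted.Contains(r.RoleTemplateId)))
        {
            var membersRequest = useAppOnly
                ? graph.DirectoryRoles[role.Id].Members.Request().WithAppOnly()
                : graph.DirectoryRoles[role.Id].Members.Request();
            var members = await membersRequest.GetAsync();

            // Walk every page of members; large roles can exceed a single page.
            while (members != null)
            {
                if (members.CurrentPage.Any(m => string.Equals(m.Id, userObjectId, StringComparison.OrdinalIgnoreCase)))
                {
                    granted.Add(role.RoleTemplateId);
                    break;
                }
                members = members.NextPageRequest == null ? null : await members.NextPageRequest.GetAsync();
            }
        }

        if (granted.Count == 0)
            throw new UnauthorizedAccessException("The caller holds none of the required directory roles.");
        return granted;
    }
}
```

Both methods fail closed: a missing oid claim, an empty Graph response, or a Graph error all deny access rather than fall through. Callers that need the "which groups/roles" information for their own RBAC (the database-driven case in the post) use the returned list; an attribute for Web Apps would simply call one of these and translate the exception into a 403.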

Issue Analytics

  • State: open
  • Created 3 years ago
  • Comments: 10 (5 by maintainers)

Top GitHub Comments

1 reaction
hajekj commented, Feb 3, 2021

I have created a draft pull request with initial work so you can follow it there. I will also add the attributes and should be good to go. I will probably need help with writing tests, since I suppose your test tenant is off access.

1 reaction
jennyf19 commented, Dec 17, 2020

Thanks @hajekj, seems related to this issue.
