Include Role to access token

Time:01-02

My current status: A user authorises himself in a .net Maui app via MSAL. The access token received is sent as a bearer header to the asp.net API.

// Attach the MSAL access token as a bearer header if one is not already set.
if (_client.DefaultRequestHeaders.Authorization == null) _client.DefaultRequestHeaders.Add("Authorization", "Bearer " + App.Token);

The API requires a role as authorisation.

group.MapGet("/", [RequiredScope(RequiredScopesConfigurationKey = "AzureAd:Scopes")][Authorize(Roles = "AD")] async Task<Results<Ok<List<Clients>>, NotFound>> (string zipCode) =>

The Maui App is registered in Azure AD as "mobile device and desktop application". As a result, the returned access token does not contain the configured role. The role is only included in the ID token. Configuring the token via Optional Claims does not change the access token in any way.

I can read the role from the ID token in the .net Maui app, but how do I get the role into the access token before sending it to the API? Or is there a way to extend the header to include the role?

CodePudding user response:

Is the API registered separately in Azure AD? Roles are returned for the application the token is meant for. In this case if the API app registration does not have the roles then they won't be in the token.

In that case you need to either:

  1. Make one app registration for both the MAUI app and API app (and acquire access token for itself)
  2. Or you will need to add the same roles to the API app registration and set them to the user on both app registrations
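As an added example (not part of the question or the answer), a small Python helper that shows the point behind both options: the API must take roles only from a token whose audience is the API itself, never from the ID token or from a header the client adds. The app ids and claims are constructed placeholders, and the decoder deliberately skips signature verification because it is for local inspection only.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying the signature.
    Inspection only: the API still validates issuer, signature and expiry."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def roles_for_audience(token: str, expected_aud: str) -> list[str]:
    """Roles are only trustworthy when the token was issued for the API (aud).
    A 'roles' claim in a token meant for another audience (the ID token,
    aud = client app id) is ignored, which is what the API does as well."""
    claims = jwt_claims(token)
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if expected_aud not in auds:
        return []
    return list(claims.get("roles", []))


def _fake_jwt(payload: dict) -> str:
    # Constructed, unsigned sample token; "sig" stands in for the signature segment.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(payload)}.sig"


# Constructed placeholder ids (not real tenants or app registrations).
CLIENT_APP_ID = "00000000-0000-0000-0000-00000000c11e"
API_APP_ID = "api://00000000-0000-0000-0000-0000000000a9"

# ID token: aud is the MAUI client, roles present (the situation in the question).
ID_TOKEN = _fake_jwt({"aud": CLIENT_APP_ID, "roles": ["AD"]})
# Access token for the API before roles exist on the API registration.
ACCESS_TOKEN_NO_ROLE = _fake_jwt({"aud": API_APP_ID, "scp": "access_as_user"})
# Access token after the same role is defined and assigned on the API registration.
ACCESS_TOKEN_WITH_ROLE = _fake_jwt({"aud": API_APP_ID, "scp": "access_as_user", "roles": ["AD"]})
```

Run `roles_for_audience(ID_TOKEN, API_APP_ID)` and it returns an empty list even though the ID token carries the role, while the access token issued after option 2 returns `["AD"]`.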