[Feature Request] Provide an IAuthorizationFilter to filter accepted appRoles in web apis called by daemon apps #953

Closed
7 tasks
jmprieur opened this issue Feb 11, 2021 · 2 comments
Labels
enhancement New feature or request

Comments

@jmprieur
Collaborator

jmprieur commented Feb 11, 2021

Is your feature request related to a problem? Please describe.
The current version of microsoft-identity-web provides the RolesRequiredHttpContextExtensions.ValidateAppRole(HttpContext, String[]) Method to verify that the user authenticated in the web API has any of the accepted scopes.

This method must be called in the API methods you are implementing in web APIs called by daemons. In some situations this is a repeating activity with repeating code.

Describe the solution you'd like
Improve the situation by providing an IAuthorizationFilter decorator for API classes and methods like this:

[Authorize]
[RequiredAppRoles("admin", "writer")]
public class HomeController : Controller
{
  /// ...
  public async Task<IActionResult> Action()
  {
  }
}

It should also be possible to provide the roles in the configuration

{
  "AzureAd": {
    // more settings
    "AppRoles": "admin writer"
  }
}

Then, you can reference it in the attribute:

[Authorize]
[RequiredAppRoles(RequiredAppRolesConfigurationKey = "AppRoles")]
public class HomeController : Controller
{
  /// ...
  public async Task<IActionResult> Action()
  {
  }
}

Additional context
Similar to #849, but for app roles (ClaimConstants.Roles and ClaimConstants.Role)

Todo

  • Understand if this is even necessary. Would the [Authorize(Roles="admin")] do the same? This is for roles of users, whereas here this is for daemon apps, but this might be the same underlying claims.

Depending on the outcome, if we want to do this:

@jmprieur jmprieur added the enhancement New feature or request label Feb 11, 2021
@jennyf19
Collaborator

Update to use Policies

@jmprieur
Collaborator Author

Fixed: #1742
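
A sketch of the filter this issue proposes, as an added example that is not part of the thread and not Microsoft.Identity.Web code. The attribute name, property and configuration layout follow the issue's snippets; the claim types checked ("roles", "role", plus ClaimTypes.Role), the fail-closed handling of an empty role list and the 401/403 mapping are assumptions.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical attribute modelled on the issue's proposal.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public sealed class RequiredAppRolesAttribute : Attribute, IAuthorizationFilter
{
    // Assumption: app roles arrive as "roles" or "role" claims, or as
    // ClaimTypes.Role when the JWT handler remaps inbound claim types.
    private static readonly string[] RoleClaimTypes = { "roles", "role", ClaimTypes.Role };
    private readonly string[] _roles;

    public RequiredAppRolesAttribute(params string[] acceptedRoles) => _roles = acceptedRoles;

    // Key under the "AzureAd" section holding a space-separated role list.
    // When set, it replaces the roles passed to the constructor.
    public string RequiredAppRolesConfigurationKey { get; set; } = string.Empty;

    public void OnAuthorization(AuthorizationFilterContext context)
    {
        var user = context.HttpContext.User;
        if (user.Identity?.IsAuthenticated != true)
        {
            context.Result = new ChallengeResult(); // no valid token: 401
            return;
        }

        var accepted = _roles;
        if (!string.IsNullOrEmpty(RequiredAppRolesConfigurationKey))
        {
            var config = context.HttpContext.RequestServices.GetRequiredService<IConfiguration>();
            var value = config[$"AzureAd:{RequiredAppRolesConfigurationKey}"] ?? string.Empty;
            accepted = value.Split(' ', StringSplitOptions.RemoveEmptyEntries);
        }

        // Split defensively in case one claim value carries several roles.
        var granted = user.Claims
            .Where(c => RoleClaimTypes.Contains(c.Type))
            .SelectMany(c => c.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries));

        // Fail closed: an empty or missing accepted list matches nothing.
        if (!granted.Intersect(accepted, StringComparer.Ordinal).Any())
            context.Result = new ForbidResult(); // authenticated, role missing: 403
    }
}
```

A mistyped configuration key yields an empty accepted list and therefore a 403 for every caller, which is the safe direction for a misconfiguration to fail.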
