Workaround for Azure AD groups and Asp.Net Core Roles
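namespace Example
{
    /// <summary>
    /// Re-issues the incoming identity so that Azure AD <c>"groups"</c> claims are read as
    /// role claims by ASP.NET Core (<c>[Authorize(Roles = "...")]</c>, <c>IsInRole</c>),
    /// which otherwise only consult <c>ClaimTypes.Role</c>.
    /// </summary>
    /// <remarks>
    /// Only the claim <em>type</em> used for roles changes; no claims are added, removed or
    /// rewritten, so the role set is exactly the group membership the identity provider put
    /// in the token. Claims transformations can run more than once per request; this one is
    /// safe to repeat because it always rebuilds from the same claim list.
    /// NOTE(review): Azure AD omits the groups claim for users in very many groups (the
    /// "overage" case) and emits an indicator instead — such users would then have no roles
    /// at all. Confirm this is acceptable for the tenant, or fall back to Graph for them.
    /// </remarks>
    public class RoleClaimsTransformation : IClaimsTransformation
    {
        // Claim type ASP.NET Core reads for Identity.Name; same value as ClaimTypes.Name.
        private const string NameClaimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name";

        // Claim type Azure AD uses for group membership (group object ids by default).
        private const string RoleClaimType = "groups";

        // Authentication type stamped on the rebuilt identity; any non-null value keeps
        // IsAuthenticated true, as in the original.
        private const string AuthenticationType = "Federation";

        /// <summary>
        /// Returns a principal whose primary identity reports <c>"groups"</c> claims as roles.
        /// </summary>
        /// <param name="principal">The principal produced by the authentication handler.</param>
        /// <returns>
        /// A new principal built from the first identity of <paramref name="principal"/>; when
        /// there is no identity, <paramref name="principal"/> itself. Never a <c>null</c> task:
        /// the authentication pipeline awaits the result and would otherwise throw.
        /// </returns>
        public Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
        {
            // Like the original, only the first identity is carried over; any further
            // identities on the incoming principal are dropped from the result.
            var identity = principal?.Identities?.FirstOrDefault();
            if (identity == null)
            {
                // The original returned a null Task here, which faults the caller's await.
                // Hand the untouched principal back so authentication completes without roles.
                return Task.FromResult(principal);
            }

            var roleAwareIdentity = new ClaimsIdentity(identity.Claims, AuthenticationType, NameClaimType, RoleClaimType);
            return Task.FromResult(new ClaimsPrincipal(roleAwareIdentity));
        }
    }
}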
using Microsoft.AspNetCore.Builder; | |
using Microsoft.AspNetCore.Hosting; | |
using Microsoft.Extensions.Configuration; | |
using Microsoft.Extensions.DependencyInjection; | |
using Microsoft.AspNetCore.Authentication.AzureAD.UI; | |
using Microsoft.AspNetCore.Authentication; | |
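namespace Example
{
    /// <summary>
    /// Minimal host configuration showing where <see cref="RoleClaimsTransformation"/> is
    /// plugged into the Azure AD authentication pipeline.
    /// </summary>
    public class Startup
    {
        public Startup(IConfiguration configuration)
        {
            Configuration = configuration;
        }

        /// <summary>
        /// Application configuration; its <c>"AzureAd"</c> section is bound to the Azure AD
        /// options, so tenant/client settings stay out of source.
        /// </summary>
        public IConfiguration Configuration { get; }

        /// <summary>
        /// Registers the claims transformation, Azure AD authentication and Razor Pages.
        /// </summary>
        public void ConfigureServices(IServiceCollection services)
        {
            // Transient: the transformation holds no state and may run more than once per request.
            services.AddTransient<IClaimsTransformation, RoleClaimsTransformation>();

            services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
                .AddAzureAD(options => Configuration.Bind("AzureAd", options));

            services.AddRazorPages();
        }

        /// <summary>
        /// Builds the request pipeline. Order matters: routing, then authentication, then
        /// authorization, then endpoints.
        /// </summary>
        public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
        {
            app.UseRouting();

            // UseAuthentication must precede UseAuthorization so the transformed principal
            // (with "groups" as roles) is in place when role checks run.
            app.UseAuthentication();
            app.UseAuthorization();

            app.UseEndpoints(endpoints =>
            {
                endpoints.MapControllers();
                // ConfigureServices calls AddRazorPages, but the original endpoint list only
                // mapped controllers, so no page was routable; map them as well.
                endpoints.MapRazorPages();
            });
        }
    }
}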
To get groups to be sent, your application manifest.json needs to be edited so that groupMembershipClaims is either "All" or "SecurityGroup". Additional permission changes may also be required so that graph data can be read by your application. For whatever reason, the group memberships sent by Microsoft Graph and/or Azure AD do not use the default ClaimTypes.Role; this simplified workaround was tested using a server-side Blazor application on ASP.NET Core 3.0 RTM.