问题
I have a web site that calls an API. To call the API from the web site I'm getting first a jwt token using GetAccessTokenForUserAsync(scope).
My problem is that this method doesn't retrieve user's roles inside the jwt token. My user.identity.claims has a few roles but they are not include in the jwt token.
What I'm missing?
I'm to trying to including the roles in the jwt token because I need to secure my api methods. For example, a method can be called only by AdminMember, other method only can be called by SpecialMember.
Is there another way to secure my api without sending my user's roles?
Thanks
回答1:
Since the roles are defined in your client app's registration, they will only be available in its tokens.
So, there are fundamentally two options:
- Define the same roles in the API app registration as well. You will need to assign the roles on that app as well to the users. This could be made easier by using groups for the role assignments.
- Change the API to use the same app registration. Now you will get the roles in the access token. Using one app registration can mean violating least privilege since then any permission you want to give to either the API or client app will be given to the other as well.
Depending on your case, you can choose either option :)
来源:https://stackoverflow.com/questions/62264921/azure-ad-securing-api-getaccesstokenforuserasync-not-include-claims-roles