
[Documentation] How to verify scope or app role in the same controller action #963

@obryckim

Description

Documentation related to component

Web APIs

Please check all that apply

  • typo
  • documentation doesn't exist
  • documentation needs clarification
  • error(s) in the example
  • needs an example

Description of the issue

I have a web API that is called by BOTH daemon apps (client credential flow) as well as by other apps on behalf of the user.
In versions of Microsoft.Identity.Web prior to 1.6.0, you had to use the VerifyUserHasAnyAcceptedScope extension method on the HttpContext to check for user scopes and the ValidateAppRole extension method to check for app roles.

With this method, we could check scopes or roles based on the token:

using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Identity.Web; // ValidateAppRole / VerifyUserHasAnyAcceptedScope extension methods

// controller method
public async Task<ActionResult<IEnumerable<WidgetDto>>> GetAsync()
{
    this.ValidateUserScopesAndAppRoles(
        new[] { UserScopes.ReadWidgets, UserScopes.ReadWriteWidgets },
        new[] { AppRoles.ReadWidgets, AppRoles.ReadWriteWidgets });

    // ...
    return this.Ok(widgetDtos);
}

// method to validate based on user or daemon app
private protected void ValidateUserScopesAndAppRoles(string[] userScopes, string[] appRoles)
{
    // determine if the token is an app-only token or a user token:
    // an app-only token carries the same value in the oid and sub claims.
    // Both claims must be present; otherwise a token missing both would
    // compare null == null and be treated as app-only.
    var objectIdentifier = this.User.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier")?.Value;
    var subject = this.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
    var isAppOnlyToken = !string.IsNullOrEmpty(objectIdentifier) && objectIdentifier == subject;

    // if the token is an app-only token, validate the app roles
    // otherwise, verify the user scopes (both throw UnauthorizedAccessException on failure)
    if (isAppOnlyToken)
    {
        this.HttpContext.ValidateAppRole(appRoles);
    }
    else
    {
        this.HttpContext.VerifyUserHasAnyAcceptedScope(userScopes);
    }
}

Now that the VerifyUserHasAnyAcceptedScope is obsolete and we should be using the RequiredScope attribute, how can I still allow an api controller method to be called by both users (with scopes) and applications (with app roles) and verify them based on the token type?

If an app calls the method with the RequiredScope attribute, it throws an UnauthorizedAccessException.
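One way to get the "scope or app role, depending on token type" behaviour without the obsolete extension methods is an ASP.NET Core authorization policy evaluated before the action. The following is an added example, not code from the issue author or from Microsoft.Identity.Web; it uses only ASP.NET Core's built-in authorization API. The oid == sub test for app-only tokens is the same heuristic as in the question, the claim-type constants cover both the mapped claim names and the raw JWT names (an assumption; inspect User.Claims to see which your pipeline produces), and the policy name, scope names and app-role names are hypothetical placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Claim types as they appear after the JWT handler's default inbound claim mapping,
// plus the raw JWT names seen when inbound mapping is disabled (assumed here; check
// what your principal actually carries with User.Claims).
static class AadClaims
{
    public const string ObjectId = "http://schemas.microsoft.com/identity/claims/objectidentifier";
    public const string Scope = "http://schemas.microsoft.com/identity/claims/scope";
    public const string Oid = "oid";
    public const string Sub = "sub";
    public const string Scp = "scp";
    public const string Roles = "roles";
}

static class TokenAuthorization
{
    // App-only tokens carry the same value in oid and sub. Both claims must be present:
    // comparing two nulls would otherwise classify a claim-less token as app-only.
    public static bool IsAppOnlyToken(ClaimsPrincipal user)
    {
        var oid = user.FindFirst(AadClaims.ObjectId)?.Value ?? user.FindFirst(AadClaims.Oid)?.Value;
        var sub = user.FindFirst(ClaimTypes.NameIdentifier)?.Value ?? user.FindFirst(AadClaims.Sub)?.Value;
        return !string.IsNullOrEmpty(oid) && oid == sub;
    }

    // The scope claim is a single space-separated string; match whole entries, case-sensitively.
    public static bool HasAnyScope(ClaimsPrincipal user, IEnumerable<string> accepted)
    {
        var scp = user.FindFirst(AadClaims.Scope)?.Value ?? user.FindFirst(AadClaims.Scp)?.Value;
        if (string.IsNullOrWhiteSpace(scp)) return false;
        return scp.Split(' ', StringSplitOptions.RemoveEmptyEntries)
                  .Intersect(accepted, StringComparer.Ordinal)
                  .Any();
    }

    // App roles arrive as one claim per role.
    public static bool HasAnyAppRole(ClaimsPrincipal user, IEnumerable<string> accepted)
    {
        var roles = user.FindAll(ClaimTypes.Role)
                        .Concat(user.FindAll(AadClaims.Roles))
                        .Select(c => c.Value);
        return roles.Intersect(accepted, StringComparer.Ordinal).Any();
    }

    // A user token must carry an accepted scope; an app-only token must carry an accepted role.
    // Roles on a user token are deliberately ignored, matching the split in the question.
    public static bool HasScopeOrAppRole(ClaimsPrincipal user, string[] scopes, string[] appRoles)
        => IsAppOnlyToken(user) ? HasAnyAppRole(user, appRoles) : HasAnyScope(user, scopes);
}

static class WidgetAuthorizationPolicies
{
    public const string Read = "WidgetsRead"; // hypothetical policy name

    // Call from ConfigureServices after the Microsoft.Identity.Web authentication setup.
    public static IServiceCollection AddWidgetPolicies(this IServiceCollection services)
    {
        return services.AddAuthorization(options =>
        {
            options.AddPolicy(Read, policy => policy
                .RequireAuthenticatedUser()
                .RequireAssertion(ctx => TokenAuthorization.HasScopeOrAppRole(
                    ctx.User,
                    scopes: new[] { "Widgets.Read", "Widgets.ReadWrite" },           // hypothetical delegated permissions
                    appRoles: new[] { "Widgets.Read.All", "Widgets.ReadWrite.All" }))); // hypothetical app roles
        });
    }
}

[ApiController]
[Route("api/[controller]")]
public class WidgetsController : ControllerBase
{
    // The policy runs before the action: a token of either kind that lacks the
    // permission gets a 403 from the authorization middleware instead of an exception.
    [HttpGet]
    [Authorize(Policy = WidgetAuthorizationPolicies.Read)]
    public ActionResult<IEnumerable<string>> Get() => Ok(new[] { "widget-1", "widget-2" });
}
```

Because the check lives in the policy rather than in the action body, a caller with the wrong token type or missing permission is rejected with 403 by the middleware, and the action never runs. Two caveats: the oid == sub heuristic depends on the token issuer's claim semantics, so if your tokens include the optional idtyp claim that is a more explicit signal; and if you later need the same split on many actions, a custom IAuthorizationRequirement and handler keeps the accepted scope and role lists out of the policy registration.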

Metadata

Assignees

No one assigned

Labels

documentation (Improvements or additions to documentation), fixed
