.NET 5.0 protected web API - verify scopes or app roles in a single action

[HomerBart]

I am creating a new .NET 5.0 web API that will have actions that need to be called by both applications on behalf of users and by daemon applications. For a single action can Microsoft.Identity.Web be used to verify the scopes (if the action has been called on behalf of a user) or app roles (if the the action is called by a daemon application)? Also is there any documentation or sample code that demonstrates how to do this?

All the documentation I've read so far only seems to cover the scenarios where a single action is called either on behalf of a user or by a daemon application but not both.

I think this question is similar to the issue How to verify scope or app role in the same controller action, however that issue has been closed and doesn't really answer the question.

Thank you

[jmprieur]

@HomerBart
You could use a combination of extension methods, including using them in conditions.

public async Task<IActionResult> Action()
 {
   HttpContext.VerifyUserHasAnyAcceptedScope(scopeRequiredByAPI);
   HttpContext.ValidateAppRole("acceptedRole1");
 }

Does it work for you?

[HomerBart]

Thanks for the quick reply @jmprieur. Yes that would work for us, although how can I check if the call was made on behalf of a user or from a daemon app. Does Microsoft.Identity.Web provide an API for doing this or do I need to dig into the properties of the token?

[jmprieur]

I think that this piece of the doc will help you: https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-protected-web-api-verification-scope-app-roles?tabs=aspnetcore#accepting-app-only-tokens-if-the-web-api-should-be-called-only-by-daemon-apps

string oid = ClaimsPrincipal.Current.FindFirst("oid")?.Value;
string sub = ClaimsPrincipal.Current.FindFirst("sub")?.Value;
bool isAppOnlyToken = oid == sub;

@hpsin, can you please confirm that this is (still) true?

[HomerBart]

Hi @jmprieur and @hpsin,

I've tried the code provided and it doesn't seem to work. ClaimsPrincipal.Current returns null. Since I'm using .NET 5, I've tried using User.Claims instead, however there are no claims whose type is "oid" or "sub". I do see claims with types "http://schemas.microsoft.com/identity/claims/objectidentifier" and "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier". Are these the claims I need to check?

Thank you.

[jmprieur]

Yes. @HomerBart.
depending on the accepted token version of your web API (in the app registration), you'll get v1 (long) claims or v2 (short) claims
With Identity.Web you should use User.GetObjectId() to get the oid or object identifier. We are working on accessors for all the claims (AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#1829). For the moment, you'd want to test for both sub and nameidentifier. The mapping is available from https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/jmprieur/ClaimsMappingImprovement/src/Microsoft.IdentityModel.Aad/ClaimsAccessorsDoc.md

[jmprieur]

@HomerBart : are you using ASP.NET Core ? or .NET 5.0+ ?
In which case you should use HttpContext.User

[julealgon]

@jmprieur did you check this part of his post?

Since I'm using .NET 5, I've tried using User.Claims instead, however there are no claims whose type is "oid" or "sub". I do see claims with types "http://schemas.microsoft.com/identity/claims/objectidentifier" and "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier". Are these the claims I need to check?

I'm also interested in knowing about those claims since I'll be attempting doing this same check tomorrow.