
Client credentials role claim type #222

Closed
1 of 14 tasks
StevenDevooght opened this issue Dec 5, 2019 · 3 comments
Labels
Answered question Further information is requested

Comments

@StevenDevooght

Please provide us with the following information:

This issue is for a: (mark with an x)

- [x] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

The issue was found for the following scenario:

Please add an 'x' for the scenario(s) where you found an issue

  1. Web app that signs in users
    1. with a work and school account in your organization: 1-WebApp-OIDC/1-1-MyOrg
    2. with any work and school account: /1-WebApp-OIDC/1-2-AnyOrg
    3. with any work or school account or Microsoft personal account: 1-WebApp-OIDC/1-3-AnyOrgOrPersonal
    4. with users in National or sovereign clouds 1-WebApp-OIDC/1-4-Sovereign
    5. with B2C users 1-WebApp-OIDC/1-5-B2C
  2. Web app that calls Microsoft Graph
    1. Calling graph with the Microsoft Graph SDK: 2-WebApp-graph-user/2-1-Call-MSGraph
    2. With specific token caches: 2-WebApp-graph-user/2-2-TokenCache
    3. Calling Microsoft Graph in national clouds: 2-WebApp-graph-user/2-4-Sovereign-Call-MSGraph
  3. Web app calling several APIs 3-WebApp-multi-APIs
  4. Web app calling your own Web API 4-WebApp-your-API
  5. Web app restricting users
    1. by Roles: 5-WebApp-AuthZ/5-1-Roles
    2. by Groups: 5-WebApp-AuthZ/5-2-Groups
  6. Deployment to Azure
  7. Other (please describe)

Repro-ing the issue

Repro steps

  1. Acquire a bearer token using the client_credentials flow on the OAuth 2.0 token endpoint (v2).
  2. Use the acquired bearer token to call my api configured with the AddProtectedWebApi extension method.

Expected behavior
To have a valid claims principal identity at this point.

Actual behavior

"Neither scope or roles claim was found in the bearer token." An exception is thrown in WebApiServiceCollectionExtensions.cs.

Possible Solution
Allow http://schemas.microsoft.com/ws/2008/06/identity/claims/role as valid scope claim type?

Additional context/ Error codes / Screenshots

I followed this stackoverflow answer to add application permissions to my .default scope. I can verify that the role claim is present in the claim collection, but it has http://schemas.microsoft.com/ws/2008/06/identity/claims/role as claim type. In ClaimConstants.cs role is defined as type.


@jmprieur jmprieur added enhancement New feature or request and removed enhancement New feature or request labels Dec 5, 2019
@jmprieur jmprieur added Answered question Further information is requested labels Dec 5, 2019
@TiagoBrenck
Contributor

@StevenDevooght I couldn't reproduce the error. I changed the TodoListScope for /.default instead of access_as_user and the application ran fine.

@StevenDevooght
Author

I forgot to uncomment 🤦‍♂️
JwtSecurityTokenHandler.DefaultMapInboundClaims = false;
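The mismatch behind this issue, as an added example (not Microsoft.Identity.Web's or the sample's own code): a constructed app-only token carrying a "roles" claim is validated with System.IdentityModel.Tokens.Jwt twice, with inbound claim mapping on and off, and a check of the kind the protected API performs ("scp" or "roles" present) is run on each result. The issuer, audience and HMAC signing key are placeholders for the demo.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

// Added example: shows why an app-only token's "roles" claim surfaces as
// ClaimTypes.Role (the long schema URI) when inbound claim mapping is left on.
static class RolesClaimMappingDemo
{
    // Constructed secret for this demo only; real Azure AD tokens are RSA-signed.
    static readonly SymmetricSecurityKey Key =
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes("demo-only-secret-of-at-least-32-bytes!"));
    const string Issuer = "https://issuer.example/v2.0";  // placeholder issuer
    const string Audience = "api://placeholder-api";      // placeholder audience

    // client_credentials tokens carry application permissions in "roles" and have no "scp".
    static string IssueAppOnlyToken()
    {
        var jwt = new JwtSecurityToken(
            issuer: Issuer, audience: Audience,
            claims: new[] { new Claim("roles", "Todo.Read.All") },
            expires: DateTime.UtcNow.AddMinutes(5),
            signingCredentials: new SigningCredentials(Key, SecurityAlgorithms.HmacSha256));
        return new JwtSecurityTokenHandler().WriteToken(jwt);
    }

    // Validate with the handler's inbound mapping explicitly on or off.
    static ClaimsPrincipal Validate(string token, bool mapInboundClaims)
    {
        var handler = new JwtSecurityTokenHandler { MapInboundClaims = mapInboundClaims };
        var parameters = new TokenValidationParameters
            { ValidIssuer = Issuer, ValidAudience = Audience, IssuerSigningKey = Key };
        return handler.ValidateToken(token, parameters, out _);
    }

    // The kind of check a protected web API makes before trusting the caller:
    // the token must carry delegated scopes ("scp") or application roles ("roles").
    public static bool HasScopeOrRoles(ClaimsPrincipal principal) =>
        principal.HasClaim(c => c.Type == "scp") || principal.HasClaim(c => c.Type == "roles");

    static void Main()
    {
        string token = IssueAppOnlyToken();
        foreach (bool map in new[] { true, false })
        {
            var principal = Validate(token, map);
            var roleTypes = principal.Claims.Where(c => c.Value == "Todo.Read.All").Select(c => c.Type);
            Console.WriteLine($"MapInboundClaims={map}: roles claim type = {string.Join(",", roleTypes)}; " +
                              $"check passes = {HasScopeOrRoles(principal)}");
        }
    }
}
```

With mapping on, the "roles" claim is renamed to http://schemas.microsoft.com/ws/2008/06/identity/claims/role and the check fails, which is the exception reported above; setting DefaultMapInboundClaims = false (or MapInboundClaims on the handler) keeps the short claim name.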
