1. Updating the code so that the controller checks that the client has the role `access_as_application`.
2. Explains how to direct Azure AD to not even issue a token for a client which would not be approved to get a token for the protected Web API.

Also fixes #35
Claim scopeClaim = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/scope"); | ||
if (scopeClaim != null) | ||
Claim scopeClaim = ClaimsPrincipal.Current.FindFirst("roles"); | ||
if (scopeClaim == null || (scopeClaim.Value != "access_as_application")) | ||
{ |
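Review bot: the added `FindFirst("roles")` line only inspects the first `roles` claim, so a token that carries several app roles with `access_as_application` not listed first is rejected even though the client holds the required role. Consider `ClaimsPrincipal.Current.HasClaim("roles", "access_as_application")` (or iterating `FindAll("roles")`) so any matching role claim passes, while keeping the rejection of tokens that carry no `roles` claim at all.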
some duplicate code, consider adding a function (ValidateRoleClaim) for this authz check.
thanks @henrik-me. Will address in later commit
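One way to write the `ValidateRoleClaim` helper suggested above, as an added example that is not part of the sample project: it checks every `roles` claim in the token rather than only the first, and the `PrincipalWithRoles` builder and its sample role values are constructed here for a self-check, not taken from Azure AD.

```csharp
using System;
using System.Linq;
using System.Security.Claims;

// Added example (not the sample project's code): one helper for the app-role
// check the PR adds inline, so every controller action calls the same function.
public static class RoleClaimValidator
{
    // Azure AD places application roles in the "roles" claim of the access
    // token; this is the value the PR compares against.
    public const string RequiredRole = "access_as_application";

    // Returns true only when at least one "roles" claim equals requiredRole.
    // FindAll (not FindFirst) keeps a token with several app roles from being
    // rejected just because the required role is not listed first.
    public static bool ValidateRoleClaim(ClaimsPrincipal principal, string requiredRole = RequiredRole)
    {
        if (principal == null || string.IsNullOrEmpty(requiredRole))
        {
            return false;
        }

        // Role values are identifiers, so compare them exactly (ordinal, case-sensitive).
        return principal
            .FindAll("roles")
            .Any(c => string.Equals(c.Value, requiredRole, StringComparison.Ordinal));
    }

    // Constructed principals for the self-check below; no real token is parsed.
    private static ClaimsPrincipal PrincipalWithRoles(params string[] roles)
    {
        var identity = new ClaimsIdentity(roles.Select(r => new Claim("roles", r)), "Bearer");
        return new ClaimsPrincipal(identity);
    }

    public static void Main()
    {
        // Token with exactly the required app role.
        Console.WriteLine(ValidateRoleClaim(PrincipalWithRoles("access_as_application")));
        // Token with several app roles, required one listed second: still valid.
        Console.WriteLine(ValidateRoleClaim(PrincipalWithRoles("other_role", "access_as_application")));
        // Token with no roles claim, e.g. a client never assigned the app role: rejected.
        Console.WriteLine(ValidateRoleClaim(PrincipalWithRoles()));
        // Token with a different app role only: rejected.
        Console.WriteLine(ValidateRoleClaim(PrincipalWithRoles("other_role")));
    }
}
```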
I've added a manual step on the PowerShell to set 'User assignment required' and to grant admin consent to the tenant.
LGTM