
Role information of the logged in user #3564

Closed
peterfeng-hub opened this issue May 1, 2021 · 8 comments
Labels
answered (Question has received "first qualified response"), msal-browser (Related to msal-browser package), question (Customer is asking for a clarification, use case or information.)

Comments

@peterfeng-hub

peterfeng-hub commented May 1, 2021

Core Library

@azure/msal-browser

Core Library Version

2.13

Wrapper Library

Not Applicable

Wrapper Library Version

2

Description

How do I get the roles information of the logged in user, please?

The reason is that I'm using "roles" value of the logged in user to determine if the user is authorized to access the protected backend resource.

I was hoping to find the "roles" claim in the payload of the decoded access token, but it seems there is no such property there.

My backend resource's api is published in Azure API Management where a "validate-jwt" policy has been added to validate the access token in the request header to check if there is the correct roles claim value.

MSAL Configuration

const msalConfig = {
    auth: {
        clientId: "my_client_app_id",
        authority: "https://login.microsoftonline.com/<my_tenant_id>"
    },
    cache: {
        cacheLocation: "sessionStorage"
    }
}

Relevant Code Snippets

No response

Identity Provider

Azure AD / MSA

Source

External (Customer)

@peterfeng-hub peterfeng-hub added the question Customer is asking for a clarification, use case or information. label May 1, 2021
@github-actions github-actions bot added the msal-browser Related to msal-browser package label May 1, 2021
@peterfeng-hub peterfeng-hub reopened this May 2, 2021
@derisen
Contributor

derisen commented May 2, 2021

@peterfeng-hub can you confirm that the signed-in user has been added to any roles? To make sure, you can follow the guide: Add app roles to your application and receive them in the token. For a code sample, see React SPA using App Roles.

@derisen derisen added the answered Question has received "first qualified response" label May 2, 2021
@peterfeng-hub
Author

peterfeng-hub commented May 3, 2021

Thanks @derisen for the instructions!

I inadvertently added the app roles to the backend resource api, as opposed to the client app, which explained why I couldn't find the roles information.

Also, I found that the roles claim information exists in the idToken's payload only. The accessToken's payload does not have the roles information. Is it designed that way?

(screenshot)

@derisen
Contributor

derisen commented May 3, 2021

@peterfeng-hub no worries! Can you decode your access token over at jwt.ms? You should be seeing the roles claim in the decoded token.

@peterfeng-hub
Author

Thanks for the quick turnaround, @derisen.

Please see the decoded accessToken. I can't find the roles claim in it. However, if I decode the idToken, both 'roles' and 'groups' claims can be spotted.

(screenshot)

@derisen
Contributor

derisen commented May 3, 2021

@peterfeng-hub ah, my bad : ) The token you show is meant for MS Graph. You should check the token meant for your web API (scp claim will have your web API's scope and no other), provided that you assign users on your web API's app registration as shown below:

(screenshots: step1, step2)

@derisen
Contributor

derisen commented May 3, 2021

I inadvertently added the app roles to the backend resource api, as opposed to the client app, which explained why I couldn't find the roles information.

@peterfeng-hub just to make sure, you were on the right track here - roles should be added to both client and backend apps.

@peterfeng-hub
Author

This is becoming interesting, @derisen.

For the backend resource api, I have added a couple of app roles to it and assigned those roles to the user that I use to sign in.

(screenshot)

The accessToken would not have any roles claim after being decoded IF I do not specify any scopes using the msalInstance.loginPopup() to sign in.

// msalInstance is the PublicClientApplication created from msalConfig (not shown here).
async function logIn() {
    try {
        const loginResponse = await msalInstance.loginPopup({
            // scopes as below commented out.
            // scopes: ["api://c077e0c9-c346-4e02-851b-d2e7fc205895/peter.scope2", "api://c077e0c9-c346-4e02-851b-d2e7fc205895/peter.scope1"],
            redirectUri: "http://localhost:3000/blank.html"
        })
        return loginResponse
    } catch (error) {
        console.log(error)
    }
}

However, if I do specify the scopes by uncommenting the scopes line, the decoded accessToken does indeed have the roles claim value.

@derisen
Contributor

derisen commented May 3, 2021

@peterfeng-hub that's expected. You are requesting an access token for your web api during login (based on the scopes you pass). If you don't, you'll just get an AT for MS Graph (with default scopes openid, etc.). So the roles claim will appear only in ATs meant for your web api, not any other resource (the aud and scp claims tell you which resource the AT is meant for). Just to mention, you can also get the AT using the acquireToken* API.
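The point made in the last reply (roles appear only in the access token whose aud is your web API) and the original question (the backend validating a roles claim) can be made concrete by reading the claims of two tokens. The following is an added example, not code from this issue or from the MSAL library: it decodes a JWT payload without verifying the signature, which is why it is only suitable for UI decisions on the client; the backend (here, the APIM validate-jwt policy) must validate the token itself. The token contents, the role name "Reader" and the audience `api://my-backend-api` are constructed placeholders; the Graph audience is the well-known Microsoft Graph application ID.

```javascript
// Added example: NOT code from the issue or from the MSAL library. It reads the
// claims of an access token to show why the "roles" claim is present in a token
// issued for the backend API but absent from a token issued for Microsoft Graph.
// Decoding a JWT does not verify it: signature, issuer, expiry and audience are
// checked server-side (in this thread, by APIM's validate-jwt policy). The
// client may use these claims for UI decisions only.

function base64UrlDecode(s) {
  // JWT segments are base64url without padding; restore standard base64 first.
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return typeof Buffer !== "undefined"
    ? Buffer.from(padded, "base64").toString("utf8") // Node
    : atob(padded); // browser (ASCII claims only)
}

function base64UrlEncode(s) {
  const b64 = typeof Buffer !== "undefined"
    ? Buffer.from(s, "utf8").toString("base64")
    : btoa(s);
  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Parse the payload (second segment) of a compact JWS. No signature check here.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT (expected 3 segments)");
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Summarise the claims that tell you which resource the token is for (aud),
// which delegated permissions it carries (scp) and which app roles the user
// holds on that resource (roles). A Graph token carries no roles for your API.
function describeAccessToken(token) {
  const claims = decodeJwtPayload(token);
  return {
    aud: claims.aud,
    scopes: typeof claims.scp === "string" ? claims.scp.split(" ") : [],
    roles: Array.isArray(claims.roles) ? claims.roles : [],
  };
}

// True only if the token was issued for `expectedAud` AND lists `role`.
// Checking aud first matters: a role name in a token for another resource
// says nothing about access to this API.
function tokenGrantsRole(token, expectedAud, role) {
  const info = describeAccessToken(token);
  return info.aud === expectedAud && info.roles.includes(role);
}

// --- Constructed sample tokens (dummy signature; real ones are RS256-signed by Azure AD) ---
function sampleToken(payload) {
  const header = base64UrlEncode(JSON.stringify({ typ: "JWT", alg: "RS256" }));
  return `${header}.${base64UrlEncode(JSON.stringify(payload))}.dummy-signature`;
}

const API_AUD = "api://my-backend-api"; // placeholder for the backend API's Application ID URI
const GRAPH_AUD = "00000003-0000-0000-c000-000000000000"; // well-known Microsoft Graph app ID

// Shape of the token loginPopup() returns with no scopes: for Graph, no roles.
const GRAPH_TOKEN = sampleToken({ aud: GRAPH_AUD, scp: "User.Read openid profile", sub: "user-1" });
// Shape of the token returned when the API's scopes are requested: for the API, with roles.
const API_TOKEN = sampleToken({ aud: API_AUD, scp: "peter.scope1 peter.scope2", roles: ["Reader"], sub: "user-1" });

console.log(describeAccessToken(GRAPH_TOKEN));
console.log(describeAccessToken(API_TOKEN));
```

Run under Node and the first summary shows the Graph audience with an empty roles array, while the second shows the API audience, its two scopes and the "Reader" role; `tokenGrantsRole` returns false for the Graph token even though the user holds the role on the API, which is exactly why the audience check comes before the role check.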

@ghost ghost locked as resolved and limited conversation to collaborators May 17, 2021