
Use roles with custom authentication provider #481

Open
Skleni opened this issue Jun 17, 2021 · 14 comments

@Skleni

Skleni commented Jun 17, 2021

Is it possible to access a user's roles when using a custom authentication provider like Auth0? I would have expected that I can configure the provider so that the tokens contain the roles, but I couldn't find any documentation on it. After reading #429 I'm not sure anymore, is this not supported?

I wouldn't even need the built-in SWA roles to work, but without a possibility to access additional claims, I can't implement it myself either.

@mkarmark
Collaborator

Currently we do not support this but we are doing some work currently to improve our roles story. We can definitely consider doing something like this.

@Skleni
Author

Skleni commented Jun 18, 2021

That would be great. I understand this is a rather new technology and I really like the idea of SWAs. They would be a great fit for a lot of our applications, but things like this or the ability to link function app slots to environments are essential to be able to use them productively.

@AverageCakeSlice

AverageCakeSlice commented Jul 22, 2021

Just stumbled across this thread and would like to reiterate the point @Skleni brought up. I would really like to implement this in my application so we can fully utilize Auth0 (or just use another provider to get around the 25 users on custom roles limit), but it doesn't seem to be supported yet.

@adrwh

adrwh commented Oct 5, 2021

Hi, thanks for this article. I am sending custom claims in the OpenID auth app from Okta. I can access those claims when using Okta SDKs and typical ExpressJS apps, but how can I access them in SWA?

@anthonychu
Member

We'll be releasing a feature shortly that will give you the opportunity to access the claims provided by the identity provider and map them to custom roles in Static Web Apps.

@adrwh @AverageCakeSlice @Skleni Can you describe in more detail what you'd like to do with the claims?

@adrwh

adrwh commented Oct 7, 2021

Hi @anthonychu, I want to use them for simple authorization and role-based access. In my user's Okta app profile I will set a custom key/value string attribute, e.g. "Role = Admin", and add that to the claim. Then in my existing Express-based app, I can authenticate the user using the Okta SDKs and retrieve that custom attribute from the access token, then use it in access to routes.

I can obviously use the Okta SDKs in my Azure Static app to achieve the same result, however I would love to simply use the built-in Custom OpenID authentication, retrieve the attribute, and have it attached to the user context, so that I can use it in my app.

@anthonychu
Member

@adrwh Looks like the feature we're working on should work for you. We'll update this thread when it's ready, hopefully in a couple of weeks.

@AverageCakeSlice

@anthonychu pretty much exactly what @adrwh said. It sounds like you guys are already working on it though. Right now I have a really convoluted role-checking service. I'd ideally like to be able to use the custom roles to prevent function execution using something like allowedRoles: ['administrator', 'member', 'guest'] which would be retrieved from the claim. As it currently stands, I have to allow the function to execute, and return an UnauthorizedResult if my role service checks fail, after looking up the user's role information in my DB.

@Skleni
Author

Skleni commented Oct 8, 2021

@anthonychu We have a similar situation as well. We're using Auth0 for the user management and we'd like to manage the roles there as well. At the moment the role assignments are stored in our database and we have to look up the current user's roles on every function execution. This could be avoided if we were able to add them to the claims.

@anthonychu
Member

Here's the newly released feature that allows you to programmatically assign roles. I think it should unblock the scenarios in this thread. See the documentation for more details. There's also a tutorial with a sample app.

@adrwh

adrwh commented Oct 15, 2021

Thank you @anthonychu, read the docs, looks like it will work, I'll try this soon.

@adrwh

adrwh commented Oct 25, 2021

Hi @anthonychu, I have set this up now, but I am guessing we won't be able to debug the GetRoles function using the local auth emulator?

@anthonychu
Member

Not yet. We’re still thinking about the best way to do this.

For now you can do 2 things:

  • Call the auth function locally with something like Postman to ensure it responds with the right roles given an input.
  • Use the local emulator to set custom roles at login to test how your app works with different roles.

@afreire-laptop

afreire-laptop commented Nov 16, 2021

Hi @anthonychu and @mkarmark, thanks a lot for the docs and tutorial.
The tutorial is configured to use Azure AD as the Provider. Is it possible to also obtain an access_token with a custom Identity Provider?

Here's my config:

{
  "routes": [
    {
      "route": "/admin/*",
      "allowedRoles": [ "admin" ]
    },
    {
      "route": "/authenticated/*",
      "allowedRoles": [ "authenticated" ]
    }
  ],
  "responseOverrides": {
    "401": {
      "redirect": "/.auth/login/custom-oidc",
      "statusCode": 302
    }
  },
  "auth": {
    "identityProviders": {
      "customOpenIdConnectProviders": {
        "custom-oidc": {
          "registration": {
            "clientIdSettingName": "CUSTOM_OIDC_CLIENT_ID",
            "clientCredential": {
              "clientSecretSettingName": "CUSTOM_OIDC_CLIENT_SECRET"
            },
            "openIdConnectConfiguration": {
              "wellKnownOpenIdConfiguration": "https://<CUSTOM_OIDC>/.well-known/openid-configuration"
            }
          },
          "login": {
            "nameClaimType": "emails",
            "scopes": ["openid", "email", "profile"]
          }
        }
      }
    }
  }
}
