
[Feature Request] Enable web APIs called by daemon apps to control tokens without roles claim #707

Closed
jmprieur opened this issue Oct 21, 2020 · 3 comments
Labels: enhancement (New feature or request), fixed

@jmprieur (Collaborator)

Why?

Is your feature request related to a problem? Please describe.
Microsoft.Identity.Web enforces that a token has scopes (for delegated permissions) or roles (when called by daemon apps); however, there is another mechanism: the ACL-based authorization pattern, to control tokens without a roles claim.

Describe the solution you'd like
Have a way to specify that the application can bypass the following test, to support the ACL-based authorization for the web API called by daemons:

    // This check is required to ensure that the web API only accepts tokens from tenants where it has been consented and provisioned.
    if (!context.Principal.Claims.Any(x => x.Type == ClaimConstants.Scope)
        && !context.Principal.Claims.Any(y => y.Type == ClaimConstants.Scp)
        && !context.Principal.Claims.Any(y => y.Type == ClaimConstants.Roles)
        && !context.Principal.Claims.Any(y => y.Type == ClaimConstants.Role))
    {
        throw new UnauthorizedAccessException(IDWebErrorMessage.NeitherScopeOrRolesClaimFoundInToken);
    }

Describe alternatives you've considered
None. See the discussion here: #691

Proposed design:

  • Add a new bool property named AllowWebApiToBeAuthorizedByACL in the MicrosoftIdentityOptions, which would be false by default.
  • If this property is true, then avoid throwing in:

        // This check is required to ensure that the web API only accepts tokens from tenants where it has been consented and provisioned.
        if (!context.Principal.Claims.Any(x => x.Type == ClaimConstants.Scope)
            && !context.Principal.Claims.Any(y => y.Type == ClaimConstants.Scp)
            && !context.Principal.Claims.Any(y => y.Type == ClaimConstants.Roles)
            && !context.Principal.Claims.Any(y => y.Type == ClaimConstants.Role))
        {
            throw new UnauthorizedAccessException(IDWebErrorMessage.NeitherScopeOrRolesClaimFoundInToken);
        }
@jmprieur jmprieur added the enhancement New feature or request label Oct 21, 2020
@jmprieur (Collaborator, Author)

@jennyf19 @TaranbirBhullar

@jmprieur (Collaborator, Author)

Thanks @TaranbirBhullar for confirming that this works for you.

@jennyf19 (Collaborator)

Included in 1.2.0 release.
