I have a web API that is called by BOTH daemon apps (client credential flow) as well as by other apps on behalf of the user.
In versions of Microsoft.Identity.Web prior to 1.6.0, you had to use the VerifyUserHasAnyAcceptedScope extension method on the HttpContext to check for user scopes and the ValidateAppRole extension method to check for app roles.
With this method, we could check scopes or roles based on the token:
```csharp
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Identity.Web;

// controller method
public async Task<ActionResult<IEnumerable<WidgetDto>>> GetAsync()
{
    this.ValidateUserScopesAndAppRoles(
        new[] { UserScopes.ReadWidgets, UserScopes.ReadWriteWidgets },
        new[] { AppRoles.ReadWidgets, AppRoles.ReadWriteWidgets });

    // ...

    return this.Ok(widgetDtos);
}

// method to validate based on user or daemon app
private protected void ValidateUserScopesAndAppRoles(string[] userScopes, string[] appRoles)
{
    // determine if the token is an app-only token or a user token
    // (in a client-credentials token the oid and sub claims carry the same value)
    var objectIdentifier = this.User.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier")?.Value;
    var subject = this.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
    var isAppOnlyToken = objectIdentifier == subject;

    // if the token is an app-only token, validate the app roles
    // otherwise, verify the user scopes
    if (isAppOnlyToken)
    {
        this.HttpContext.ValidateAppRole(appRoles);
    }
    else
    {
        this.HttpContext.VerifyUserHasAnyAcceptedScope(userScopes);
    }
}
```
Now that VerifyUserHasAnyAcceptedScope is obsolete and we should be using the RequiredScope attribute, how can I still allow an API controller method to be called by both users (with scopes) and applications (with app roles) and verify them based on the token type?
If an app calls the method with the RequiredScope attribute, it throws an UnauthorizedAccessException.
Documentation related to component: Web APIs
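One way to get a single attribute that works for both callers is to move the token-type branching from the controller into an ASP.NET Core authorization policy and apply it with `[Authorize(Policy = ...)]`; the policy runs before the action, so an app-only token no longer hits the scope check. The code below is an added example written for this page, not code from the question or from Microsoft.Identity.Web (later releases of the library add a `RequiredScopeOrAppPermission` attribute for this case; the policy here is the framework-level equivalent for a version that only has `RequiredScope`). The scope names, app-role names, policy name and sample widget data are assumptions. Two details matter for security: the `idtyp` optional claim, when the app registration emits it, is a more reliable app-only signal than the `oid == sub` heuristic, and the fallback heuristic must require both claims to be present so that a token with neither claim is not mistaken for a daemon token. The check is gated on token type rather than written as "any scope OR any role" because a user token can also carry `roles` (user-assigned app roles), and you usually do not want a role assigned to a user to bypass the scope check for a delegated call.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;

// Scope and app-role names are assumptions; substitute the ones exposed by your app registration.
public static class WidgetPermissions
{
    public const string PolicyName = "WidgetsRead.UserOrApp";
    public static readonly string[] UserScopes = { "Widgets.Read", "Widgets.ReadWrite" };
    public static readonly string[] AppRoles = { "Widgets.Read.All", "Widgets.ReadWrite.All" };
}

public static class TokenTypeChecks
{
    // Claim types after ASP.NET Core's default inbound claim mapping; the raw JWT names
    // ("scp", "oid", "sub", "roles") are also checked in case mapping is turned off.
    private const string MappedScope = "http://schemas.microsoft.com/identity/claims/scope";
    private const string MappedObjectId = "http://schemas.microsoft.com/identity/claims/objectidentifier";

    // True for a client-credentials (daemon) token.
    public static bool IsAppOnly(ClaimsPrincipal user)
    {
        // Preferred signal: the "idtyp" optional claim, when the app registration emits it.
        var idtyp = user.FindFirst("idtyp")?.Value;
        if (idtyp != null)
        {
            return string.Equals(idtyp, "app", StringComparison.OrdinalIgnoreCase);
        }

        // Fallback heuristic (the one used in the question): in an app-only token oid == sub.
        // Both claims must be present; two missing claims must not be read as "app-only".
        var oid = user.FindFirst(MappedObjectId)?.Value ?? user.FindFirst("oid")?.Value;
        var sub = user.FindFirst(ClaimTypes.NameIdentifier)?.Value ?? user.FindFirst("sub")?.Value;
        var hasScp = user.HasClaim(c => c.Type == MappedScope || c.Type == "scp");
        return oid != null && oid == sub && !hasScp;
    }

    public static bool HasAnyScope(ClaimsPrincipal user, IEnumerable<string> accepted)
    {
        // scp is a single space-separated claim value.
        var raw = user.FindFirst(MappedScope)?.Value ?? user.FindFirst("scp")?.Value;
        if (string.IsNullOrWhiteSpace(raw)) return false;
        var granted = raw.Split(' ', StringSplitOptions.RemoveEmptyEntries);
        return granted.Intersect(accepted, StringComparer.Ordinal).Any();
    }

    public static bool HasAnyAppRole(ClaimsPrincipal user, IEnumerable<string> accepted)
    {
        // roles arrives as one claim per role.
        var granted = user.FindAll(ClaimTypes.Role).Concat(user.FindAll("roles")).Select(c => c.Value);
        return granted.Intersect(accepted, StringComparer.Ordinal).Any();
    }
}

[ApiController]
[Route("api/[controller]")]
public class WidgetsController : ControllerBase
{
    // One attribute serves both callers; the policy decides which check applies.
    [HttpGet]
    [Authorize(Policy = WidgetPermissions.PolicyName)]
    public ActionResult<IEnumerable<string>> Get() =>
        Ok(new[] { "widget-1", "widget-2" }); // constructed sample data
}

public static class Program
{
    public static void Main(string[] args)
    {
        var builder = WebApplication.CreateBuilder(args);
        builder.Services.AddMicrosoftIdentityWebApiAuthentication(builder.Configuration);
        builder.Services.AddControllers();
        builder.Services.AddAuthorization(options =>
        {
            options.AddPolicy(WidgetPermissions.PolicyName, policy =>
                policy.RequireAuthenticatedUser()
                      .RequireAssertion(ctx => TokenTypeChecks.IsAppOnly(ctx.User)
                          ? TokenTypeChecks.HasAnyAppRole(ctx.User, WidgetPermissions.AppRoles)
                          : TokenTypeChecks.HasAnyScope(ctx.User, WidgetPermissions.UserScopes)));
        });

        var app = builder.Build();
        app.UseAuthentication();
        app.UseAuthorization();
        app.MapControllers();
        app.Run();
    }
}
```

With this in place a failed check produces a 403 from the authorization middleware instead of an `UnauthorizedAccessException` thrown from inside the action. If you rely on the `idtyp` branch, enable that optional claim on the API's app registration; otherwise only the fallback heuristic runs.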