Authorize ASP.NET Core App By Azure AD Groups Using Graph API

Introduction

 
Business websites use AD groups as authentication mechanisms quite often. Before the cloud era, ASP.NET translated AD groups into roles out of the box. This is no longer possible with Azure AD. At least it's not so simple. Now there are 2 ways you can check group membership,
  • Set Azure AD to include security groups membership information into JWT token.
  • Query Graph API for user groups.
There are many tutorials describing the first approach. It is easy and effective, however it has its limitations. If the user is a member of a lot of groups, the size of the token will grow. There is a limit of 200 group ids in one JWT token. Error message appears, that points you to Graph API, if you try to request token for user with more than 200 groups. This sample demonstrates how to obtain users AD groups from Graph API and assign ASP.NET roles based on these groups. Roles are then stored in cookies, so only first request queries Graph API.
 
The whole sample can be cloned from my GitHub repo.
 

How to run this sample

 
You need access to Azure AD to register your application and check ids of groups.
 

Register Azure AD application

  1. Create new Azure AD application and set its reply URL. I won't cover this in detail.
  2. Set up a secret in Certificates & secrets tab.
  3. In API permissions tab, add permission Microsoft Graph -> GroupMember.Read.All. User.Read is present by default. Don't forget to grant admin consent.
Fill in information about your app into AzureAD section of appsettings.json file.
  1. "AzureAD": {  
  2.     "Instance": "https://login.microsoftonline.com/",  
  3.     "Domain": "<your domain>",  
  4.     "TenantId": "<your tenant id>",  
  5.     "ClientId": "<your client id>",  
  6.     "ClientSecret": "<your client secret>"  
  7.   },  
You would want to place your secret somewhere safer in production application.
 

Assign ASP.NET roles to your Azure AD groups

 
Find guid of your Azure AD groups. In the AuthorizationGroups section of appsettings.json file replace key-value pairs with group id as key and target role as value. You can add as many as you want.
  1. "AuthorizationGroups": {  
  2.   "5b99527f-947b-4e8d-aad5-404f8d39008c": "examplerole1",  
  3.   "2bd89580-1d95-4a9a-98c2-a7a150168cba": "examplerole2"  
  4. },   

Set up endpoints authorization and run the application

 
There are 3 endpoints,
  • / Default endpoint. Requires only to be logged in.
  • /roletest Requires role to grant access.
  • /accessdenied Redirect destination in case of failed authorization.
In Startup.cs modify { Roles = "examplerole1" } to match one of roles specified in previous step.
  1. app.UseEndpoints(endpoints =>  
  2.   {  
  3.       endpoints.MapGet("/", async context =>  
  4.       {  
  5.           await context.Response.WriteAsync("Im authorized (no required role).");  
  6.       }).RequireAuthorization();  
  7.   
  8.       endpoints.MapGet("/roletest", async context =>  
  9.       {  
  10.           await context.Response.WriteAsync("You passed the role test!");  
  11.       }).RequireAuthorization(new AuthorizeAttribute() { Roles = "examplerole1" });  
  12.   
  13.       endpoints.MapGet("/accessdenied", async context =>  
  14.       {  
  15.           await context.Response.WriteAsync("Access denied!");  
  16.       });  
  17.   });  
Run the application.
 

How does it work

 
Here are described key concepts of this project.
 

Azure AD authentication

 
I used Microsoft.AspNetCore.Authentication.AzureAD.UI NuGet package. Startup.cs file changes:
  1. services.AddAuthentication(AzureADDefaults.AuthenticationScheme)  
  2.     .AddAzureAD(options => Configuration.Bind("AzureAD", options));  
  1. app.UseAuthentication();  
  2. app.UseAuthorization();  
This package takes care of setting up Open Id Connect and Cookies.
 

Graph API

 
Class GraphService.cs takes care of all operations against Graph API. Method CheckMemberGroupsAsync gets collection of group ids and returns only ids, that user is member of. This is done by CheckMemberGroups Graph API method.
  1. public async Task<IEnumerable<string>> CheckMemberGroupsAsync(IEnumerable<string> groupIds)  
  2. {  
  3.     //You can check up to a maximum of 20 groups per request (see graph api doc).  
  4.     var batchSize = 20;  
  5.   
  6.     var tasks = new List<Task<IDirectoryObjectCheckMemberGroupsCollectionPage>>();  
  7.     foreach (var groupsBatch in groupIds.Batch(batchSize))  
  8.     {  
  9.         tasks.Add(_client.Me.CheckMemberGroups(groupsBatch).Request().PostAsync());  
  10.     }  
  11.     await Task.WhenAll(tasks);  
  12.   
  13.     return tasks.SelectMany(x => x.Result.ToList());  
  14. }   
Information about which user groups to check is taken from user context. That's why GraphServiceClient must be created on behalf of user with it's token. I've created factory method CreateOnBehalfOfUserAsync for this purpose.
  1. public static async Task<GraphService> CreateOnBehalfOfUserAsync(string userToken, IConfiguration configuration)  
  2. {  
  3.     var clientApp = ConfidentialClientApplicationBuilder  
  4.         .Create(configuration["AzureAD:ClientId"])  
  5.         .WithTenantId(configuration["AzureAD:TenantId"])  
  6.         .WithClientSecret(configuration["AzureAD:ClientSecret"])  
  7.         .Build();  
  8.   
  9.     var authResult = await clientApp  
  10.         .AcquireTokenOnBehalfOf(new[] { "User.Read""GroupMember.Read.All" }, new UserAssertion(userToken))  
  11.         .ExecuteAsync();  
  12.   
  13.     GraphServiceClient graphClient = new GraphServiceClient(  
  14.         "https://graph.microsoft.com/v1.0",  
  15.         new DelegateAuthenticationProvider(async (requestMessage) =>  
  16.         {  
  17.             requestMessage.Headers.Authorization = new AuthenticationHeaderValue("bearer", authResult.AccessToken);  
  18.         }));  
  19.   
  20.     return new GraphService(graphClient);  

Intercepting authentication flow and adding custom claims

 
OpenId exposes OnTokenValidated event. We can use returned token before authentication is finished. It is needed to create Graph API client, that will act on behalf of actual user.
  • Load key-value pairs of group ids and target roles from section AuthorizationGroups of configuration.
  • Create Grap API service on behalf of actual user.
  • Check which groups from configuration is user member of.
  • Create role claims from returned entries.
  • Add these claims to current user.
Added claims are stored in cookie, so other requests do not trigger this event.
  1. services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>  
  2.     {  
  3.         options.Events = new OpenIdConnectEvents  
  4.         {  
  5.             OnTokenValidated = async ctx =>  
  6.             {  
  7.                 var roleGroups = new Dictionary<stringstring>();  
  8.                 Configuration.Bind("AuthorizationGroups", roleGroups);  
  9.   
  10.                 var graphService = await GraphService.CreateOnBehalfOfUserAsync(ctx.SecurityToken.RawData, Configuration);  
  11.                 var memberGroups = await graphService.CheckMemberGroupsAsync(roleGroups.Keys);  
  12.   
  13.                 var claims = memberGroups.Select(groupGuid => new Claim(ClaimTypes.Role, roleGroups[groupGuid]));  
  14.                 var appIdentity = new ClaimsIdentity(claims);  
  15.                 ctx.Principal.AddIdentity(appIdentity);  
  16.             }  
  17.         };  
  18.     });

Conclusion

 
In this article, we learned how to authorize ASP.NET Core applications with Azure Active Directory groups.