This sample uses MS Graph along with B2C Custom Policies to manage user access to applications.
This diagram describes the relationship between the policies, MS Graph, and the admin/client apps:
This repo holds a number of projects. Here's a high-level overview of the top-level folders/projects:
- Administration Application
  This application is a Blazor WebAssembly Hosted app and consists of three projects:
  - Shared Project: a .NET 5.0 shared DLL used by both the Client and Server projects. It contains common model classes, specifically for Azure AD objects.
  - Server Project: an ASP.NET Core 5.0 Web API project invoked by the Client app. Its controllers hold the server-side logic invoked by the Client.
  - Client Project: a Blazor WebAssembly (Hosted) ASP.NET Core 5.0 app. It invokes the various Server controllers for managing user access to Azure AD objects.
- This Web API project is invoked by B2C's Custom Policy during sign-in in order to resolve the user's roles for a given application ID. The `role` claim returned is a string array of role names. This claim is included in the user's token upon successful sign-in.
- Custom Policies for B2C. These policies are taken from the Custom Policy Starter Pack for Social and Local Accounts, and include (in the UserMgt subfolder) the policies for the Sign Up and Sign In logic needed for role resolution.
- Sample Blazor WebAssembly Hosted application (including the standard Server, Client, and Shared folders) that can be used to test the roles applied to a user. Of note is that the Client's Program.cs file includes Authorization Requirements and AuthorizationHandler implementations that show how to check for role claims. Also check out the Client's Razor Page UserStuff.razor, which shows an Authorization Policy for multiple-role access, and the Razor Page AppAdminStuff.razor, which checks for admin-type roles only.
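As an added example of the pattern the sample Client's Program.cs is described as using (this is not code from the repo), here is an authorization requirement plus handler that evaluates the `role` claim the roles Web API returns, with one policy for multi-role pages and one for admin-only pages. The policy names and role names are assumed, and the JSON-array branch covers the case where a token handler delivers the string-array claim as a single claim holding the raw array text.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;
public sealed class AppRoleRequirement : IAuthorizationRequirement // user must hold one of AllowedRoles
{
    public string[] AllowedRoles { get; }
    public AppRoleRequirement(params string[] allowedRoles) => AllowedRoles = allowedRoles;
}
public sealed class AppRoleHandler : AuthorizationHandler<AppRoleRequirement>
{
    private const string RoleClaimType = "role"; // claim name the roles Web API emits into the token

    // Role names from every "role" claim. A value that is itself a JSON array (e.g. "[\"Reader\",\"AppAdmin\"]")
    // is expanded, since some token handlers surface an array-valued claim as one claim holding the raw JSON.
    public static IReadOnlyList<string> GetRoles(ClaimsPrincipal user)
    {
        var roles = new List<string>();
        foreach (var value in user.FindAll(RoleClaimType).Select(c => c.Value.Trim()))
        {
            if (!value.StartsWith('[')) { if (value.Length > 0) roles.Add(value); continue; }
            try { roles.AddRange(JsonSerializer.Deserialize<string[]>(value) ?? new string[0]); }
            catch (JsonException) { /* malformed array claim: grants nothing */ }
        }
        return roles;
    }

    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, AppRoleRequirement requirement)
    {
        if (GetRoles(context.User).Any(r => requirement.AllowedRoles.Contains(r)))
            context.Succeed(requirement); // never call Fail(): another handler may still satisfy the policy
        return Task.CompletedTask;
    }
}

// Registration for the Client's Program.cs; policy and role names here are assumed for illustration.
public static class AuthorizationSetup
{
    public static void AddAppRolePolicies(this IServiceCollection services)
    {
        services.AddSingleton<IAuthorizationHandler, AppRoleHandler>();
        services.AddAuthorizationCore(o =>
        {
            o.AddPolicy("UserStuff", p => p.AddRequirements(new AppRoleRequirement("Reader", "Contributor", "AppAdmin")));
            o.AddPolicy("AppAdminStuff", p => p.AddRequirements(new AppRoleRequirement("AppAdmin")));
        });
    }
}
```

Pages then opt in with `@attribute [Authorize(Policy = "UserStuff")]` or `[Authorize(Policy = "AppAdminStuff")]`, and the handler decides purely from the token's `role` claim rather than from any client-side state.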
Each .NET project has a Dockerfile definition for containerization.
Here's a list of to-dos that I'd like to add to this app:
- Include Groups as assignment targets
- Create a "MyApps" type of page where a user can log in and see what apps they have access to
- Invitation system to send an invite to a user for a specific app
- Redeem-invitation logic for a user redeeming an invitation to an application
- App Admin views to manage user access for an app
- Company Admin views to manage company user access for an app
- Time-based expiration of assigned roles (suggestion from a colleague)