Similar questions have been asked before here but not quite in the same context, which is as follows:
- I have an angular client app using MSAL library.
- I have a .NET API
For simplicity, my API app registration has two app roles, Admin and Normal. Following guidance from Microsoft here: https://learn.microsoft.com/en-us/entra/identity-platform/howto-add-app-roles-in-apps#usage-scenario-of-app-roles I have my roles defined in my API app registration not the client.
However, the client needs to know about these roles as the UI will change depending on the user's role. So is the client meant to peek inside the access token meant for my API to get these roles? That seems very hacky and is not something you normally do in OAuth. If this is the way Microsoft wants us to solve this, does the MSAL lib have some functionality to get the correct access token (as in the one for my API and not another, say for Graph) and then easily read claims/scopes?