I have implemented an ASP.NET Core 8 Web API using .NET 8.0.202.
I have added the following HttpGet action to the default WeatherForecastController
[HttpGet]
[Route("onlyfortestscope")]
[RequiredScope("TestScope")]
public string OnlyForTestScope()
{
return "You have access to this API";
//https://github.com/AzureAD/microsoft-identity-web/issues/1571
}
WebApplication builder code looks like this
builder.Services.AddRequiredScopeAuthorization();
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(o => builder.Configuration.Bind("AzureAd", o));
builder.Services.AddAuthorization(config =>
{
/*
//None of this configuration is working!
config.AddPolicy("default", policy =>
{
policy.RequireAuthenticatedUser();
//policy.RequireScope("CardReader TestScope");
//policy.RequireScope("api://d269eec9-5d0a-409d-bf69-0426237a7153/TestScope");
//policy.RequireClaim("CardReader TestScope");
//policy.RequireClaim("api://d269eec9-5d0a-409d-bf69-0426237a7153/TestScope");
});*/
});
var app = builder.Build();
...
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
My access token (JWT token) contains following scope
"scp": "CardReader TestScope"
I am expecting that since the JWT token has TestScope in it, it should be able to invoke the action onlyfortestscope.
But, any valid JWT token is able to invoke this API endpoint. e.g. following onlyfortestscope action is accessible even if AnyRandomScope is missing in JWT token.
[HttpGet]
[Route("onlyfortestscope")]
[RequiredScope("AnyRandomScope")]
public string OnlyForTestScope()
{
return "You have access to this API";
//https://github.com/AzureAD/microsoft-identity-web/issues/1571
}
I found this similar closed issue but in vain.
Any pointers?