Application User Roles with Azure B2C

00:00

if you want logged in users of your

00:02

website to have different permissions so

00:04

that they can access different parts of

00:06

your application or even your backend

00:08

API then you've come to the right place

00:10

because today we are going to be dealing

00:12

with user roles with azure b2c

00:16

[Music]

00:16

[Applause]

00:21

good morning good afternoon and good

00:23

evening whenever it is I find you and

00:25

welcome along to the channel so if you

00:27

Google for Azure b2c and user roles

00:30

you'll find generally a whole lot of

00:33

negativity around things that it says it

00:36

doesn't support user roles out of the

00:39

box

00:40

and while that's true there is a

00:43

mechanism in Azure b2c that we can

00:46

utilize for this purpose and that is API

00:49

connectors so what are API connectors so

00:53

the way that Azure b2c works is our

00:55

authenticating user goes across to or

00:58

gets redirected to azure b2c

01:01

Azure b2c can then call out to an API so

01:06

this API has got some constraints it

01:08

must be a public endpoint and it must

01:10

also be an HTTP s endpoint so it's got

01:13

to have a certificate installed

01:16

but this API function essentially adds

01:19

extra claims that it passes back to

01:21

Azure b2c so it can be any custom data

01:24

that your particular API wants to inject

01:27

into the user's credentials essentially

01:31

and they get injected into the token

01:33

that then gets sent back to your front

01:36

end

01:37

but there's a problem because it's all

01:40

great when it's up and running but how

01:41

do we develop this locally

01:43

so for the local situation we've got

01:47

Azure b2c still

01:49

and we've got our public endpoint so we

01:52

can use our API that we publish up to

01:55

Azure as part of our application

01:57

and we can actually put a reverse proxy

02:00

function into that API and that reverse

02:04

proxy function can then pull our local

02:07

development machine that we've exposed

02:10

out onto the internet

02:12

and that can do our custom claims at

02:15

that point pass it back through the

02:17

reverse proxy back to Azure b2c and into

02:20

the ID token and the access token this

02:23

means that we can develop locally and

02:26

work out what our claims should be and

02:28

get all that code working before we then

02:30

publish that up to our public API so

02:33

that what it looks like when we move to

02:35

production is that we remove that

02:37

reverse proxy function we reconfigure

02:40

Azure b2c to directly call our function

02:43

that just adds our claims that we've

02:45

been developing locally but now it

02:47

exists in our public API because we've

02:49

pushed that up and so this is what our

02:52

production architecture then looks like

02:53

we could choose to remove that reverse

02:56

proxy function at that point but

02:57

obviously you may want to develop again

02:59

locally to add enhancements to that

03:02

particular function so it might be

03:03

useful to to have that still inside your

03:06

API your decision

03:08

so let's go and dive in and see how we

03:11

can set all of this up so the first

03:13

thing that we're going to have to set up

03:15

is being able to access our Azure

03:18

function locally but from the internet

03:21

so I'm on my router here and you can see

03:26

that my

03:27

local Azure functions run on an internal

03:30

IP address on Port 7071 which is usually

03:33

the default for Azure functions in a

03:35

development environment

03:36

and you can see that I'm port forwarding

03:38

here from my external port on Port

03:40

quadruple 8. so any request that comes

03:43

into my internet IP address on Port

03:45

quadrupilate will forward across to my

03:48

Azure function API how you go about

03:50

setting this up is going to be a unique

03:52

situation for you there's all sorts of

03:55

weird and wonderful ways that people set

03:57

up their development environments these

03:58

days so I'm going to have to leave this

04:00

step to you but this is what works for

04:01

me so with that exposed we can jump over

04:04

into vs code and we can go to our API

04:09

Now API functions where we have all of

04:11

these and the first thing that we're

04:13

going to do is set up this reverse proxy

04:15

function that we're going to publish up

04:16

to our publicly exposed API so let's

04:20

create a new Azure function in here

04:22

which is our simple reverse proxy called

04:25

Simple reverse proxy it takes gets or

04:29

posts and what we need to do in here is

04:32

we're going to take the name of the

04:34

function that we want it to proxy across

04:36

to on the URL as a query argument

04:39

so that's why we're using this query

04:41

parameters dictionary here that I've got

04:43

in a utility function here in this query

04:47

parameters dictionary so this gets the

04:49

query parameter and teases those out

04:52

into a dictionary such that I can then

04:55

query for a given value so I'm looking

04:57

for a func query value on the URL so we

05:00

need somewhere where we can store our

05:02

response body as well then we'll have

05:04

some error handling so if bunk to call

05:09

doesn't actually

05:10

exist on the URL then we'll just return

05:13

an error a bad response or bad request

05:16

rather and then what we're going to do

05:18

is pull the configuration for where our

05:23

actual API is that we want to proxy

05:25

across to so in our case it's our our

05:27

Local Host one but it's going to be our

05:29

internet facing address

05:31

on that Port quadruple 8 for me that I'm

05:35

going to configure into this proxy API

05:38

host environment variable

05:40

so that's going to go into my local

05:42

settings Json file here so let's just go

05:46

and add that in while we're while we're

05:49

here and for now just to prove that the

05:51

simple reverse proxy Works locally it's

05:53

going to proxy across to localhost 7071

05:56

when we deploy to Azure we will set this

05:58

up in the Azure portal and that will

06:00

this will point to my public IP address

06:03

and quadruple 8 as the port we can save

06:06

that and close that and then let's carry

06:09

on with this function so we've got our

06:11

host environment variable but let's just

06:13

do some check-in to make sure that we

06:16

have configured that correctly and again

06:18

if we haven't then we'll send back an

06:21

error then we can start making our call

06:24

to our API so we need a new HTTP client

06:27

that's adding the right usings let's set

06:31

the Base address for our request to our

06:35

host and slash API which is where our

06:38

API lives we can then create a message

06:41

and we use the same

06:43

method the same HTTP verb that's been

06:46

sent in so if it's a post it will

06:48

forward as a post if it's a get it

06:49

before there's a get and we use our

06:52

function to call that we got out of our

06:54

query string up here as the function

06:57

that we want to call so then if it's a

07:00

post only because posts will contain a

07:03

request body then we do that so we get

07:05

the request body and we set that up as

07:08

the content of the message that we're

07:10

folding across we then make our call

07:13

and we get the response back into

07:16

an object here

07:18

and then

07:19

we can go ahead like we have done with

07:22

all our other Azure functions and create

07:24

a corresponding response from that and

07:27

put in that response body

07:29

so we send it back so that's essentially

07:31

just called an Azure function by calling

07:34

this Azure function so let's just run

07:36

that up and prove that that works so we

07:38

can see that we've got our new simple

07:40

reverse proxy function available to us

07:43

so I can come over to something like

07:45

thunderclion and put in a get request

07:47

give it a funk equals and the funk I

07:51

want to call is version so I can see

07:53

that I've got another API call called

07:55

version down here and if I send that in

07:58

I get back a 200 and the version

08:00

information has been returned correctly

08:02

so my reverse proxy is calling route

08:05

background to my own Azure API and

08:08

calling a separate function so that's

08:10

all working so that's good so we can

08:11

push this now up to Azure so that we get

08:15

our reverse proxy functionality

08:17

available in the cloud for us so I'm

08:20

going to go and do that and then we'll

08:22

come back and carry on while that's

08:24

deploying we can jump over to the Azure

08:27

portal and go to my static web app and

08:31

the configuration settings

08:34

and you need to add a new configuration

08:36

setting here I've already done it so

08:38

we're adding our proxy API host that we

08:40

had in our local settings and as I said

08:43

you want to configure this to your

08:44

public IP address and whatever Port

08:47

you're forwarding across to your

08:49

particular API so that's all now

08:51

deployed so I can go to my site that's

08:55

up on Azure and go to the API call

08:58

simple

09:00

RP and give it the funk that I want to

09:04

call and we'll call the version again

09:06

and on my local environment I've got my

09:10

Azure functions up and running and I've

09:12

got a breakpoint in the version function

09:15

so let's give that a go

09:18

and I can see down here

09:21

that Visual Studio is is flashing at me

09:24

saying that it's hit a break point so

09:26

let's go and we are inside of our

09:28

function

09:30

locally we've got our request coming in

09:33

so I'm just gonna let that run

09:36

jump back over here and I can see the

09:39

response has come back correctly from my

09:41

local Azure function so it's an internet

09:43

facing reverse proxy that's calling my

09:46

local development environment

09:48

which is nice

09:50

so that means I can now develop my API

09:53

connector function locally and set up

09:56

Azure b2c to call that reverse proxy but

10:00

we're going to get to all of that in a

10:02

bit so let's stop our API and let's go

10:05

and start on our API connector function

10:09

so we're going to have a function called

10:10

user permissions which takes a post and

10:14

I am going to cut some tutorial Corners

10:17

here like most people do we should

10:19

really have some authentication going on

10:23

in this particular function so out of

10:25

the box b2c for API connectors supports

10:28

basic author or certificate auth so you

10:32

should be validating that authentication

10:35

I'm going to skip over that just the

10:38

brevity of this tutorial because there's

10:40

enough here to show you how this all

10:42

works so given that you are

10:44

authenticated from Azure b2c to actually

10:48

call this API we can then get the

10:51

request body

10:53

as we normally do and we are going to

10:56

create this request connector class so

10:58

we're going to deserialize the request

11:00

body into a request connector object but

11:04

we'll create that in a minute we need to

11:06

do some usual error checking so if our

11:09

request connector isn't correctly

11:11

deserialized then we have to return

11:15

a set response

11:17

from our API connector to inform Azure

11:21

b2c to show a block page so it stops the

11:24

authentication at this point because our

11:26

API function has failed

11:28

and we return that as a bad response so

11:31

and if you want to see the information

11:33

on where I got this from so it's from

11:36

this page over here I'll put a link to

11:39

this in the description but it's about

11:42

adding an API connector to the sign up

11:44

user flow white sign up I'm signing in

11:47

and using it but anyway there we go and

11:50

there's this example responses section

11:52

down here so this is the example of a

11:55

good continuation response so this is

11:57

what you should return if you want the

12:00

login to continue along with your custom

12:03

attributes that you're adding in we'll

12:05

get to that in a minute so this is an

12:07

example of what I was just put in there

12:08

for the error so we share a block page

12:11

we put our error message in and version

12:13

so if we jump back over that's exactly

12:15

what mine looks like so that's our error

12:18

handling so at this point you could

12:21

perform any other validation that you

12:23

want against the payload things like

12:25

does the client ID match is the email

12:27

present Etc you you can do anything

12:29

inside your ISO function obviously so

12:31

add as much validation here as you want

12:33

to make sure that the consumer that's

12:36

calling this function is who they say

12:38

they are once you've passed all the

12:40

authentication and validation checks you

12:43

can then go and look up your custom

12:45

claims that you want to add in so I'm

12:48

hard coding this here but this might

12:50

typically be a database connection

12:52

lookup where you're going to find the

12:55

person who's actually logging in so you

12:58

get this claim coming in in the request

13:00

connector as we'll see in a minute and

13:02

at the moment I'm just checking if

13:04

that's admin then I go and add the admin

13:07

user role to the permissions so everyone

13:10

gets to be a user but only the admin

13:13

user gets to be admin is my simple case

13:17

here that I'm putting in but obviously

13:19

you can go and add in as many different

13:20

types of user permissions as you want

13:22

and I'm comma separating them here so

13:26

they all go into the same custom

13:28

property but comma delimited and then

13:31

finally the last thing that we need to

13:33

do inside this function is actually set

13:36

up that response with our custom claim

13:40

in it so we return a 200 response and we

13:44

return our

13:46

extra permission which is from our user

13:48

permissions comma delimited string

13:52

and we've called that user permissions

13:54

it has to have the extension prefix on

13:58

it that's a b2c convention so we have to

14:01

adhere to that and that's all we need to

14:03

do for our Azure function so let's go

14:06

and create a new file in here request

14:10

connector and let's just paste this in

14:13

so that we can see what this does so

14:15

here's our request connector class and

14:18

so we can see that we've just got some

14:20

properties in here basically and we are

14:22

renaming these so that they get

14:24

deserialized correctly so even though

14:27

we've called it client ID the Json that

14:29

will come in is client underscore ID so

14:31

we've renamed some of these locally

14:34

inside this object but essentially this

14:36

is what gets passed in the step the

14:38

client ID the UI locales the email

14:42

address which is the all-important one

14:44

because that's what we're using as our

14:45

ID to look up our permissions the object

14:48

ID which is the Azure object ID for this

14:51

particular user and some useful other

14:53

information like display name given name

14:56

Etc so we can now jump over to Azure b2c

14:59

in the Azure portal and we need to go to

15:02

this API connectors option here

15:05

and we add a new API connector we'll

15:08

give it a useful name and we'll give it

15:12

the name of our reverse proxy in here

15:15

and we can copy that from here and paste

15:17

that in there but we don't want the

15:19

version function we want user

15:21

permissions which is the Azure function

15:23

that we just created and we'll send in

15:25

some Basics so but we're not validating

15:28

it but we should be yeah so usual secure

15:32

credentials and we'll save that and then

15:34

we've got to go to user attributes to

15:36

add in our new

15:38

custom attribute so these are all the

15:41

default ones we're going to add in a new

15:43

one I'm going to call it user

15:45

permissions if you remember we had over

15:47

in our Azure function we called it use

15:49

permissions here

15:51

so that that has to match

15:53

and we'll make that a string give it

15:56

some useful description and create that

16:00

so now we have our user permissions down

16:02

here which is a custom type

16:05

and then we can go over to our

16:08

user flow that we used for sign in so

16:11

we've got our

16:13

sign in flow and we can go to

16:15

application claims and we can add in

16:19

and select that custom claim that we

16:21

just added and save that and then while

16:24

we're in the sign in user flow we go to

16:27

API connectors we can now see our user

16:31

permissions function in here that's

16:33

available to us so we can select that

16:35

and that's how we wire up b2c to call

16:38

that particular function

16:40

when it's creating the claims so as part

16:43

of the sign in process it will now call

16:45

out to this API that we've configured so

16:48

let's run all this up and give it a test

16:51

and we'll put a breakpoint in our user

16:53

permissions function just so that we can

16:55

see that it gets hit okay so our app is

16:58

up and running so we can this is our

17:01

local one so I'm running on localhost

17:04

I can sign in I get redirected to Azure

17:07

let's log in as the admin

17:11

in this particular case

17:14

and let's sign in and again I can see

17:17

I've hit a break point down in Visual

17:20

Studio code so let's go and jump in

17:23

there and here I am inside my user

17:25

permissions so let's just step over some

17:28

of this so we get our request body let's

17:30

go and have a look at that so we can see

17:32

exactly what that looks like and you can

17:34

see that the email address is the admin

17:36

has passed in so let's carry on so we

17:40

add in our user permissions but

17:43

essentially I've got a user an admin as

17:46

the user permissions that I'm sending

17:48

back so let's just run these through and

17:51

we'll probably find that my

17:52

authentication has failed because I've

17:55

taken too long so let's just now that

17:57

we've seen that up and running and

17:59

working let's take that out

18:01

take the break point out and let's try

18:03

that again

18:05

so that it runs through

18:07

as we would expect and that has signed

18:10

us in

18:12

and I've got some debug Trace in here so

18:15

we can go and look at the ID token

18:17

claims and we can see there's my

18:19

extension user permissions with user and

18:22

admin being passed back in the token

18:24

back to

18:25

the next application which is exactly

18:28

what we want the one on there

18:30

let's just go and get the access token

18:34

as well and if we come over to

18:38

jwt.ms and paste that in we have a look

18:42

at this here

18:43

we can see that we also get the

18:46

extension permissions passed into the

18:48

access token so that means that it's

18:51

available both to our client side next

18:53

application but also to our Azure

18:56

function API when we pass in the access

18:58

token so that's really handy that it

19:01

puts it into both tokens for us because

19:03

we can use that on both sides to make

19:05

sure that the user contains the right

19:08

roles to be able to do what they're

19:10

trying to do so that's all well and good

19:12

but we're obviously not taking any

19:14

advantage of that so how do we plug all

19:16

this now that we're getting these extra

19:18

user roles back into our next

19:21

application so let's get rid of the dev

19:24

tools let's come back over here and we

19:27

know our function API is now working so

19:29

we can now

19:31

close up the API side of this and start

19:33

looking at the next side of it and how

19:36

we can take advantage of some of this so

19:38

inside of our user store we've got our

19:40

auth user store

19:42

what we're going to do is add in a new

19:45

getter in here and we're going to ask if

19:49

the user has a particular permission so

19:52

it's going to query the token that it's

19:54

storing inside this store so we have to

19:56

pass in the required permission that we

19:59

want it to test for and that's going to

20:02

give us back a true or false result so

20:06

inside here we can have an if test that

20:09

says if we've got a current user and the

20:12

user

20:13

has the user permissions claim so what

20:16

we're going to do is we're going to look

20:17

in the user permissions string and we're

20:21

going to see if it contains the required

20:23

permission string that's been passed in

20:26

and if it does we return true so the

20:28

user has that permission and if it

20:30

doesn't we return false and if we don't

20:33

have a user or the user doesn't have any

20:36

user permissions claim in it then we are

20:39

just going to return false back out of

20:42

this method

20:43

so let's save that so then inside of

20:47

something like our header component and

20:50

we can now rather than always showing

20:53

this admin link let's change this so

20:55

that we only show the admin link if you

20:57

are in fact and a user that's got the

21:00

admin role so we need to import the auth

21:03

store in our script as we normally do

21:07

and then we can use the auth store to

21:10

get out the user has permission getter

21:13

and once we've done that that's then

21:15

available to us inside of our next

21:17

template up here

21:19

so we can put in a the if user has

21:24

permission and pass it the string of the

21:26

role that we want the user to possess in

21:28

order to show this particular next link

21:31

so let's save that so that's our app up

21:34

and running and as we can see we don't

21:36

see the admin menu here so let's go and

21:40

sign in let's

21:42

start by signing in as someone who's not

21:46

the admin so good old data just a

21:49

general user he can log in and welcome

21:52

Arthur Dent but he doesn't see the admin

21:54

menu but he does see restricted areas

21:57

because he is logged in and let's sign

21:59

him out let's sign back in as the admin

22:03

this time

22:06

the admin gets the admin user role and

22:09

so we see our admin link over here so

22:12

that's UI stuff inside of nux that you

22:15

can take advantage of the UI rolls quite

22:18

easily but what about our apis if we

22:21

want to restrict things in our API so

22:25

let's jump back over here

22:29

and we can get rid of these

22:31

so inside of our API we've got our

22:34

isolated function authorization

22:38

so we're gonna go and make some changes

22:40

to this to take account of the user role

22:43

that gets passed in

22:44

so let's jump into the authorization

22:47

middleware and right at the top where

22:50

we've got our Scopes we're also going to

22:52

add in our rolls claim type which is

22:55

extension user permissions as we know we

22:57

saw that in the access token

22:59

and then we can change the authorize

23:02

delegated permissions here so last time

23:05

I commented out about user roles and

23:08

said I'm not interested in those but I'm

23:10

now going to change this so that it does

23:11

take account of user roles but it looks

23:13

at my b2c extension

23:16

I'm going to look up the claim for the

23:19

user permissions and split that by the

23:23

delimiter so comma and a space and I'm

23:27

going to remove any empty entries so

23:29

this will get me a collection of the

23:30

user roles now I've got a collection

23:33

that I can use

23:35

I can query that collection to see if

23:38

the role that's been specified against

23:41

the Azure function exists for this user

23:44

so this user possesses the right role to

23:46

be able to call the Azure function that

23:48

they're calling and we'll go and change

23:50

the attribute that we put on the Azure

23:53

function to State what role they need to

23:56

possess in order to call it so that's

23:58

what this is doing here we just need to

23:59

change the last line as well so that as

24:03

well as checking the accepted scope so

24:06

exactly what we what it was doing

24:08

historically which is to check that the

24:10

user has the role and the scope we

24:13

changed this last time so I'm going to

24:15

put it back to how it was so now they

24:17

have to have the role and the scope in

24:20

order to call the function so let's save

24:22

that and then let's jump over to our

24:27

API

24:28

and we've got our b2c

24:32

protected function in here that at the

24:35

moment you have to have the email scope

24:38

in order to be able to call this so we

24:41

are going to change this so that as well

24:43

as email access we give it a user role

24:48

of some value

24:51

and let's say

24:53

admin so only admins can now call this

24:57

b2c protected function let's save that

25:00

and start this up okay so that's up and

25:03

running so let's jump over here

25:06

and we're not signed in so let's go and

25:08

sign in

25:10

and let's do the same test that we did

25:12

before so let's sign in as someone who

25:15

isn't admin I'm going to put on the

25:18

developer tools

25:24

so we can see there that my b2c

25:26

protected function gave me back a 403

25:29

Forbidden because he's not an admin role

25:34

so then let's sign out and sign in as

25:37

admin

25:42

thank you

25:43

this time we get a 200 for our b2c

25:46

protected function and we see our data

25:47

on the page so

25:49

that shows how you can protect your

25:52

Azure functions as well and make sure

25:53

that the people that are calling them

25:55

have the right roles in order to be able

25:57

to call them so that's front end and

25:58

back end secured with user roles using

26:03

Azure b2c so if you found this useful

26:05

please do hit the like button that helps

26:08

it find more people and with that I want

26:10

to thank you very much for watching and

26:12

I will see you in the next video