Support application specific roles in B2C
I would like to be able to add roles that are specific to an application. If you're using Azure AD B2C with multiple applications, you will certainly have different roles, used for Authorization, in the different apps.
Moreover, a user with a role, say administrator, in one application might not be an administrator of another application. This scenario could be supported by adding application roles.
Azure AD B2C supports custom claims, which can be used to add app based roles.
Vansevenant, Stijn commented
I agree with other comments here. We need support of the real "app roles" feature as seen on classic Azure AD.
Currently we only have 2 choices:
- a not ideal workaround with "custom user attributes" and "adding them as a claim" to your "user flow", which has its own limitations and issues (data type StringCollection not supported, no UI in Portal, different behavior from the classic way of working with App Roles in classic AD)
- implementing complex "custom policies" with "API connectors" and calling the Graph API from your own app, leaving "high availability" on something like a login against B2C up to our own responsibility because each login needs to get claims added through our own API
Why have strong "authentication" on B2C but have flawed "authorization"? You want us to develop great & secure applications... then give us the possibility without adding all this unneeded complexity.
Ste Walsh commented
Azure AD should provide native support for appRoles. The proposed workaround isn't suitable.
This makes no sense to be declined, meanwhile Azure AD received role claims support, making OpenID Connect feature complete on it. However, if you want to make use of roles in Azure B2C you need to hack custom claims which aren't even editable in the Azure B2C portal. Please just add the roles claim through the use of Groups like you did on Azure AD; this would make other
Hubert Richard commented
Not finding any really good documentation for RBAC with AAD B2C.
Ashish Moradiya commented
Custom attributes are not suitable for complex scenarios; need to support additional data types and increase the 256 limit.
Sedat Sert commented
The link we are given is simply not feasible. It's not even closely related to role management.
We want to assign roles to users. Custom claims are not proper roles and groups management.
Sven Glöckner commented
I don't agree that this is a hack but just a workaround. I was successful in using a custom claim - Please read here: https://dev.to/sven5/using-custom-claims-for-azure-ad-b2c-roles-720
It's not possible to store a string collection in a claim, and it has a limit of 256 characters :(
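The workaround the comments above describe (a single string custom attribute mapped as a claim, no StringCollection type, 256-character limit) leaves the app to scope roles per application itself. The following is an added example, not code from the thread or from Microsoft: it packs application-specific roles into one string claim, enforces the 256-character limit at write time, and on the consuming side releases only the roles that belong to the application the token was issued for. The claim name `extension_AppRoles` and the client ids are assumptions; the token is assumed to have already been validated (signature, issuer, expiry) before its claims are used.

```python
"""Added example: app-scoped roles inside a single B2C custom-attribute string claim."""
from typing import Dict, List, Set

# Assumed claim name; the real name depends on the custom attribute and user-flow mapping.
ROLES_CLAIM = "extension_AppRoles"
MAX_CLAIM_LEN = 256  # limit for custom attributes, as reported in the thread


def encode_app_roles(roles_by_app: Dict[str, List[str]]) -> str:
    """Serialise {client_id: [role, ...]} as 'client_id:role1,role2;client_id2:...'.

    Rejects separator characters inside ids/roles and raises ValueError when the
    packed value would not fit in the attribute, so the truncation happens here
    rather than silently in the directory.
    """
    for app, roles in roles_by_app.items():
        for item in [app, *roles]:
            if not item or any(sep in item for sep in ":,;"):
                raise ValueError(f"invalid app id or role: {item!r}")
    packed = ";".join(
        f"{app}:{','.join(sorted(set(roles)))}" for app, roles in sorted(roles_by_app.items())
    )
    if len(packed) > MAX_CLAIM_LEN:
        raise ValueError(f"roles claim is {len(packed)} chars, limit is {MAX_CLAIM_LEN}")
    return packed


def decode_app_roles(packed: str) -> Dict[str, Set[str]]:
    """Inverse of encode_app_roles; tolerates an empty or missing claim."""
    result: Dict[str, Set[str]] = {}
    for entry in filter(None, packed.split(";")):
        app, _, roles = entry.partition(":")
        result[app] = {r for r in roles.split(",") if r}
    return result


def roles_for_app(claims: dict, client_id: str) -> Set[str]:
    """Roles for this application only. Requires a token issued for this app (aud)."""
    if claims.get("aud") != client_id:
        return set()  # token belongs to another app: grant nothing
    return decode_app_roles(claims.get(ROLES_CLAIM, "")).get(client_id, set())


def is_authorized(claims: dict, client_id: str, required_role: str) -> bool:
    return required_role in roles_for_app(claims, client_id)


# Constructed sample claims (not a real token); admin in one app, reader in another.
SAMPLE_CLAIMS = {
    "aud": "app-billing",
    "sub": "user-1",
    ROLES_CLAIM: encode_app_roles({"app-billing": ["reader"], "app-admin": ["admin"]}),
}
```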
Radoslaw Maziarka (PGS Software) commented
I don't understand how could it be so easily decided as declined. Azure AD B2C without proper roles management makes developers do hacks instead of focusing on delivering value.
Andrew Weiser commented
This is quite a shortcoming compared to Okta and Auth0, both of which allow for proper Role Based Access Control (RBAC).
We don't want something that can be used as roles, we want real roles. Roles and groups that allow nesting and which can be used across different ADs (trust).
Marcelo di Iorio commented
Are you aware of this https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-access-tokens? You can customize tokens by using scopes.