403 - Forbidden response when calling transfer service /status/request API (Azure AD auth.)
Hi, we are currently using the .dotstatsuite transfer service, but we have replaced Keycloak with Azure AD for authentication. The issue we have with the /status/request API is that it returns 403 - Forbidden with the Azure AD token (it works fine with Keycloak). We looked into the source code and think the Forbidden response is triggered by hitting line 77 in https://gitlab.com/sis-cc/.stat-suite/dotstatsuite-core-transfer/-/blob/develop/DotStatServices.Transfer/Controllers/StatusController.cs:
// Forbid when auth is enabled but no user id could be derived from the token
if (_authConfiguration.Enabled && userPrincipal.UserId == null)
{
    return new ForbidResult();
}
Line 77 is hit because userPrincipal.UserId is null. After looking into the code of the DotStatPrincipal class in https://gitlab.com/sis-cc/.stat-suite/dotstatsuite-core-common/-/blob/develop/DotStat.Common/Auth/DotStatPrincipal.cs, we see that UserId is assigned the email address extracted from the token's email claim:
// UserId is simply the value of the 'email' claim; null if the token has none
Email = principal.Claims
    .FirstOrDefault(x => x.Type == GetClaim(map, "email"))
    ?.Value;
UserId = Email;
The issue is that the Azure AD token we get doesn't have the 'email' claim. We tried some ways and were able to add a custom claim to the token, but we could not add a claim named 'email', probably because email is a reserved claim name. So we wonder whether the dotstatsuite community could help us out by getting the email from another claim. In our Azure AD token, our email address is attached to the upn claim. I wonder if you would be able to add something similar to the following to DotStatPrincipal.cs:
Email = principal.Claims
    .FirstOrDefault(x => x.Type == GetClaim(map, "email"))
    ?.Value;
// Fallback for Azure AD tokens: take the address from the 'upn' claim when 'email' is absent
if (Email == null)
{
    Email = principal.Claims
        .FirstOrDefault(x => x.Type == GetClaim(map, "upn"))
        ?.Value;
}
UserId = Email;
Your help is greatly appreciated.
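The following is an added, stand-alone C# example of the claim-fallback idea described in the post; it is not code from the dotstatsuite project, and the helper name `ResolveUserId`, the preference order email, upn, preferred_username, and the local `LongNames` dictionary (standing in for the project's `GetClaim(map, ...)` lookup) are assumptions made for this example. It also covers a practical caveat worth checking before blaming the token: ASP.NET Core's `JwtSecurityTokenHandler` rewrites short JWT claim names such as `upn` and `email` to the long `ClaimTypes.*` URIs unless inbound claim mapping is disabled, so a comparison against the literal string `"upn"` can fail even when the token carries the claim. Two further cautions for Azure AD: the `upn` claim is not guaranteed to be present (guest accounts in particular may lack it), and email-style claims are mutable, so `oid` or `sub` is the safer key for authorization decisions; when no identity claim resolves, the caller should keep returning Forbid rather than substituting a shared or anonymous id.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Added example, not dotstatsuite code: derive a user id from the first
// usable identity claim on a ClaimsPrincipal, falling back from 'email'
// to claims that Azure AD commonly emits.
public static class ClaimFallbackDemo
{
    // Preference order (an assumption for this example): 'email' first so a
    // Keycloak token keeps resolving exactly as before.
    private static readonly string[] Candidates = { "email", "upn", "preferred_username" };

    // Long claim-type URIs that ASP.NET Core's inbound claim mapping produces
    // for the short JWT names; accept either spelling.
    private static readonly Dictionary<string, string> LongNames = new()
    {
        ["email"] = ClaimTypes.Email,
        ["upn"] = ClaimTypes.Upn,
    };

    public static string? ResolveUserId(ClaimsPrincipal principal)
    {
        foreach (var name in Candidates)
        {
            var value = principal.Claims
                .FirstOrDefault(c => c.Type == name
                    || (LongNames.TryGetValue(name, out var longName) && c.Type == longName))
                ?.Value;
            if (!string.IsNullOrWhiteSpace(value))
                return value;
        }
        // No usable identity claim: the caller should still Forbid.
        return null;
    }

    public static void Main()
    {
        // Constructed principal resembling an Azure AD token without an 'email' claim.
        var azureLike = new ClaimsPrincipal(new ClaimsIdentity(new[]
        {
            new Claim("oid", "00000000-0000-0000-0000-000000000000"),
            new Claim("upn", "alice@contoso.example"),
        }, "Bearer"));

        // The same token after inbound claim mapping rewrote 'upn' to ClaimTypes.Upn.
        var mapped = new ClaimsPrincipal(new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.Upn, "alice@contoso.example"),
        }, "Bearer"));

        // Constructed Keycloak-style principal with a plain 'email' claim.
        var keycloakLike = new ClaimsPrincipal(new ClaimsIdentity(new[]
        {
            new Claim("email", "bob@example.org"),
        }, "Bearer"));

        // Constructed principal carrying no identity claim at all.
        var noIdentity = new ClaimsPrincipal(new ClaimsIdentity(new[]
        {
            new Claim("oid", "11111111-1111-1111-1111-111111111111"),
        }, "Bearer"));

        Console.WriteLine(ResolveUserId(azureLike));
        Console.WriteLine(ResolveUserId(mapped));
        Console.WriteLine(ResolveUserId(keycloakLike));
        Console.WriteLine(ResolveUserId(noIdentity) ?? "(no identity claim; caller should Forbid)");
    }
}
```

If you want to keep comparing against the short claim names only, set `options.MapInboundClaims = false` on the JWT bearer options (or clear `JwtSecurityTokenHandler.DefaultInboundClaimTypeMap`) so the principal keeps the names exactly as they appear in the token.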