I'm in the middle of a project to convert our CMS site to use OIDC/OAUTH for authentication/authorization. So far authentication to the CMS as a user works as expected but I'm running into trouble when I try to secure the Content Delivery API.
I've set up our Azure AD App to include a "ContentApiRead" role claim (type=application) for the client_credentials grant type. I've added a "ContentApiRead" role (mapped role) in the virtual roles section of the web.config. I also overrode the "GetAllRoles" method as suggested here: Content Delivery API and Azure AD | Episerver Developer Community
Finally, I've granted access to "ContentApiRead" to the root of our site.
I can successfully call the API if I disable the minimum role requirement (SetMinimumRoles(string.Empty)) in the ContentDeliveryApiInitialization module, but if I use the default config or specify the minimum role as "ContentApiRead" I get a 401 Unauthorized response; I'm passing the access token in the header prefixed with "Bearer". I get this whether I make the call from Postman or from a C# console app.
I'm probably missing something really simple but I've spent hours trying to figure it out and can't get it to work. Help would be greatly appreciated.
UPDATE - 12/18/2020
It turns out that Azure AD is not returning the "ContentApiRead" role in the token. After inspecting the token, the only role getting returned is:
roles: [
web.config (virtualRoles section):

```xml
<add name="Directory.Read.All" type="EPiServer.Security.MappedRole, EPiServer.Framework" roles="Directory.Read.All" mode="Any" />
```
ContentDeliveryApiInitialization module:

```csharp
// Enclosing registration assumed: the posted fragment is the body of the
// standard Content Delivery API options configuration lambda.
context.Services.Configure<ContentApiConfiguration>(config =>
{
    config.Default()
        .SetMinimumRoles("Directory.Read.All")   // role the caller must hold
        .SetRequiredRole("Directory.Read.All")   // role checked against content ACLs
        .SetSiteDefinitionApiEnabled(true)
        .SetMultiSiteFilteringEnabled(false);
});
```
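A quick way to reproduce the token inspection described in the update, as an added example that is not part of the original post or of Episerver: decode the bearer token's payload (without verifying it, for diagnosis only) and report which roles the Content Delivery API expects but the token does not carry. The sample claims and audience are constructed.

```python
import base64
import json

# Constructed sample claims shaped like an Azure AD client_credentials access
# token whose "roles" claim carries only Directory.Read.All.
SAMPLE_CLAIMS = {
    "aud": "api://example-cms",  # placeholder audience, not a real app ID
    "roles": ["Directory.Read.All"],
    "exp": 1608336000,
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped string from constructed claims (no real signature)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


def bearer_token(authorization_header: str) -> str:
    """Strip the 'Bearer ' scheme from an Authorization header value."""
    scheme, _, token = authorization_header.strip().partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise ValueError("Authorization header is not a Bearer token")
    return token.strip()


def token_claims(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying its signature.
    Inspection only: never use this to authorize a request."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def missing_roles(token: str, required: set) -> set:
    """Roles the API's minimum-role check expects but the token does not carry."""
    present = token_claims(token).get("roles", [])
    if isinstance(present, str):  # a single role may be emitted as a bare string
        present = [present]
    return required - set(present)


if __name__ == "__main__":
    header = "Bearer " + make_unsigned_token(SAMPLE_CLAIMS)
    token = bearer_token(header)
    print("roles in token:", token_claims(token).get("roles"))
    print("missing for ContentApiRead:", missing_roles(token, {"ContentApiRead"}))
```

A non-empty result explains a 401 from the minimum-role check even when the token itself is valid.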