
I can't get optional claims to appear in the JWT ID token for an asp.net core API app I'm creating. For testing I'm using POSTMAN to obtain a Bearer token via its inbuilt OAuth2 mechanism. Specifically, I want the user and profile scopes, that fall under MS Graph, so that I can access the user's verified email address and their first and last name.

I seem to have an identical problem to this question - the first part, where the OP couldn't get the claims to appear at all (e.g. when inspecting the token in debug or via jwt.ms), and this one. In my scenario, I am developing a web API only, that has no UI component. The expectation is that requests will be made in a user context, such that the API can perform Authorization based on user claims.

Beyond wiring up the asp.net core API, I have done the following:

Configuration

  1. Registered the API app (all following done in Azure portal)

    • Multi-tenant
    • Added desired MS Graph API permissions
    • Created a custom scope for my app
    • Added desired optional scopes in token configuration
    • Set accessTokenAcceptedVersion to 2 in manifest
  2. Registered a client app (again, in Azure portal, in same tenant)

    • Added platforms SPA (not used yet, but this will be the primary use-case for access to the API) and Native desktop (for POSTMAN to use)
    • In API Permissions, added my API app scope (per above) and MS Graph permissions

Testing with POSTMAN

  • Set up a request to my locally-running API, using POSTMAN's OAuth2 Authorization method with grant type Authorization Code (With PKCE) and using the relevant URLs for auth and token, Client ID of the client app registration, and setting scope to the custom scope of my API.
  • Everything works in terms of Authentication (my API is configured correctly, associated to the API app registration, and the JWT is coming through correctly to my context in the API). Consent prompt shows the expected permissions when POSTMAN uses the browser to get auth.
  • However the optional claims are not present in the JWT!

What else I've tried

I'm expecting to see the additional claims within the Bearer token that I get from POSTMAN, so I can already see they're not present even without my own API running. So I suspect I've missed a configuration step rather than have a bug in my code.

It's clear to me that I've missed and/or misunderstood something here, and I'm stuck.

sasfrog

    Did you configure the optional claims on the _access token_ for the API? Since that is what you would get in Postman after getting a token for the API. – juunas Jan 16 '21 at 09:35
  • @juunas I’ll double-check – sasfrog Jan 16 '21 at 10:36
  • Oh wow that's all it was. I'd misunderstood and set it all on the ID token!! Thanks @juunas, if you want to add as an answer I'll accept. – sasfrog Jan 16 '21 at 11:09

1 Answer

As discussed in the comments, you need to configure the optional claims on the access token for the API, not the ID token, since you are getting an access token in Postman.

juunas
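The following is an added diagnostic example, not code from the question or the answer, that reproduces the misconfiguration above in a form you can check offline. It assumes the Azure AD app manifest layout where `optionalClaims` is split into `idToken`, `accessToken` and `saml` lists, decodes a constructed v2 access-token payload (placeholder tenant, app and object IDs; the token is unsigned and built only so there is something to parse), and reports whether the expected claims are missing because they were configured on the ID token only, not configured at all, or whether `accessTokenAcceptedVersion` does not match the `ver` claim. Decoding here never replaces signature validation in the API's JwtBearer middleware; it is the same kind of inspection as pasting a token into jwt.ms.

```python
import base64
import copy
import json

# Constructed sample manifest (Azure AD app registration manifest shape, optionalClaims
# split into idToken / accessToken / saml). The claims sit under idToken only, which is
# the misconfiguration described in the question.
SAMPLE_MANIFEST = {
    "accessTokenAcceptedVersion": 2,
    "optionalClaims": {
        "idToken": [
            {"name": "email", "source": None, "essential": False, "additionalProperties": []},
            {"name": "given_name", "source": None, "essential": False, "additionalProperties": []},
            {"name": "family_name", "source": None, "essential": False, "additionalProperties": []},
        ],
        "accessToken": [],
        "saml": [],
    },
}

# Claims the API expects to read from the access token.
EXPECTED_CLAIMS = ["email", "given_name", "family_name"]

# Constructed v2 access-token payload with placeholder identifiers, shaped like what the
# manifest above would produce: the optional claims are absent.
SAMPLE_PAYLOAD_WITHOUT_CLAIMS = {
    "aud": "api://PLACEHOLDER-API-APP-ID",
    "iss": "https://login.microsoftonline.com/PLACEHOLDER-TENANT-ID/v2.0",
    "ver": "2.0",
    "scp": "access_as_user",
    "oid": "PLACEHOLDER-OBJECT-ID",
    "name": "Sample User",
}


def _b64url_decode(segment):
    """Base64url-decode a JWT segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


def decode_jwt_payload(token):
    """Return the claims of a compact JWT. The signature is NOT checked: this is for
    inspecting what a token contains, never for an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def make_unsigned_sample_token(payload):
    """Build an unsigned (alg=none) token purely so the demo has something to parse."""
    header = _b64url_encode({"alg": "none", "typ": "JWT"})
    return ".".join([header, _b64url_encode(payload), ""])


def configured_claims(manifest, token_type):
    """Names of the optional claims configured for 'idToken', 'accessToken' or 'saml'."""
    return {c["name"] for c in manifest.get("optionalClaims", {}).get(token_type, [])}


def diagnose_access_token(manifest, payload, expected):
    """Explain why expected optional claims are missing from an access token."""
    on_access = configured_claims(manifest, "accessToken")
    on_id = configured_claims(manifest, "idToken")
    missing = [name for name in expected if name not in payload]
    return {
        "missing_claims": missing,
        # The exact mistake in the question: configured for the ID token only.
        "configured_on_id_token_only": sorted(set(missing) & (on_id - on_access)),
        "not_configured_anywhere": sorted(set(missing) - on_id - on_access),
        # Optional claims on the API's access token need a v2 token, i.e.
        # accessTokenAcceptedVersion = 2 on the API registration and ver == "2.0".
        "token_version_ok": payload.get("ver") == "2.0"
        and manifest.get("accessTokenAcceptedVersion") == 2,
    }


def move_optional_claims_to_access_token(manifest):
    """Return a corrected copy of the manifest with the idToken claims also on accessToken."""
    fixed = copy.deepcopy(manifest)
    claims = fixed.setdefault("optionalClaims", {})
    have = {c["name"] for c in claims.setdefault("accessToken", [])}
    for claim in claims.get("idToken", []):
        if claim["name"] not in have:
            claims["accessToken"].append(copy.deepcopy(claim))
    return fixed


if __name__ == "__main__":
    token = make_unsigned_sample_token(SAMPLE_PAYLOAD_WITHOUT_CLAIMS)
    report = diagnose_access_token(SAMPLE_MANIFEST, decode_jwt_payload(token), EXPECTED_CLAIMS)
    print(json.dumps(report, indent=2))
```

Run against the sample, the report lists all three claims under `configured_on_id_token_only`, which is the answer's point in machine-checkable form; `move_optional_claims_to_access_token` shows the corrected manifest shape, after which a freshly issued access token (after re-consent, if the Graph permissions changed) should carry the claims.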