Andrii Diachenko

Reputation: 253

Graph Client - Azure AD JWT Custom Claims

I'm trying to set up custom claims for the Client Credentials auth flow in Azure AD.

Using the Graph Client in C#.

However, I do not get my claim in the token.

The flow I'm currently using is the following:

  1. Create an Application
  2. Create Service Principal
  3. Create Extension Property on Application
  4. Create Claims Mapping Policy
  5. Add Additional Data to Application - assign value to extension property
  6. Assign Claims Mapping Policy to Service Principal

Creating the extension property:

// Directory extension on the application object. The Name returned by Graph is the
// full extension name: extension_<AppId without dashes>_<policyName>.
await _graphClient.Applications[app.Id].ExtensionProperties.Request()
    .AddAsync(new ExtensionProperty
    {
        Name = policyName,
        DataType = "String",
        TargetObjects = new List<string> { "Application" }
    });

Creating the Claims Mapping Policy:

// The ExtensionID in the policy must be the full extension name, built from the AppId
// (client ID) of the application the extension property was created on, without dashes.
string appClientIdFormatted = clientId.Replace("-", "");

var claimsMappingPolicy = new ClaimsMappingPolicy
{
    // Definition is a list holding one JSON document describing the claims schema.
    Definition = new List<string>
    {
        "{" +
           "\"ClaimsMappingPolicy\":{" +
                "\"Version\":1," +
                "\"IncludeBasicClaimSet\":\"true\", " +
                "\"ClaimsSchema\": [" +
                    "{" +
                        "\"Source\":\"application\"," +
                        $"\"ExtensionID\":\"extension_{appClientIdFormatted}_{policyName}\"," +
                        $"\"JwtClaimType\":\"{policyName}\"" +
                    "}" +
                "]" +
            "}" +
        "}"
    },
    DisplayName = displayName,
    IsOrganizationDefault = true
};

await _graphClient.Policies.ClaimsMappingPolicies.Request()
    .AddAsync(claimsMappingPolicy);

Assigning a value to the extension property:

// Same full extension name as used in the policy; the value is a string because the
// extension was created with DataType = "String".
var clientIdFormatted = app.AppId.Replace("-", "");

await _graphClient.Applications[app.Id].Request().UpdateAsync(new Application
{
    AdditionalData = new Dictionary<string, object>
    {
        { $"extension_{clientIdFormatted}_{policyName}", tenantId }
    }
});

Is there something I'm missing?

Upvotes: 0

Views: 750
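The six steps listed in the question, written out end to end in the same Graph SDK v4 `Request()` style. This is an added example, not code from the question. It assumes `_graphClient` is an already authenticated `GraphServiceClient` holding `Application.ReadWrite.All` and `Policy.ReadWrite.ApplicationConfiguration`, that the application is both the client and the audience of the client-credentials token, and that `claimName`, `claimValue` and the display names are illustrative. It also includes the three steps the question describes but does not show (creating the application, creating the service principal, and assigning the policy to the service principal), reuses the extension name Graph returns instead of rebuilding it by hand, and sets `acceptMappedClaims`, which Azure AD requires on a single-tenant app using the tenant signing key before a claims mapping policy takes effect.

```csharp
using System.Collections.Generic;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.Graph;

// Added example (Graph SDK v4). _graphClient, claimName, claimValue and the display
// names are assumptions; nothing here is taken from the original post's code.
public class CustomClaimSetup
{
    private readonly GraphServiceClient _graphClient;

    public CustomClaimSetup(GraphServiceClient graphClient) => _graphClient = graphClient;

    public async Task<ClaimsMappingPolicy> ConfigureAsync(string claimName, string claimValue)
    {
        // 1. Application. acceptMappedClaims must be true for a single-tenant app that
        //    uses the tenant signing key; otherwise token issuance fails once a policy
        //    is assigned to its service principal.
        var app = await _graphClient.Applications.Request().AddAsync(new Application
        {
            DisplayName = "custom-claims-demo",
            SignInAudience = "AzureADMyOrg",
            Api = new ApiApplication { AcceptMappedClaims = true }
        });

        // 2. Service principal; client-credentials tokens are issued against it.
        var sp = await _graphClient.ServicePrincipals.Request()
            .AddAsync(new ServicePrincipal { AppId = app.AppId });

        // 3. Directory extension on the application object. Graph returns the full
        //    name "extension_<AppId without dashes>_<claimName>" in extension.Name.
        var extension = await _graphClient.Applications[app.Id].ExtensionProperties.Request()
            .AddAsync(new ExtensionProperty
            {
                Name = claimName,
                DataType = "String",
                TargetObjects = new List<string> { "Application" }
            });

        // 4. Claims mapping policy whose schema reads the extension from the application
        //    object. Serialising an object avoids hand-escaped JSON.
        string definition = JsonSerializer.Serialize(new
        {
            ClaimsMappingPolicy = new
            {
                Version = 1,
                IncludeBasicClaimSet = "true",
                ClaimsSchema = new[]
                {
                    new { Source = "application", ExtensionID = extension.Name, JwtClaimType = claimName }
                }
            }
        });

        var policy = await _graphClient.Policies.ClaimsMappingPolicies.Request()
            .AddAsync(new ClaimsMappingPolicy
            {
                DisplayName = $"emit-{claimName}",
                Definition = new List<string> { definition }
            });

        // 5. Store the claim value on the application object (string, matching DataType).
        await _graphClient.Applications[app.Id].Request().UpdateAsync(new Application
        {
            AdditionalData = new Dictionary<string, object> { { extension.Name, claimValue } }
        });

        // 6. Assign the policy to the service principal of the application whose tokens
        //    are being customised, i.e. the token's audience (here the same app).
        await _graphClient.ServicePrincipals[sp.Id].ClaimsMappingPolicies.References.Request()
            .AddAsync(policy);

        return policy;
    }
}
```

The policy is attached to the service principal of the resource (audience) application, not to whichever app acts as the client; if the client and the API are registered separately, step 6 must target the API's service principal and step 5 must set the value on the object the `Source` in the schema points at.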

Answers (1)

Rukmini

Reputation: 16084

Please note that, when using the Client Credentials auth flow, adding any additional custom claims is not supported for now.

If you need a custom claim in the token, you have to use either the Authorization code flow, the ROPC flow or the Implicit flow to generate the token, by referring to the SO thread which was solved by me.

I tried to reproduce the same in my environment and added the custom claim.

After generating the token using the Client Credentials auth flow, I decoded the token via jwt.ms, and the custom claim which I created was not included in the response, as shown below:

[screenshot: decoded token on jwt.ms, image not available]

To confirm the above, please refer to the links below:

Add custom claims to azure b2c client credentials flow by Jas Suri - MSFT

Add custom claims to azure b2c client credentials flow by ShwetaMathur

Upvotes: 1
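The check the answer performs by pasting the token into jwt.ms, done locally so the access token never leaves the machine. This is an added example, not part of the answer. It assumes the `Microsoft.Identity.Client` (MSAL.NET) and `System.IdentityModel.Tokens.Jwt` packages, that the app has an Application ID URI of the form `api://<clientId>` so the token's audience is the service principal carrying the claims mapping policy, and that `tenantId`, `clientId`, `clientSecret` and `claimName` are placeholders.

```csharp
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example. Package references and all parameters are assumptions;
// nothing here is taken from the answer.
public static class TokenClaimCheck
{
    // Acquires a client-credentials token and returns the value of claimName
    // from its payload, or null if the claim is absent.
    public static async Task<string> GetClaimAsync(
        string tenantId, string clientId, string clientSecret, string claimName)
    {
        var app = ConfidentialClientApplicationBuilder.Create(clientId)
            .WithClientSecret(clientSecret)
            .WithAuthority(AzureCloudInstance.AzurePublic, tenantId)
            .Build();

        // Request a token for the app's own API (assumed Application ID URI
        // api://<clientId>) so the audience is the service principal the
        // claims mapping policy was assigned to.
        AuthenticationResult result = await app
            .AcquireTokenForClient(new[] { $"api://{clientId}/.default" })
            .ExecuteAsync();

        // ReadJwtToken only parses; it does not validate the signature, so this is
        // fine for inspection but must never be used as an authorization decision.
        JwtSecurityToken token = new JwtSecurityTokenHandler().ReadJwtToken(result.AccessToken);
        return token.Claims.FirstOrDefault(c => c.Type == claimName)?.Value;
    }
}
```

A null return reproduces the answer's observation (no custom claim in the client-credentials token); a non-null return means the policy, extension value and audience all line up. Inspecting tokens locally also avoids submitting a live bearer token to a third-party web page.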
