Reputation: 199
Add custom claim onPremisesSamAccountName into access_token on Azure AD app registration Authentication
I have an Azure App registration using OAuth2 for authentication. My requirement is for the user value "onPremisesSamAccountName" to be passed on the access_token when the authentication flow happens. I'm currently testing this flow using google Oauth playground by setting the athorize and token endpoints I get from my App registration on Azure, as well as the OAuth client ID and secret.
So far I have tried to follow these Microsoft questions:
Which explain that you have to create an Azure AD policy of type "ClaimsMappingPolicy" and link this policy to the service principal (my enterprise app registration's object Id) using Powershell. I have followed this but my custom claim appears on the id_token returned from the authentication flow rather than on the access_token.
My question, is there a way to expose a custom claim on the access_token and NOT on the id_token for an app registration using Oauth2 authentication? Is there maybe a configuration missing on my app registration that causes my custom claim to be set to the id_token?
I am NOT trying to set a user role to the access_token but rather exposing a custom claim that my Azure AD has for every user on the access_token during authentication.
To obtain the token, I'm using Google's OAuth 2.0 Playground. I set my OAuth endpoints and secrets:
And then on the "Select & authorize APIs" i set it to openid:
Upvotes: 0
Views: 1154
Answers (1)
Reputation: 15444
I created a policy and assigned the policy to the Service Principal like below:
New-AzureADPolicy -Definition @('
{
"ClaimsMappingPolicy":
{
"Version":1,"IncludeBasicClaimSet":"true",
"ClaimsSchema": [{"Source":"user","ID":"extensionattribute1","SamlClaimType":"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/employeeid","JwtClaimType":"employeeid"}]
}
}') -DisplayName "employeeid" -Type "ClaimsMappingPolicy"
Add-AzureADServicePrincipalPolicy -RefObjectId 'PolicyID' -Id 'ServicePrincipalObjID'
I assigned the policy to the user:
PATCH https://graph.microsoft.com/v1.0/me
{
"onPremisesExtensionAttributes": {
"extensionAttribute1": "3394"
}
}
Note that: To display the custom claim in the access token you have to generate access token for your application not any other application (like Microsoft Graph, SharePoint etc). Refer this.
I exposed an API in the Azure AD Application and added scope:
I added API permissions:
Generated tokens via Postman using below parameters:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
client_id:ClientID
grant_type:authorization_code
scope:api://xxx/.default
code:code
redirect_uri:https://jwt.ms
client_secret:ClientSecret
When I decoded the access token, the custom claim displayed successfully:
Make sure to update "acceptMappedClaims" as true in the Manifest of the Azure AD Application.
I tried to generate the tokens for Microsoft Graph scope:
scope:https://graph.microsoft.com/.default
When I decoded the access token, custom claims dint display:
But in ID Token the custom claims displayed:
Upvotes: 1
Related Questions
- JWT refresh token flow
- What are the main differences between JWT and OAuth authentication?
- What is the purpose of the implicit grant authorization type in OAuth 2?
- Can't get email claim in access_token in Azure AD
- Add Custom value in UPN claim in Access Token generated using Azure AD Client Credential Flow
- How to enable CORS in an Azure App Registration when used in an OAuth Authorization Flow with PKCE?
- How to add roles claim in access_token , currently it is coming in id_token?
- Can't get access token from HttpContext for AAD with OpenIDConnect
- Azure AD OIDC ID Token for Service Principal
- Azure mobile app authentication custom