EionRobb

Reputation: 583

What is the correct syntax to use for a custom claim in an Entra Verified ID rule definition?

I've set up an Entra External ID system, and created a Custom Security Attribute in order to simulate adding custom data to the users who log in to my app. (Just a demo at the moment, but hoping to store membership number and membership level in there). I'm trying to use that custom attribute/claim info to be able to issue Verified Credentials that contain their membership number, however it always fails with the same error "Missing provided claims in issuance" - it works fine when using a non-custom field (such as given_name, as per all the examples).

I've tried with Foo.Bar, user.Bar, extension_..._Bar but having no luck.

What is the syntax needed in the Verified Credential rule?

Current failing rule:

{
  "attestations": {
    "idTokenHints": [
      {
        "mapping": [
          {
            "outputClaim": "foobar",
            "required": true,
            "inputClaim": "Foo.Bar",
            "indexed": false
          }
        ],
        "required": false
      }
    ]
  },
  "validityInterval": 2592000,
  "vc": {
    "type": [
      "Foobar"
    ]
  }
}

Error from Issue api using the demo 1-asp-net-core-api-idtokenhint C# project:

issuance error: "Something went wrong calling the API: 
{
  "requestId": "2b020237faffd90eaed9d034a296775e",
  "date": "Tue, 21 May 2024 22:43:44 GMT",
  "mscv": "cpMoovB/XjpznKMR.3",
  "error": {
    "code": "badRequest",
    "message": "The request is invalid.",
    "innererror": {
      "code": "badOrMissingField",
      "message": "Missing provided claims in issuance: [Foo.Bar]",
      "target": "claims"
    }
  }
}"

Custom Attribute setup: [screenshot: custom attribute setup screen for Foo.Bar]

User configuration: [screenshot: user configuration of the Foo.Bar custom claim]

Upvotes: 0

Views: 175

Answers (1)

Daniel Krzyczkowski

Reputation: 3157

This is the syntax for both files so you can successfully issue and verify credentials with custom claims.

Display definition:

{
  "locale": "en-US",
  "card": {
    "backgroundColor": "#ffffff",
    "description": "With verified patient card you can sign in faster and access your medical data.",
    "issuedBy": "Formula Healthcare",
    "textColor": "#055C9D",
    "title": "Verified Patient",
    "logo": {
      "description": "Formula Healthcare Logo",
      "uri": "https://strf5verifiediddev.blob.core.windows.net/vc-public/fh-logo.png"
    }
  },
  "consent": {
    "instructions": "Accept credential to confirm that you are verified patient.",
    "title": "Accept credential for Verified Patients"
  },
  "claims": [
    {
      "claim": "vc.credentialSubject.fullName",
      "label": "Full name",
      "type": "String"
    },
    {
      "claim": "vc.credentialSubject.nationalHealthcareId",
      "label": "National Healthcare ID",
      "type": "String"
    }
  ]
}

Rules definition:

{
  "attestations": {
    "idTokenHints": [
      {
        "mapping": [
          {
            "outputClaim": "fullName",
            "required": false,
            "inputClaim": "fullName",
            "indexed": false
          },
          {
            "outputClaim": "nationalHealthcareId",
            "required": false,
            "inputClaim": "nationalHealthcareId",
            "indexed": false
          }
        ],
        "required": true
      }
    ]
  },
  "validityInterval": 2592000,
  "vc": {
    "type": [
      "VerifiedPatient"
    ]
  }
}

As you can see above, you can create mappings for claims in the VC (and use different names than initially defined, using the input and output claim definitions). However, I recommend using the same names for both input and output claims. I hope this helps.

Upvotes: 2
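A pre-flight check for the mismatch behind the "Missing provided claims in issuance" error, as an added example that is not part of the question, the answer, or the Microsoft sample project. It assumes the idTokenHint issuance request carries a `claims` object whose keys are matched against the rules' `inputClaim` names; the function names and sample values are constructed for illustration.

```python
# Constructed sample data modelled on the answer's rules and display definitions
# (one mapping is marked required here to exercise the check).
RULES = {"attestations": {"idTokenHints": [{"required": True, "mapping": [
    {"outputClaim": "fullName", "required": False,
     "inputClaim": "fullName", "indexed": False},
    {"outputClaim": "nationalHealthcareId", "required": True,
     "inputClaim": "nationalHealthcareId", "indexed": False},
]}]}}

DISPLAY = {"claims": [
    {"claim": "vc.credentialSubject.fullName", "label": "Full name", "type": "String"},
    {"claim": "vc.credentialSubject.nationalHealthcareId",
     "label": "National Healthcare ID", "type": "String"},
]}

PREFIX = "vc.credentialSubject."


def mappings(rules):
    """Yield every idTokenHints mapping entry in a rules definition."""
    for hint in rules.get("attestations", {}).get("idTokenHints", []):
        yield from hint.get("mapping", [])


def check_issuance(rules, display, request_claims):
    """Return (missing_required, missing_optional, unmapped_display).

    missing_*: inputClaim names absent from the request's claims object.
    unmapped_display: display claims with no matching outputClaim in the rules.
    """
    supplied = set(request_claims or {})
    missing_required, missing_optional, outputs = [], [], set()
    for m in mappings(rules):
        outputs.add(m["outputClaim"])
        if m["inputClaim"] not in supplied:
            bucket = missing_required if m.get("required") else missing_optional
            bucket.append(m["inputClaim"])
    unmapped = [c["claim"] for c in display.get("claims", [])
                if not c["claim"].startswith(PREFIX)
                or c["claim"][len(PREFIX):] not in outputs]
    return missing_required, missing_optional, unmapped


if __name__ == "__main__":
    # Constructed request: the app sends the attribute under a key the rules do not map.
    print(check_issuance(RULES, DISPLAY, {"fullName": "Jan Kowalski", "Foo.Bar": "12345"}))
    # Constructed request whose keys match the rules' inputClaim names.
    print(check_issuance(RULES, DISPLAY,
                         {"fullName": "Jan Kowalski", "nationalHealthcareId": "12345"}))
```

Running the check against the claims object the application builds, before it calls the issuance API, shows which key name the rules expect and which display entries would render empty.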
