0

We can successfully acquire a token using the following code:

// Load the client certificate; the poster's Certificate.Load helper is replaced here by the
// framework constructor, which does the same thing.
var certificate = new X509Certificate2("Client.pfx", "notasecret");
// authority (https://login.windows.net/{tenant}), clientId and resource are set elsewhere.
var authenticationContext = new AuthenticationContext(authority);
var clientAssertionCertificate = new ClientAssertionCertificate(clientId, certificate);
// ADAL builds and signs the client-assertion JWT from the certificate itself.
return await authenticationContext.AcquireTokenAsync(resource, clientAssertionCertificate);

The token doesn't seem to contain any information that we can use to identify the client. In our use case we have lots of daemon service clients that communicate with an API. We need to have some unique identifier available on the server.

I also tried creating our own JWT token and added some public claims, such as name. However, after requesting a token with the client assertion type using the following code fragment:

// Form body of the client_credentials request; the OAuth2 parameter is "client_id"
// (the original fragment sent "clientid", which the token endpoint ignores).
var content = new FormUrlEncodedContent(new Dictionary<string, string>
{
    { "client_id", clientId },
    { "resource", resource },
    { "client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" },
    { "grant_type", "client_credentials" },
    { "client_assertion", jwt }   // the self-built, certificate-signed JWT
});
var httpClient = new HttpClient
{
    BaseAddress = new Uri("https://login.windows.net/{guid}/")
};
var response = await httpClient.PostAsync("oauth2/token", content);

The returned token had none of my custom information.

Question: Is there a way to pass custom claims using the ClientAssertionCertificate flow, so that the token returned has additional information?

Haroon
  • 1,052
  • 13
  • 28

1 Answer

1

There is currently no way of adding custom claims in tokens issued for applications. The token you receive should contain the claims appid (which identifies the client_id of the application that requested the token) and tid (which indicates which Azure AD tenant the app is operating on). Those two should be enough for you to identify the calling application. Now, if rather than the application you want to identify the process (as in, instance of application X running on server A and instance of application X running on server B) then I don't believe we have anything in Azure AD today that would help you to tell the two apart - for Azure AD if they have the same client_id and secret, they are the same application.

vibronet
  • 7,364
  • 2
  • 19
  • 21
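The server-side check the answer implies, written out as an added example that is not part of the original question or answer: validate the incoming token first, then read the appid and tid claims to identify the calling application. The issuer, audience, GUIDs and the symmetric test key are constructed stand-ins so the sample runs offline; a real API validates against the tenant's published (asymmetric) signing keys from its OpenID Connect metadata, never a shared secret. The sample also shows the two limits the answer describes: two instances with the same client_id are indistinguishable, and a custom claim the client adds to its own assertion never influences what the API sees.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;   // System.IdentityModel.Tokens.Jwt package
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;    // Microsoft.IdentityModel.Tokens package

public static class CallerIdentification
{
    // What the API knows about a caller once its token has been validated.
    public sealed class CallerIdentity
    {
        public string AppId { get; set; }
        public string TenantId { get; set; }
        public override string ToString() => $"app {AppId} in tenant {TenantId}";
    }

    // Assumed values for this stand-alone example. In production the issuer is the tenant's
    // STS URL, the audience is the API's App ID URI, and the signing keys are fetched from the
    // tenant's OpenID Connect metadata rather than being a shared symmetric key.
    const string Issuer = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/";
    const string Audience = "https://example-api.invalid";
    static readonly byte[] TestKeyBytes =
        Encoding.UTF8.GetBytes("constructed-test-key-at-least-32-bytes-long!!");

    // Validates the token and extracts the two claims the answer points at.
    // Returns null when the token is invalid or lacks either claim.
    public static CallerIdentity IdentifyCaller(string jwt)
    {
        var parameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = Issuer,
            ValidateAudience = true,
            ValidAudience = Audience,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = new SymmetricSecurityKey(TestKeyBytes),
        };

        var handler = new JwtSecurityTokenHandler();
        handler.InboundClaimTypeMap.Clear(); // keep the raw JWT claim names ("appid", "tid")

        ClaimsPrincipal principal;
        try
        {
            principal = handler.ValidateToken(jwt, parameters, out _);
        }
        catch (SecurityTokenException)
        {
            return null; // bad signature, wrong issuer or audience, expired, ...
        }

        var appId = principal.FindFirst("appid")?.Value;
        var tid = principal.FindFirst("tid")?.Value;
        if (string.IsNullOrEmpty(appId) || string.IsNullOrEmpty(tid))
            return null; // not an application token we can attribute

        return new CallerIdentity { AppId = appId, TenantId = tid };
    }

    // Mints a token shaped like the one the STS would issue for a client-credentials call,
    // signed with the test key above. Present only so the sample can run offline.
    public static string MintConstructedToken(string appId, string tenantId,
        IEnumerable<Claim> extra = null, string audience = Audience)
    {
        var claims = new List<Claim> { new Claim("appid", appId), new Claim("tid", tenantId) };
        if (extra != null) claims.AddRange(extra);

        var credentials = new SigningCredentials(new SymmetricSecurityKey(TestKeyBytes),
            SecurityAlgorithms.HmacSha256);
        var token = new JwtSecurityToken(Issuer, audience, claims,
            notBefore: DateTime.UtcNow, expires: DateTime.UtcNow.AddMinutes(10),
            signingCredentials: credentials);
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    public static void Main()
    {
        const string appId = "11111111-1111-1111-1111-111111111111";    // constructed client_id
        const string tenantId = "00000000-0000-0000-0000-000000000000"; // constructed tenant

        // Two daemon instances sharing one client_id yield identities the API cannot tell apart.
        Console.WriteLine(IdentifyCaller(MintConstructedToken(appId, tenantId)));
        Console.WriteLine(IdentifyCaller(MintConstructedToken(appId, tenantId)));

        // A custom "name" claim changes nothing: identification still rests on appid and tid.
        var custom = new[] { new Claim("name", "server-A") };
        Console.WriteLine(IdentifyCaller(MintConstructedToken(appId, tenantId, custom)));

        // A token issued for a different API (wrong audience) is rejected before any claim is read.
        var foreign = MintConstructedToken(appId, tenantId, audience: "https://other-api.invalid");
        Console.WriteLine(IdentifyCaller(foreign) == null ? "rejected" : "accepted");
    }
}
```

Clearing the inbound claim-type map matters: the handler otherwise renames some short JWT claim names to their long .NET equivalents, and a lookup by "appid" or "tid" can then silently miss. If you later move to v2.0 endpoint tokens, the calling application's id arrives in the azp claim rather than appid, so key the lookup on whichever claim the token version you validate actually carries. Anything that should distinguish server A from server B has to be carried and verified outside the token, exactly as the answer states.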