
I am implementing a client credentials grant in ADFS3.0. This works based on the scenarios and developer examples.

I want to add an issuance transform rule that uses the client_id to lookup extra claims in a custom sql attribute store.

c:[Type == "???"]
 => issue(store = "Custom Attribute Store", types = ("XYZ"), query = "SELECT claimValue from dbo.ClientClaims WHERE clientId= {0}", param = c.Value);

What is the correct value for Type to find the client_id?

stombeur

2 Answers


You can retrieve the appid using the following:

appid:[Type == "http://schemas.microsoft.com/2014/01/clientcontext/claims/appid"]

This will grant you access to the appid (the 36-character identifier for your client) to use in your custom rule.

expenguin
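Putting the two pieces together, here is an added example (not code from the question or either answer) that registers the SQL attribute store and installs the full issuance transform rule using the appid claim type from this answer. It assumes the SQL connection string, a relying party trust named "api", the issued claim type "http://company.com/clientclaim", and a table dbo.ClientClaims(clientId, claimValue); all of these are placeholders.

```powershell
# Added example; names, connection string and relying party are assumptions.
Import-Module ADFS

# 1. Register the SQL attribute store the rule refers to by name.
#    "Connection" is the configuration key the SQL store type reads its
#    connection string from.
$storeName = "Custom Attribute Store"
if (-not (Get-AdfsAttributeStore -Name $storeName -ErrorAction SilentlyContinue)) {
    Add-AdfsAttributeStore -Name $storeName -StoreType "SQL" -Configuration @{
        "Connection" = "Server=sqlhost;Database=AdfsClaims;Integrated Security=True"
    }
}

# 2. The issuance transform rule. The condition matches the appid claim that
#    the client credentials grant places in the client context. The matched
#    value is handed to the store through param and referenced as {0} in the
#    query, so the client id is never concatenated into the query text.
$rule = @'
@RuleName = "Client claims from SQL"
c:[Type == "http://schemas.microsoft.com/2014/01/clientcontext/claims/appid"]
 => issue(store = "Custom Attribute Store",
          types = ("http://company.com/clientclaim"),
          query = "SELECT claimValue FROM dbo.ClientClaims WHERE clientId = {0}",
          param = c.Value);
'@

# 3. Append the rule to the relying party's existing rule set instead of
#    replacing it, so rules already issued for the trust are preserved.
$rp = Get-AdfsRelyingPartyTrust -Name "api"
$rules = $rp.IssuanceTransformRules + "`n" + $rule
Set-AdfsRelyingPartyTrust -TargetName "api" -IssuanceTransformRules $rules
```

Each row returned by the query becomes one claim of the listed type, so a client with several rows in dbo.ClientClaims receives several claims, which is how per-client permissions such as scopes can be modelled.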

Claims work off AD and clientID is not an AD attribute.

The only way I can think of is to use a static claim where the clientID is hard-coded with a Type like "http://company.com/clientID" and then use that in the above rule.

rbrayb
  • Thanks. So the feature in IdentityServer where you add client claims is not something you are able to do in ADFS? – stombeur Jun 13 '18 at 12:54
  • When I look in the generated bearer token, the clientId is there, but renamed as "appid". But I suppose that is after the transformation? – stombeur Jun 13 '18 at 13:03
  • There is a difference between the standard attributes in the JWT and augmenting this via claims. If appid is what you want, can you use that? – rbrayb Jun 13 '18 at 18:36
  • It's OK for now, but it would have been nice to add specific claims to specify what the client is allowed to do, like scopes. appid is not available in the transform rules, so I can't use that to look up extra claims. But it'll have to do for now. Thanks! – stombeur Jun 14 '18 at 07:45