
The current JWT from Azure AD has the following structure:

AzureAD JWT:

{
  "aud": "a5aa555a-aa55-5aaa-5a55-555a5aa55a5a",
  "iss": "https://sts.windows.net/a5aa555a-aa55-5aaa-5a55-555a5aa55a5a/",
  "iat": 1547084136,
  "nbf": 1547084136,
  "exp": 1547089036,
  "acr": "1",
  "aio": "aaaaaaaaaaaaa==",
  "appid": "a5aa555a-aa55-5aaa-5a55-555a5aa55a5a",
  "appidacr": "1",
  "email": "bob@bob.com",
  "idp": "https://sts.windows.net/a5aa555a-aa55-5aaa-5a55-555a5aa55a5a/",
  "ipaddr": "192.168.1.1",
  "name": "Bob Bob",
  "oid": "a5aa555a-aa55-5aaa-5a55-555a5aa55a5a",
  "roles": [],
  "scp": "Directory.AccessAsUser.All User.Read",
  "sub": "a5aa555a-aa55-5aaa-5a55-555a5aa55a5a",
  "tid": "a5aa555a-aa55-5aaa-5a55-555a5aa55a5a",
  "unique_name": "bob@bob.com",
  "uti": "kjkugiugi",
  "ver": "1.0"
}

I want to add in an extra few claims such as departmentId, someOtherCustomInfo. I want to do this in my token request, not have this preset. How would I do that?

Currently, I use ADAL4J to get the token:

// Imports the snippet needs (ADAL4J 1.x); ClientCredential is the type of 'credentials'
import java.net.URI;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import com.microsoft.aad.adal4j.AuthenticationContext;
import com.microsoft.aad.adal4j.AuthenticationResult;
import com.microsoft.aad.adal4j.ClientCredential;

// Represents the authority we are asking to provide tokens
// (e.g. https://login.microsoftonline.com/<tenant>); 'true' enables authority validation
AuthenticationContext context = new AuthenticationContext(
    authority,
    true,
    Executors.newFixedThreadPool( numInPool )
);

// Redeem the authorization code: 'credentials' is the app's ClientCredential
// (client id + secret), 'resource' identifies the API the token is for, and the
// null callback means we block on the Future instead of being called back
Future<AuthenticationResult> future = context
    .acquireTokenByAuthorizationCode(
        authCode,
        new URI( redirectUri ),
        credentials,
        resource,
        null
    );

AuthenticationResult authResult = future.get();

//The token returned by Azure AD
String token = authResult.getAccessToken();

Don Rhummy
  • I know this is old, but did you ever find an answer to this? I'm trying to do the exact same thing. I'm wondering if you can simply generate a new token on the server if you have the client secret. Looking at ApiManagementGateway, it simply uses the client secret to test if the signature is valid for the claims given. If you sign a brand new token with the same client secret and whatever custom properties you add, would it be valid? – Tim Hardy Feb 08 '20 at 06:58
  • @TimHardy There's no way to do it. You have to create your own token if you want to add custom claims. – Don Rhummy Feb 10 '20 at 17:54

1 Answer


The JWT token emitted by Azure AD (irrespective of whether it is an access token or an ID token) does not contain much useful information except the email address and some other fields.

So we need more claims as part of the JWT token, apart from the default claims that are present in JWT tokens.

We can use the Custom Claim mapping feature for this. For further information, please go through the link below:

How to: Customize claims emitted in tokens for a specific app in a tenant

Mohit Verma