
I am able to use claims mapping to add extension properties into an id_token. Is there a way to do that in an access token? (Or is my only option to call Graph for that?)

dish

1 Answer


Assigning the claimsMappingPolicy to the servicePrincipal which represents the client app will add the custom claim into the id token. In order to add the custom claim into the access token, you need to assign the claimsMappingPolicy to the servicePrincipal which represents the backend API, just as you have done for the client app.

See detailed steps from this answer.

Please note that it only applies to the scenario where you are calling your own API which is protected by AAD. If you are calling Microsoft Graph, you cannot make it work because it's impossible to configure a claimsMappingPolicy on the Microsoft Graph side.

Allen Wu
  • My ignorance in Azure is going to show through so please bear with me Allen. My organization has a bunch of extension properties for a given user. For example, when I do
    `Get-AzureADUser -ObjectId | select -ExpandProperty ExtensionProperty` I get extension_id1_businessdataattribute-1 extension_id1_businessdataattribute-2
    My client application id is different from the extension_id1, but when I do a claims mapping on my client application service principal I do see the claims mapping show up on the id token. I have my own API which has its own appid (let's say id3).
    – dish Dec 17 '20 at 22:25
  • When I create a claimsMapping for my api (id3) and the claims mapping refers to id1 ( {source =user, id="extension_id1_businessdata_1", jwtClaimtype="someclaim"} ) it doesn't show up on the access token. The fact that it showed up on the id token of a client app makes me think that this should work. Am I wrong? (sorry had to add two comments) – dish Dec 17 '20 at 22:26
  • @dish Based on your description, I think the steps you are taking are correct. But maybe there is still something else you missed. Do you fully follow the steps in this [answer](https://stackoverflow.com/questions/63483491/how-to-add-a-custom-claim-and-retrieve-the-same-as-part-of-access-token-when-th?answertab=votes#tab-top)? After you create the claimsMappingPolicy, you need to assign it to your api (id3). Are you sure you are using the correct object id of api (id3)? I have some screenshots about how to find it in that answer. – Allen Wu Dec 18 '20 at 02:58
  • @dish And don't forget to configure the manifest file of the app registration of your api(id3). If it still doesn't work, please share the full request (including request body) about how you get the access token. – Allen Wu Dec 18 '20 at 03:00
  • I have a PowerShell setup to create a claims mapping policy, then I get a service principal using `$appID = "clientId of the API" $policyName = "NameOfThePolicy" #service principal of the API $sp = Get-AzureADServicePrincipal -Filter "servicePrincipalNames/any(n: n eq '$appID')" ` Then issue this `$policy = New-AzureADPolicy -Type "ClaimsMappingPolicy" -DisplayName $policyName -Definition ($claimsMappingPolicy) Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id` – dish Dec 18 '20 at 18:19
  • Went to the manifest and changed acceptClaimsMapping to true and version to 2 – dish Dec 18 '20 at 18:20
  • Authorize endpoint I pass a scope of openid profile api:// – dish Dec 18 '20 at 18:25
  • //login.microsoftonline.com/{tenantid}/oauth2/v2.0/token/token `grant_type: "authorization_code" code: "aaaaa" redirect_uri: "myredirecturi" code_verifier: "XXXXXX" client_id: "client-id-value " ` I get a response back `{token_type":"Bearer","scope":"api://myapi/scope","expires_in":3599,"ext_expires_in":3599,"access_token: value, refresh=value, id_token=value" – dish Dec 18 '20 at 18:28
  • My id_token doesn't have the mapped claim, I am assuming because I didn't assign the claims mapping policy to the web client app? – dish Dec 18 '20 at 18:29
  • Do I have to add anything to the optionalClaims attribute in manifest? – dish Dec 18 '20 at 19:14
  • @dish Looks like your steps are correct. But I remember there was something wrong with the AAD PowerShell cmd before. Do you mind trying it with Microsoft Graph? – Allen Wu Dec 21 '20 at 02:42
  • @dish "My id_token doesn't have the mapped claim, I am assuming because I didn't assign the claims mapping policy to the web client app?" -- **YES**. – Allen Wu Dec 21 '20 at 02:43
  • @dish `//login.microsoftonline.com/{tenantid}/oauth2/v2.0/token/token grant_type: "authorization_code" code: "aaaaa" redirect_uri: "myredirecturi" code_verifier: "XXXXXX" client_id: "client-id-value ", scope: "openid profile api:// – Allen Wu Dec 21 '20 at 02:46
  • @dish If so, I can't tell what is wrong with your steps. I suggest that you have a try with Microsoft Graph. You can sign into [Microsoft Graph Explorer](https://developer.microsoft.com/en-us/graph/graph-explorer) for quick test. – Allen Wu Dec 22 '20 at 03:47
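The procedure the answer and comments describe (policy on the API's service principal, then the API's manifest opting in to mapped claims), done through Microsoft Graph as the last comment suggests. This is an added example, not code from the answer or the asker; `$apiAppId`, `$extensionAppId` and `$attrName` are placeholders, and the use of `ExtensionID` for a directory extension attribute follows the claimsMappingPolicy schema rather than anything stated on this page.

```powershell
# Added example: map a directory extension attribute into access tokens for your own API.
# Assumes the Microsoft.Graph module and an admin account; all ids below are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ApplicationConfiguration", "Application.ReadWrite.All"

$apiAppId       = "<application (client) id of your API>"   # placeholder: the API, not the client
$extensionAppId = "<app id that owns the extension, no dashes>"
$attrName       = "businessdataattribute1"                   # placeholder attribute name
$extensionId    = "extension_${extensionAppId}_$attrName"    # directory extension naming pattern

# 1. Policy definition as a JSON string. Directory extension attributes are referenced by
#    ExtensionID; plain ID is for built-in attributes such as extensionattribute1.
$definition = @{
    ClaimsMappingPolicy = @{
        Version              = 1
        IncludeBasicClaimSet = "true"
        ClaimsSchema         = @(
            @{ Source = "user"; ExtensionID = $extensionId; JwtClaimType = "businessdata" }
        )
    }
} | ConvertTo-Json -Depth 5 -Compress

$policy = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies" `
    -Body @{ definition = @($definition); displayName = "ApiExtensionClaims"; isOrganizationDefault = $false }

# 2. Assign the policy to the service principal of the API. The service principal that
#    represents the resource decides what lands in access tokens issued for it.
$sp   = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/servicePrincipals?`$filter=appId eq '$apiAppId'"
$spId = $sp.value[0].id
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/servicePrincipals/$spId/claimsMappingPolicies/`$ref" `
    -Body @{ "@odata.id" = "https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/$($policy.id)" }

# 3. The API's app registration must accept mapped claims and issue v2 access tokens
#    (the manifest's acceptMappedClaims and accessTokenAcceptedVersion settings).
$app = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/applications?`$filter=appId eq '$apiAppId'"
Invoke-MgGraphRequest -Method PATCH `
    -Uri "https://graph.microsoft.com/v1.0/applications/$($app.value[0].id)" `
    -Body @{ api = @{ acceptMappedClaims = $true; requestedAccessTokenVersion = 2 } }

# 4. Check: decode the payload of an access token requested with scope api://<api>/<scope>
#    and confirm the mapped claim is present (base64url, so restore padding and alphabet).
function Get-JwtPayload([string]$Jwt) {
    $b64 = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    $b64 += '=' * ((4 - $b64.Length % 4) % 4)
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}
# (Get-JwtPayload $accessToken).businessdata   # expected to carry the user's attribute value
```

Only the access token is affected by the assignment to the API's service principal; the id_token for the client still depends on the policy assigned to the client's own service principal, as confirmed in the comments.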