Is there a way to add custom claims to a JWT (access token) other than adding the optional claims?

Our situation is that we receive requests from external clients with access tokens signed by a trusted party. We need to validate the token and then add some additional claims before routing the request to the protected API. The values of the additional claims need to be fetched from an external API, so there is no way to use the provided "optional claims" in the Token configuration settings.

Does anyone know if this is possible with Azure AD? We have been able to do this using IdentityServer which of course is very flexible. But it would be great to simplify our architecture/design by only having Azure AD as our IDP/STS.

soreng

1 Answer

You can customize claims emitted in tokens for a specific app in a tenant. (This uses PowerShell cmdlets.)

Here is another way using Microsoft Graph:

  1. Create an extensionProperty.

  2. Update the extension property for a user.

  3. Create a claimsMappingPolicy.

  4. Assign the claimsMappingPolicy to a servicePrincipal. The servicePrincipal here is the enterprise application which represents your AAD protected API.

  5. In the manifest of the API app registration, set acceptMappedClaims to true and accessTokenAcceptedVersion to 2.

After that you can get the custom claim in the JWT token.

For details, see my previous answer.

Allen Wu
    Thanks. I am not seeing how I can dynamically set the value of the custom claims by calling an external REST API from these steps? The specific requirement is validating a bearer token and then "re-issuing" the access token with additional claims using a custom signing key. (Will be using https://datatracker.ietf.org/doc/html/rfc7523, that is, the Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants.) – soreng Jun 23 '21 at 05:25
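The five Graph steps in the answer above, driven end to end from a script, as an added example that is not code from the answer, from the asker, or from Microsoft. The calls go through a pluggable `send(method, url, body)` transport so the exact request bodies (the `extension_<appId>_<name>` naming, the JSON-string-in-array `definition` of the claimsMappingPolicy, the `$ref` assignment, and the `api.acceptMappedClaims` / `api.requestedAccessTokenVersion` fields that back the manifest's `acceptMappedClaims` / `accessTokenAcceptedVersion`) can be inspected offline against a fake before any real tenant is touched. All object IDs, the claim name `department` and the user value are constructed placeholders.

```python
"""Provision a directory-extension-backed custom claim on an Azure AD API app
via Microsoft Graph v1.0, following the five steps in the answer above.
Placeholder IDs below are constructed, not real tenant objects."""
import json
from typing import Any, Callable, Dict, List, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed placeholders (assumed values, replace with your tenant's objects).
API_APP_OBJECT_ID = "11111111-1111-1111-1111-111111111111"  # application object id
API_APP_CLIENT_ID = "22222222-2222-2222-2222-222222222222"  # appId of that application
API_SP_OBJECT_ID = "33333333-3333-3333-3333-333333333333"   # servicePrincipal object id
USER_OBJECT_ID = "44444444-4444-4444-4444-444444444444"

# send(method, url, body) -> parsed JSON response ({} for 204 No Content)
Transport = Callable[[str, str, Any], Dict[str, Any]]


def extension_property_name(app_client_id: str, name: str) -> str:
    """Graph names directory extensions extension_<appId without hyphens>_<name>."""
    return f"extension_{app_client_id.replace('-', '')}_{name}"


def claims_mapping_definition(ext_name: str, jwt_claim: str) -> str:
    """The policy 'definition' array holds the policy as a JSON *string*.
    Source 'user' + ExtensionID maps a directory extension onto a JWT claim."""
    policy = {"ClaimsMappingPolicy": {
        "Version": 1,
        "IncludeBasicClaimSet": "true",
        "ClaimsSchema": [{"Source": "user", "ExtensionID": ext_name,
                          "JwtClaimType": jwt_claim}],
    }}
    return json.dumps(policy, separators=(",", ":"))


def provision_custom_claim(send: Transport, claim_name: str,
                           user_value: str) -> List[Tuple[str, str]]:
    """Run steps 1-5 and return the (method, path) trail for inspection."""
    trail: List[Tuple[str, str]] = []

    def call(method: str, path: str, body: Any) -> Dict[str, Any]:
        trail.append((method, path))
        return send(method, f"{GRAPH}{path}", body)

    # 1. Create the extensionProperty on the API's app registration.
    ext = call("POST", f"/applications/{API_APP_OBJECT_ID}/extensionProperties",
               {"name": claim_name, "dataType": "String", "targetObjects": ["User"]})
    ext_name = ext["name"]                       # Graph returns the full extension_... name
    # 2. Set the extension value on the user.
    call("PATCH", f"/users/{USER_OBJECT_ID}", {ext_name: user_value})
    # 3. Create the claimsMappingPolicy.
    pol = call("POST", "/policies/claimsMappingPolicies", {
        "definition": [claims_mapping_definition(ext_name, claim_name)],
        "displayName": f"map-{claim_name}",
        "isOrganizationDefault": False,
    })
    # 4. Assign the policy to the API's service principal (enterprise application).
    call("POST", f"/servicePrincipals/{API_SP_OBJECT_ID}/claimsMappingPolicies/$ref",
         {"@odata.id": f"{GRAPH}/policies/claimsMappingPolicies/{pol['id']}"})
    # 5. Manifest settings: acceptMappedClaims=true, accessTokenAcceptedVersion=2.
    call("PATCH", f"/applications/{API_APP_OBJECT_ID}",
         {"api": {"acceptMappedClaims": True, "requestedAccessTokenVersion": 2}})
    return trail


def graph_transport(token: str) -> Transport:
    """Real transport (stdlib only). The token needs Application.ReadWrite.All
    and Policy.ReadWrite.ApplicationConfiguration plus rights to update the user."""
    import urllib.request

    def send(method: str, url: str, body: Any) -> Dict[str, Any]:
        req = urllib.request.Request(
            url, method=method, data=json.dumps(body).encode(),
            headers={"Authorization": f"Bearer {token}",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}   # PATCH and $ref return 204, no body
    return send


class FakeGraph:
    """Offline stand-in: records every request and fabricates the ids Graph would return."""
    def __init__(self) -> None:
        self.requests: List[Tuple[str, str, Any]] = []

    def __call__(self, method: str, url: str, body: Any) -> Dict[str, Any]:
        self.requests.append((method, url, body))
        if method == "POST" and url.endswith("/extensionProperties"):
            return {"id": "ext-id",
                    "name": extension_property_name(API_APP_CLIENT_ID, body["name"])}
        if method == "POST" and url.endswith("/claimsMappingPolicies"):
            return {"id": "policy-id"}
        return {}


if __name__ == "__main__":
    fake = FakeGraph()
    for method, path in provision_custom_claim(fake, "department", "Security"):
        print(method, path)
```

Dry-run it with `FakeGraph()`, then swap in `graph_transport(token)` for a real tenant. Two caveats worth keeping in mind: the value written in step 2 is static directory data, so this does not by itself satisfy the asker's need to compute claim values per request from an external API; and Azure AD only honours `acceptMappedClaims` without a tenant-specific custom signing key for single-tenant apps, so a multi-tenant API must configure its own signing key on the service principal instead.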