
I have a spring boot application and I am trying to request token from azure using the following code:

// Imports the snippet needs (msal4j 1.11.0, see the dependency list below)
import com.microsoft.aad.msal4j.ClaimsRequest;
import com.microsoft.aad.msal4j.ClientCredentialFactory;
import com.microsoft.aad.msal4j.ClientCredentialParameters;
import com.microsoft.aad.msal4j.ConfidentialClientApplication;
import com.microsoft.aad.msal4j.IAuthenticationResult;
import com.microsoft.aad.msal4j.RequestedClaimAdditionalInfo;

import java.net.MalformedURLException;
import java.util.Arrays;
import java.util.Collections;

// clientId, clientSecret, tenantId, the application field (a ConfidentialClientApplication),
// log, isEmpty(), JsonSerializer, Employee and CustomClaimRequest are members and helpers
// of the surrounding Spring component and are not shown here.

public String getTokenFromAzure() {
    String token = null;
    ConfidentialClientApplication application = getApplication();
    // The "claim" being requested is the JSON serialization of an Employee object
    final String claims = JsonSerializer.convertToJson(new Employee("public"));
    // Variant 1: build a ClaimsRequest from a claims-request JSON document
    final com.microsoft.aad.msal4j.ClaimsRequest claims1 = CustomClaimRequest.formatAsClaimsRequest(claims);
    // Variant 2: request the claim in the id_token (public API of ClaimsRequest)
    ClaimsRequest claims2 = new ClaimsRequest();
    claims2.requestClaimInIdToken(claims, null);
    // Variant 3: request the claim in the access_token (protected in msal4j, exposed through MyClaims)
    MyClaims claims3 = new MyClaims();
    claims3.requestClaimInAccessToken(claims, new RequestedClaimAdditionalInfo(true, "value", Arrays.asList("employeeid", "dummy")));
    if (application == null) {
        log.error("application is not instantiated");
    } else {
        // Client credentials flow against the app's own /.default scope, with the claims request attached
        ClientCredentialParameters parameters = ClientCredentialParameters.builder(Collections.singleton(clientId + "/.default")).claims(claims3).build();
        IAuthenticationResult auth = application.acquireToken(parameters).join();

        if (auth == null) {
            log.info("auth still == null");
        } else {
            // Note: logging bearer tokens puts credentials into the log pipeline; keep this to local debugging
            log.info("idToken: " + auth.idToken());
            log.info("accessToken: " + auth.accessToken());
            token = isEmpty(auth.idToken()) ? auth.accessToken() : auth.idToken();
        }
    }
    return token;
}

private ConfidentialClientApplication getApplication() {
    if (application == null) {
        try {
            // Confidential client authenticated with a client secret against the tenant's authority
            application = ConfidentialClientApplication.builder(clientId, ClientCredentialFactory.createFromSecret(clientSecret)).authority("https://login.microsoftonline.com/" + tenantId + "/").build();
        } catch (MalformedURLException e) {
            log.error("unable to instantiate application for tenant " + tenantId + " with client " + clientId + " with configuration", e);
        }
    }
    return application;
}

// requestClaimInAccessToken is protected in msal4j's ClaimsRequest; this nested subclass
// makes it callable from the enclosing class
static class MyClaims extends ClaimsRequest {

    @Override
    protected void requestClaimInAccessToken(String claim, RequestedClaimAdditionalInfo requestedClaimAdditionalInfo) {
        super.requestClaimInAccessToken(claim, requestedClaimAdditionalInfo);
    }
}

I have tried with claims1, claims2 and with claims3. I am getting a functional access token but the claims are not set.

These are the dependencies that I am using:

    <dependency>
        <groupId>com.microsoft.azure</groupId>
        <artifactId>applicationinsights-spring-boot-starter</artifactId>
        <version>2.6.1</version>
    </dependency>
    <dependency>
        <groupId>com.microsoft.azure</groupId>
        <artifactId>applicationinsights-logging-logback</artifactId>
        <version>2.6.1</version>
    </dependency>
    <dependency>
        <groupId>com.microsoft.azure</groupId>
        <artifactId>azure-active-directory-spring-boot-starter</artifactId>
        <version>2.3.2</version>
    </dependency>
    <dependency>
        <groupId>com.microsoft.graph</groupId>
        <artifactId>microsoft-graph</artifactId>
        <version>2.5.0</version>
    </dependency>
    <dependency>
        <groupId>com.microsoft.graph</groupId>
        <artifactId>microsoft-graph-auth</artifactId>
        <version>0.2.0</version>
    </dependency>
    <dependency>
        <groupId>com.microsoft.azure</groupId>
        <artifactId>azure-storage</artifactId>
        <version>4.2.0</version>
    </dependency>
    <dependency>
        <groupId>com.azure</groupId>
        <artifactId>azure-identity</artifactId>
        <version>1.3.5</version>
        <scope>test</scope>
    </dependency>
    <!-- https://mvnrepository.com/artifact/com.microsoft.azure/msal4j -->
    <dependency>
        <groupId>com.microsoft.azure</groupId>
        <artifactId>msal4j</artifactId>
        <version>1.11.0</version>
    </dependency>

Does anyone know the correct way to add the claims to the JWT token?

f.trajkovski
  • https://stackoverflow.com/questions/54451012/how-add-custom-claim-to-azure-ad-access-token-jwt-at-token-request-time#comment106397341_54451012 – ozkanpakdil Sep 12 '21 at 17:21
  • @f.trajkovski (https://stackoverflow.com/users/7802372/f-trajkovski) Any update to the issue? – Oct 12 '21 at 08:36
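The following is an added example, not code from the question or from msal4j, written in Python so it runs stand-alone without Azure. It shows the OpenID Connect `claims` request parameter (OIDC Core 1.0, section 5.5) that a `ClaimsRequest` such as `claims3` above serializes to, the client-credentials form body that carries it to the token endpoint, and then decodes a constructed sample access token to list which of the requested claims actually came back. The client id, tenant id, scope and sample token are constructed placeholders, and `requested_claim` mirrors the three fields of msal4j's `RequestedClaimAdditionalInfo(essential, value, values)`.

```python
import base64
import json
from urllib.parse import urlencode


def requested_claim(essential=False, value=None, values=None):
    """Per-claim request info with the same three fields as msal4j's
    RequestedClaimAdditionalInfo(essential, value, values). Returns None when
    nothing is specified, which the claims parameter encodes as JSON null."""
    info = {}
    if essential:
        info["essential"] = True
    if value is not None:
        info["value"] = value
    if values:
        info["values"] = list(values)
    return info or None


def build_claims_parameter(access_token=None, id_token=None):
    """Serialize the OIDC 'claims' request parameter: a JSON object keyed by
    target token type ("id_token", "access_token"), each mapping claim names
    to null or to their additional info. ClaimsRequest.formatAsJSONString()
    produces a document of this shape."""
    doc = {}
    if id_token:
        doc["id_token"] = id_token
    if access_token:
        doc["access_token"] = access_token
    return json.dumps(doc, separators=(",", ":"))


def client_credentials_body(client_id, client_secret, scope, claims_json):
    """Form body a confidential client POSTs to the v2.0 token endpoint;
    'claims' is sent as one more form field next to the grant parameters."""
    return urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
        "claims": claims_json,
    })


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_payload(token):
    """Decode the payload of a compact JWS WITHOUT checking the signature.
    Fine for inspecting what the issuer put in; never use it to authorize."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def missing_claims(token, requested):
    """Names from the request that did not come back in the token payload."""
    payload = jwt_payload(token)
    return sorted(name for name in requested if name not in payload)


# --- Constructed sample: hypothetical ids, not real credentials ---
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
TENANT_ID = "00000000-0000-0000-0000-000000000000"
SCOPE = CLIENT_ID + "/.default"

# The request claims3 in the question makes, keyed by a claim name
REQUESTED_ACCESS_TOKEN_CLAIMS = {
    "employeeid": requested_claim(essential=True, value="value", values=["employeeid", "dummy"]),
    "roles": requested_claim(),
}


def _fake_jws(payload):
    """Unsigned three-part token (dummy signature segment) for offline inspection only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(payload) + ".c2ln"


# Constructed app-only token: audience, issuer, calling app and app roles,
# and no "employeeid" claim, so the check below reports it as absent.
SAMPLE_ACCESS_TOKEN = _fake_jws({
    "aud": CLIENT_ID,
    "iss": "https://login.microsoftonline.com/" + TENANT_ID + "/v2.0",
    "azp": CLIENT_ID,
    "roles": ["Employee.Read.All"],
})


def demo():
    claims_json = build_claims_parameter(access_token=REQUESTED_ACCESS_TOKEN_CLAIMS)
    body = client_credentials_body(CLIENT_ID, "<client-secret>", SCOPE, claims_json)
    return claims_json, body, missing_claims(SAMPLE_ACCESS_TOKEN, REQUESTED_ACCESS_TOKEN_CLAIMS)


if __name__ == "__main__":
    cj, body, gap = demo()
    print("claims parameter:", cj)
    print("token request body:", body)
    print("requested but absent from token:", gap)
```

The check is the useful part when debugging a report like "the claims are not set": decode the token you got back and compare it against what was requested instead of assuming the `claims` parameter was honored. `jwt_payload` deliberately skips signature verification; it is an inspection aid, not something to base an authorization decision on.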

1 Answer


You can add custom key-value pairs to the JWT's body as custom claims. It may be a user's department at work, a user's role or privilege, or whatever else you need to add to JWT. For instance, I am including two custom claims for the user's role and department at work in the code sample below.

import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;

// subject, expDate (a java.util.Date) and secret (the HMAC key) are assumed to be in scope
String token = Jwts.builder()
        .setSubject(subject)                        // registered claim "sub"
        .setExpiration(expDate)                     // registered claim "exp"
        .claim("Role", "Admin")                     // custom claim
        .claim("Department", "Product development") // custom claim
        .signWith(SignatureAlgorithm.HS512, secret) // HMAC-SHA512 over header.payload
        .compact();

In the above code example, Role and Department are two custom claims that I have added. You can expand JWT's body of claims as necessary. Just keep in mind not to include sensitive data such as a user password or token secret. You may examine and decode JWT assertions.

Use the following bit of code to read the custom Claims from the JWT token's body:

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;

// tokenSecret must be the key the token was signed with; parseClaimsJws verifies
// the signature and expiry and throws before returning the body if either fails
Claims claims = Jwts.parser()
        .setSigningKey(tokenSecret)
        .parseClaimsJws(jwt)
        .getBody();

// Reading reserved claims
System.out.println("Subject: " + claims.getSubject());
System.out.println("Expiration: " + claims.getExpiration());

// Reading custom claims
System.out.println("Role: " + claims.get("Role"));
System.out.println("Department: " + claims.get("Department"));

Remember that a JWT is a Base64-encoded string and can be easily decoded. Therefore, you should not put any sensitive user details into the claims. Even though the information in the claims cannot be altered, it can be viewed by Base64-decoding the JWT.

  • This is OK, but it is not what I need: here you are the one creating the token, and in my case I am requesting the token from Azure. In the request to Azure I need to provide information that I need custom claims. – f.trajkovski Oct 14 '21 at 17:29
  • @f.trajkovski - I have the REST API to request the token, but I do not have claims when requesting the token. Did you find any resolution? – Nov 12 '21 at 23:49
  • Nope, I haven't found any solution. I went with another approach. I think that this was possible in the past and that currently they are not supporting it. – f.trajkovski Nov 15 '21 at 07:44
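The following is an added example, not code from the answer or from jjwt, that shows the answer's caveat in running code: the payload of an HS512-signed JWT carrying custom claims is readable by anyone who base64url-decodes it, while a rewritten claim, a wrong key, a different `alg`, or an expired token all fail verification. It uses only the Python standard library; the secret, subject and timestamps are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

ALG = "HS512"


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_hs512(secret, subject, custom_claims, ttl_seconds=3600, now=None):
    """Counterpart of the answer's Jwts.builder()...signWith(HS512, secret):
    registered claims plus arbitrary custom ones, HMAC-SHA512 over
    base64url(header) '.' base64url(payload)."""
    now = int(time.time()) if now is None else now
    header = {"alg": ALG, "typ": "JWT"}
    payload = {"sub": subject, "iat": now, "exp": now + ttl_seconds, **custom_claims}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha512).digest()
    return signing_input + "." + _b64url(sig)


def read_claims_unverified(token):
    """What anyone holding the token can see: no secret involved."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def verify_hs512(secret, token, now=None):
    """Counterpart of Jwts.parser().setSigningKey(secret).parseClaimsJws(token):
    returns the claims, or None if the algorithm, signature or expiry fails."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        given_sig = _b64url_decode(s)
    except ValueError:  # bad segment count, bad base64, bad JSON/UTF-8
        return None
    if header.get("alg") != ALG:  # pin the algorithm; never trust the header's choice
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha512).digest()
    if not hmac.compare_digest(expected, given_sig):
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


def with_claim_rewritten(token, name, new_value):
    """Edit one payload claim but keep the original signature: exactly what
    someone who can decode the token, but lacks the key, is able to do."""
    h, p, s = token.split(".")
    claims = json.loads(_b64url_decode(p))
    claims[name] = new_value
    return h + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()) + "." + s


# Constructed inputs (not a real secret)
SECRET = b"constructed-demo-secret-do-not-reuse"
ISSUED_AT = 1_700_000_000


def demo():
    token = mint_hs512(SECRET, "alice", {"Role": "Admin", "Department": "Product development"}, now=ISSUED_AT)
    visible = read_claims_unverified(token)                                   # readable by anyone
    ok = verify_hs512(SECRET, token, now=ISSUED_AT + 60)                       # claims dict
    forged = verify_hs512(SECRET, with_claim_rewritten(token, "Role", "SuperAdmin"), now=ISSUED_AT + 60)  # None
    wrong_key = verify_hs512(b"guess", token, now=ISSUED_AT + 60)              # None
    expired = verify_hs512(SECRET, token, now=ISSUED_AT + 3600)                # None
    return visible, ok, forged, wrong_key, expired


if __name__ == "__main__":
    visible, ok, forged, wrong_key, expired = demo()
    print("readable without the key:", visible)
    print("verified:", ok is not None, "forged:", forged, "wrong key:", wrong_key, "expired:", expired)
```

The two halves are the point of the answer's warning: `read_claims_unverified` needs nothing but the token, so custom claims are confidentiality-free, while `verify_hs512` is what makes them integrity-protected. Pinning `alg` before checking the signature is the extra step a practitioner should not skip.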