
I am integrating a web app that uses a custom claim called "entitlements" in an access token which has 1 or more values that specify the privileges of the user within the app, i.e. user, reports, admin... Users are assigned one or more of these values. When I built it, I looked to see if Azure Active Directory would support adding this custom claim into the JWT and all the evidence indicated it was possible. Now that it is built I am trying to actually implement the integration with AAD. But it is not working. None of the instructions that I have come across actually work. The claim isn't present within the Access Token when generated and I cannot find a way to tell Azure to add it.

I have added a custom security attribute called "entitlements", added it to a user account with a value, gave the application as many API permissions as I can find and yet, when it comes time to add the custom attribute as a claim under Manage Claim, it is not visible. Only the user profile values are visible. Nothing that I do changes the list of values. They only contain the "user.*" properties.

My steps to get to this point:

  1. Create a free Azure AD account and elevate it to P2 license level.
  2. Elevate my user account to create custom security attribute definitions.
  3. Create custom security attribute definition.
  4. Create a custom security attribute with 8 different possible values that can be selected.
  5. Under user, add a custom security attribute with at least one value selected.
  6. Back under the application registration, API permissions, add all permissions that allow access to all possible values that might be relevant.
  7. Under Manifest, changed accessTokenAcceptedVersion to 2
  8. Added the optionalClaims within the Manifest, added the custom security attribute named "entitlements" with source as "user"
  9. Tried to add Optional Claim "entitlements" but not present. Addition of entry typed into Manifest indicates it will not be added to JWT since it is not a valid claim.
  10. I went to enterprise application, single sign on, Manage Claims, clicked on Add a claim, and looked for entitlements but only user.* properties are there from the profile area of a user.
  11. Typing the source attribute for entitlement just makes a string appear with the text "entitlements"

So has anyone successfully added an application with custom attributes attached to a user profile that are selectable and configured to have those attributes show up as a JWT claim? What did you do differently?

  • I'm not sure if you mean custom attributes (for ABAC/RBAC with Conditions)? If so, there's a solution here: stackoverflow.com/a/77041860 Although they used extension properties :/ Your approach with RBAC is likely more idiomatic anyway :) Commented Dec 27, 2023 at 5:28

1 Answer

I was unable to add entitlements using the custom security attributes; however, by defining a set of roles within Azure AD and then assigning one of those roles to the user of the registered app in Azure, I was able to pass the roles claim in the JWT, which is a standard claim supported in the OAuth2 specification that my app supports. I could not find a way to insert any additional claims that are standard in OAuth2 but not listed as an optional or explicitly listed claim. The documentation states it can be done but I was not able to obtain a working result. Even adding a custom static claim did not work for me.


2 Comments

Your answer could be improved with additional supporting information. Please edit to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers in the help center.
I just realized that post links here :0
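Added example, not part of the original question or answer and not Microsoft's code: a Python sketch of what the accepted workaround looks like from the application's side. It embeds a constructed appRoles entry in the shape the app registration manifest uses for app roles, and shows how a resource API turns the resulting roles claim into the app's entitlement set, rejecting tokens for another audience, v1.0 tokens (the question sets accessTokenAcceptedVersion to 2, so ver should be "2.0") and role values the manifest never declared. It assumes the token's signature and issuer have already been validated by a JWT library against the tenant's signing keys; the GUIDs, client id, tenant id and claim values are placeholders, and the demo token carries a dummy signature segment, not a real one.

```python
import base64
import json

# Constructed example of the "appRoles" section of an app registration manifest.
# The GUIDs, names and values are placeholders chosen for this example; they are
# not taken from the original post.
APP_ROLES_MANIFEST = [
    {"allowedMemberTypes": ["User"], "description": "Standard application user",
     "displayName": "User", "id": "00000000-0000-0000-0000-000000000001",
     "isEnabled": True, "value": "user"},
    {"allowedMemberTypes": ["User"], "description": "May run reports",
     "displayName": "Reports", "id": "00000000-0000-0000-0000-000000000002",
     "isEnabled": True, "value": "reports"},
    {"allowedMemberTypes": ["User"], "description": "Administrator",
     "displayName": "Admin", "id": "00000000-0000-0000-0000-000000000003",
     "isEnabled": True, "value": "admin"},
]

# Placeholder for the app registration's client id, which is the audience (aud)
# of a v2.0 access token issued for the app.
EXPECTED_AUDIENCE = "11111111-2222-3333-4444-555555555555"


def declared_roles(manifest):
    """Return the set of role values the manifest declares and has enabled."""
    return {role["value"] for role in manifest if role.get("isEnabled", False)}


def _b64url_decode(segment):
    """Decode one base64url JWT segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def claims_of(token):
    """Return the payload claims of a compact JWT as a dict.

    This only parses. It does not verify the signature: the caller must have
    already validated the token against the tenant's signing keys.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def entitlements_from_claims(claims, manifest=APP_ROLES_MANIFEST,
                             expected_aud=EXPECTED_AUDIENCE):
    """Map the roles claim of already-validated claims to the app's entitlements."""
    if claims.get("aud") != expected_aud:
        raise PermissionError("token audience is not this application")
    if claims.get("ver") != "2.0":
        raise PermissionError("expected a v2.0 access token")
    roles = claims.get("roles", [])
    if not isinstance(roles, list) or not all(isinstance(r, str) for r in roles):
        raise PermissionError("roles claim is not a list of strings")
    unknown = set(roles) - declared_roles(manifest)
    if unknown:
        raise PermissionError(f"undeclared roles in token: {sorted(unknown)}")
    return set(roles)


def has_entitlement(claims, needed):
    """True only when validated claims grant the named entitlement."""
    try:
        return needed in entitlements_from_claims(claims)
    except PermissionError:
        return False


def _demo_token(claims):
    """Build a compact JWT from claims for offline testing (constructed data).

    The header names RS256, as Azure AD tokens do, but the signature segment is
    a dummy value: nothing here verifies it, and nothing should accept it.
    """
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode("utf-8")
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.dummy-signature"


# Constructed claims of the kind a v2.0 access token carries after a user
# assigned the "user" and "reports" app roles signs in. Tenant id is a placeholder.
DEMO_CLAIMS = {
    "aud": EXPECTED_AUDIENCE,
    "iss": "https://login.microsoftonline.com/<tenant-id-placeholder>/v2.0",
    "ver": "2.0",
    "sub": "constructed-subject",
    "roles": ["user", "reports"],
}
DEMO_TOKEN = _demo_token(DEMO_CLAIMS)

if __name__ == "__main__":
    print(sorted(entitlements_from_claims(claims_of(DEMO_TOKEN))))
    print(has_entitlement(DEMO_CLAIMS, "admin"))
```

The point of checking the roles against the manifest is that a token can only carry role values the app registration declares, so any other value indicates a token issued for a different resource or a configuration drift worth logging.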
