
I am trying to supply a username to a third-party application that will occasionally be different from the user's SAM.

I've got it working in the ID token by defining it in OIDC-based sign-on. The recipient of the token needs the claim to be in the access token, not the ID token.

I've tried adding this (and other variations, such as user.extensionattribute15) to the manifest:

"optionalClaims": {
    "accessToken": [
        {
            "additionalProperties": [],
            "essential": false,
            "name": "extensionAttribute15",
            "source": "user"
        }
    ],
    "idToken": [],
    "saml2Token": []
},

but no luck. Could anyone point me in the right direction?

I've tried a bunch of different formats, such as user.extensionattribute15 with source set to null, user, etc.

2 Answers

What you can do is to edit the optional claims in the Enterprise Application (Service Principal) which is connected to the App Registration. In the Enterprise Application you can configure optional claims that should be passed to ID and access tokens.

  1. Go to the Enterprise Application you want to edit
  2. Select Single sign-on
  3. Edit Attributes & Claims

  [screenshot: Attributes & Claims edit]

  4. Click on Add new claim

  [screenshot: Add new claim]

  5. Add your specific claim and Save

  [screenshot: User claim]

Afterwards you should see the optional claim in the Enterprise Application and should get your user.extensionattribute15 as your configured claim in the ID and access token.

[screenshot: new claim]

If you cannot see the claims in your token, you need to configure the manifest of your App Registration if it is a single-tenant app, or you need to provide a custom signing key.

If you have a single-tenant app, you can add the following property to the manifest and set it to true:

"acceptMappedClaims": true

If it is a multi-tenant app, you need to create and configure a signing key, which is described here: https://learn.microsoft.com/en-us/entra/identity-platform/jwt-claims-customization?WT.mc_id=Portal-Microsoft_AAD_IAM#configure-a-custom-signing-key


To get the optional claim into the access token:

Ensure that the value of the optional claim extension_attribute15 is correctly defined.

Update the application manifest to "acceptMappedClaims": true and "accessTokenAcceptedVersion": 2.

Initially, I registered the application and added the optional claims displayName and extensionattribute15:

Now, I added an Application ID URI and exposed a scope:

I added the same scope as an API in the API Permissions blade:

Note: Custom claims are included in the access token only when the scope passed is your custom API, not Microsoft Graph. Hence, request a token for your application, not another app. For more details, refer to this MS Doc.

Now, to get the claims into the access token, you need to generate the access token with the scope api://<application_id>/.default.

I am using the delegated type with the authorization_code flow, using the below parameters to generate the access token and id_token:

POST https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded

client_id: <application-id>
client_secret: <client-secret>
scope: openid api://<application_id>/.default
grant_type: authorization_code
code: <authorization_code generated from browser>
redirect_uri: <REDIRECT_URI>

Response:


I decoded this access token and id_token at https://jwt.ms and got the optional claims successfully.

access token:

id token:
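As an added example that is not part of the question or either answer, the Python below automates the two checks the answers describe: first, that the App Registration manifest carries "acceptMappedClaims": true, "accessTokenAcceptedVersion": 2 and the claim under optionalClaims.accessToken; second, that a returned access token was actually issued for your own API (the audience check behind the note about requesting your custom API scope rather than Microsoft Graph) and carries the claim. The manifest fragment, application ID and claim values are constructed for the example; the key name the claim appears under in a real token and the accepted audience forms (client ID GUID or api:// URI, depending on token version) are assumptions you should adjust to what your tenant emits. The token is decoded without signature verification, exactly like pasting it into jwt.ms, which is fine for inspecting claim presence; a resource server must verify the signature against the tenant's signing keys before trusting any claim.

```python
import base64
import json

# Constructed sample manifest (assumption: mirrors the settings from the answers).
SAMPLE_MANIFEST = {
    "acceptMappedClaims": True,
    "accessTokenAcceptedVersion": 2,
    "optionalClaims": {
        "accessToken": [
            {"additionalProperties": [], "essential": False,
             "name": "extensionAttribute15", "source": "user"}
        ],
        "idToken": [],
        "saml2Token": [],
    },
}


def manifest_issues(manifest, claim_name, target="accessToken"):
    """Return a list of problems that would keep an optional claim out of the
    given token type, based on the manifest settings discussed in the answers."""
    issues = []
    if manifest.get("acceptMappedClaims") is not True:
        issues.append('"acceptMappedClaims" is not true')
    if manifest.get("accessTokenAcceptedVersion") != 2:
        issues.append('"accessTokenAcceptedVersion" is not 2')
    entries = manifest.get("optionalClaims", {}).get(target, [])
    names = {e.get("name", "").lower() for e in entries}
    if claim_name.lower() not in names:
        issues.append(f'"{claim_name}" is not listed under optionalClaims.{target}')
    return issues


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def decode_jwt_unverified(token):
    """Split a compact JWT into (header, payload) dicts WITHOUT checking the
    signature: inspection only, the same thing jwt.ms does."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated parts)")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def check_custom_claim(token, claim_name, accepted_audiences):
    """Return (present, reason). A token whose 'aud' is not one of your own
    API's identifiers (e.g. it was requested for Graph) will never carry the
    custom claim, so that case gets its own explanation."""
    _, payload = decode_jwt_unverified(token)
    aud = payload.get("aud")
    if aud not in accepted_audiences:
        return False, (f"token audience is {aud!r}, not your API; request the scope "
                       f"api://<application_id>/.default instead")
    if claim_name not in payload:  # assumption: claim key equals the manifest name
        return False, f"audience is correct but {claim_name!r} is absent; check the manifest"
    return True, f"{claim_name}={payload[claim_name]!r}"


def make_unsigned_sample_token(payload):
    """Build a constructed, UNSIGNED token ('alg': 'none') so the checks run
    offline. Real Entra tokens are RS256-signed; never accept alg=none."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
    return f"{enc({'typ': 'JWT', 'alg': 'none'})}.{enc(payload)}."


if __name__ == "__main__":
    app_id = "11111111-2222-3333-4444-555555555555"  # constructed placeholder
    audiences = {app_id, f"api://{app_id}"}
    print("manifest issues:", manifest_issues(SAMPLE_MANIFEST, "extensionAttribute15"))
    for label, claims in [
        ("own API", {"aud": f"api://{app_id}", "extensionAttribute15": "jdoe-legacy"}),
        ("Graph", {"aud": "https://graph.microsoft.com", "scp": "User.Read"}),
    ]:
        tok = make_unsigned_sample_token(claims)
        print(label, check_custom_claim(tok, "extensionAttribute15", audiences))
```

Run it against a real token by replacing the constructed one with the access_token string from the token response; the audience set should hold whichever identifier your tenant puts in aud for your API.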
