Azure AD Custom Claims in JWT

后端 未结 1 1790
别那么骄傲
别那么骄傲 2021-01-13 22:40

I have an Azure AD app and I am trying to add custom claims to a JWT. I\'m using the claims mapping feature in Azure for my specific app, and updated the app manifest in the

相关标签:
1条回答
  • 2021-01-13 23:20

    Based on this official doc :

    Access tokens are always generated using the manifest of the resource, not the client. So in the request ...scope=https://graph.microsoft.com/user.read... the resource is Graph. Thus, the access token is created using the Graph manifest, not the client's manifest. Changing the manifest for your application will never cause tokens for Graph to look different. In order to validate that your accessToken changes are in effect, request a token for your application, not another app.

    And based on your requirement , it is impossible if you want to make some change on an access token which resource is sharepoint online which is a multi-tenant app created and managed by MSFT.

    For this doc , I also did some research for you . And the same , you should have control of the service side app so that you can make that happen.

    This is my policy role assignment command :

    $nsp = New-AzureADPolicy -Definition @('{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true", "ClaimsSchema": [{"Source":"user","ID":"mailnickname","JwtClaimType":"testclaim"}]}}') -DisplayName "StanCustomCliamDemo_surname" -Type "ClaimsMappingPolicy"
    
    Add-AzureADServicePrincipalPolicy  -RefObjectId $nsp.Id -Id '<obj id of service side app>'
    

    Token result :

    What's more , pls note that extension_<appId>_customUserRoles is not a valid user source ID . For all valid user source ID , pls refer to here .

    Hope it helps .

    0 讨论(0)
提交回复
热议问题