For my application, I want users to be able to sign in with their Azure Account (Single Sign On). I also need an access token to access the secured backend.
So I can get both, the id_token and the access_token, with a request to this URL:
https://login.microsoftonline.com/MY_TENANT_ID/oauth2/authorize?response_type=id_token+token&client_id=MY_CLIENT_ID&state=SOME_STATE&redirect_uri=MY_REDIRECT_URI&scope=openid profile&resource=MY_CLIENT_ID&nonce=SOME_NONCE
This basically works, but I also want to have the roles in the access token (and in the id token), but the roles are not included in the tokens I receive.
When I use this URL to only get an id_token, the role claims are included:
https://login.microsoftonline.com/MY_TENANT_ID/oauth2/authorize?response_type=id_token&client_id=MY_CLIENT_ID&state=SOME_STATE&redirect_uri=MY_REDIRECT_URI&scope=openid profile&nonce=SOME_NONCE
The difference is that I request only the id_token and not the token, and I leave out the resource parameter.
My questions are: Why are the role claims not included in the tokens of the first request? What are my options to get the id_token and the access_token with the roles claims?
edit: This is how the appRoles are defined in the app's manifest:
{
  "appId": "MY_CLIENT_ID",
  "appRoles": [
    {
      "allowedMemberTypes": [
        "User"
      ],
      "displayName": "Admin",
      "id": "c200e304-fff3-49f1-a4df-e406741ea690",
      "isEnabled": true,
      "description": "Bla bla",
      "value": "admin"
    },
    {
      "allowedMemberTypes": [
        "User"
      ],
      "displayName": "Reader",
      "id": "c534f351-b343-48d0-9dd7-ecb4c5cb402d",
      "isEnabled": true,
      "description": "Bla bla",
      "value": "reader"
    }
  ],
  "availableToOtherTenants": false,
  ...
}
I can also reproduce the issue. I'm not sure whether this is a bug or by design, and I found that this issue only occurs when we acquire the token for the app itself. For example, if we replace the resource with Azure AD Graph, the role claims are issued in the id_token successfully.
As a workaround for this issue, I suggest that you acquire the id_token in the first request. Then you can acquire the access token in an iframe using the ADAL library without user interaction, since the user has already signed in.
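The two-step flow the answer suggests, as an added example that is not code from the question, the answer, or the ADAL library. It builds the Azure AD v1 authorize URLs the question compares (a sign-in request for the id_token, then a silent token request with prompt=none, which is what an iframe renewal sends), parses the fragment the implicit flow returns, checks state and nonce, and reports whether each token actually carries a roles claim. MY_TENANT_ID, MY_CLIENT_ID, MY_REDIRECT_URI, SOME_STATE and SOME_NONCE are the question's placeholders; the sample tokens are constructed locally with a dummy signature and are not issued by Azure AD.

```javascript
// Added example, not code from the original post. Node.js (Buffer, URLSearchParams).
const AUTHORITY = "https://login.microsoftonline.com";

// Build a v1 /oauth2/authorize URL. responseType is "id_token", "token" or
// "id_token token"; resource is the v1 audience of the access token; prompt "none"
// asks for a silent response, which is what an iframe-based renewal relies on.
function buildAuthorizeUrl({ tenant, clientId, redirectUri, state, nonce,
                             responseType, resource, prompt }) {
  const params = new URLSearchParams({
    response_type: responseType,
    client_id: clientId,
    state,
    redirect_uri: redirectUri,
    scope: "openid profile",
    nonce,
  });
  if (resource) params.set("resource", resource);
  if (prompt) params.set("prompt", prompt);
  return `${AUTHORITY}/${tenant}/oauth2/authorize?${params.toString()}`;
}

// base64url helpers; JWT segments carry no '=' padding.
function b64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
function b64urlDecode(s) {
  const pad = "=".repeat((4 - (s.length % 4)) % 4);
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/") + pad;
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Reads the payload only. This does NOT verify the signature: the backend must
// validate the token against the tenant's signing keys before trusting any claim.
function jwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return b64urlDecode(parts[1]);
}

// "#id_token=...&access_token=...&state=..." as returned to redirect_uri.
function parseFragment(fragment) {
  return Object.fromEntries(new URLSearchParams(fragment.replace(/^#/, "")));
}

// Check the response against what we sent and summarise the roles claim.
// expected = { state, nonce, resource }.
function checkResponse(fragment, expected) {
  const r = parseFragment(fragment);
  if (r.error) throw new Error(`${r.error}: ${r.error_description || ""}`);
  if (r.state !== expected.state) throw new Error("state mismatch (possible CSRF)");
  const result = {};
  if (r.id_token) {
    const p = jwtPayload(r.id_token);
    if (p.nonce !== expected.nonce) throw new Error("nonce mismatch (replayed id_token)");
    result.idTokenRoles = p.roles || [];
  }
  if (r.access_token) {
    const p = jwtPayload(r.access_token);
    if (p.aud !== expected.resource) throw new Error(`unexpected audience ${p.aud}`);
    result.accessTokenRoles = p.roles || [];
  }
  return result;
}

// Constructed samples with a dummy signature segment: the id_token-only response
// from the question (roles present) and the id_token+token response (roles absent).
function fakeJwt(payload) {
  return `${b64urlEncode({ alg: "RS256", typ: "JWT" })}.${b64urlEncode(payload)}.c2ln`;
}
const SENT = { state: "SOME_STATE", nonce: "SOME_NONCE", resource: "MY_CLIENT_ID" };
const SAMPLE_WITH_ROLES = "#id_token=" +
  fakeJwt({ aud: "MY_CLIENT_ID", nonce: "SOME_NONCE", roles: ["admin"] }) +
  "&state=SOME_STATE";
const SAMPLE_WITHOUT_ROLES = "#id_token=" +
  fakeJwt({ aud: "MY_CLIENT_ID", nonce: "SOME_NONCE" }) +
  "&access_token=" + fakeJwt({ aud: "MY_CLIENT_ID" }) +
  "&state=SOME_STATE";

const common = { tenant: "MY_TENANT_ID", clientId: "MY_CLIENT_ID",
                 redirectUri: "MY_REDIRECT_URI", state: "SOME_STATE", nonce: "SOME_NONCE" };
// Step 1: interactive sign-in, id_token only (no resource), roles included.
console.log(buildAuthorizeUrl({ ...common, responseType: "id_token" }));
// Step 2: silent access-token request for the app itself, as an iframe would send.
console.log(buildAuthorizeUrl({ ...common, responseType: "token",
                                resource: "MY_CLIENT_ID", prompt: "none" }));
console.log(checkResponse(SAMPLE_WITH_ROLES, SENT));
console.log(checkResponse(SAMPLE_WITHOUT_ROLES, SENT));
```

Two things to keep from this: always check state and nonce before reading any claim from a fragment response, and read the roles from the id_token you obtained in step 1 rather than expecting them in the access token, since the backend must in any case verify the access token's signature and audience itself before acting on any role it carries.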