Tags: openid-connect, adfs

Customize id_token returned from AD FS 2019 (not Azure AD)


A client I'm working with has AD FS 2019 installed on a server, and we have set up a server application which we can successfully use to log in with OpenID Connect. We're redirected to the redirect URI, and receive an ID token and an access token from the token endpoint.

However, I can't see anywhere to add claims to the ID token. In the properties for the server application, we can add redirect URIs, and we see the client ID, and that's about it. Is it possible to add claims to the ID and access tokens?

The only way we've managed to do it is to create a web API application in the same application group in AD FS. There we can customize the tokens. But that doesn't seem like the best approach. Basically, the web API application only exists to modify the tokens we fetch when the user logs in.

This question seems to be about the same problem, but the last comment is from December 2017. I am hoping for some new information.

This guide from the documentation talks about customizing the claims in the ID token, but they too create a web API application for it. Is this the best-practice way? I'm not familiar with AD FS, so any feedback would be appreciated.


Solution

  • The problem is that creating an application does not allow you to view the tab to create claims rules.

    Hence you cannot add claims.

    The only place to see this tab is on a web API.

    Hence the approach in the documentation.

    So it's not so much best practice as this is the only possible way!
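A worked PowerShell version of the workaround described in both the question and the answer, added here as an example; it is not code from the original question, the answer, or the Microsoft documentation. It assumes an existing application group named `ExampleAppGroup` that already contains the OIDC server application, and it uses placeholder values for the Web API name and identifier (`https://example.com/api`), the access control policy, and the custom claim type. The `allatclaims` scope is used on the assumption that AD FS copies the access token claims into the id_token when a client requests it; verify that on your own farm by decoding a token, as the last step does.

```powershell
# Added example: create the Web API that carries the claim rules for an existing
# OIDC server application in the same AD FS application group.
# Run in an elevated PowerShell session on the AD FS server.
# All names and identifiers below are placeholders (assumptions), not values from the question.
Import-Module ADFS

$GroupName  = 'ExampleAppGroup'             # assumption: existing application group
$WebApiName = 'ExampleAppGroup - Web API'   # assumption
$WebApiId   = 'https://example.com/api'     # assumption: becomes the access token "aud"

# Issuance transform rules in AD FS claim-rule language. The Web API is the only
# object in an application group that accepts IssuanceTransformRules, which is the
# whole reason it exists here.
$Rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Issue mail and group memberships from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";mail,tokenGroups;{0}", param = c.Value);

@RuleName = "Static tenant tag (custom claim type, assumption)"
=> issue(Type = "http://example.com/claims/tenant", Value = "contoso-prod");
'@

# 1. Create the Web API, or just update the rules if it already exists.
if (-not (Get-AdfsWebApiApplication -Identifier $WebApiId -ErrorAction SilentlyContinue)) {
    Add-AdfsWebApiApplication -Name $WebApiName -Identifier $WebApiId `
        -ApplicationGroupIdentifier $GroupName `
        -AccessControlPolicyName 'Permit everyone' `
        -IssuanceTransformRules $Rules
} else {
    Set-AdfsWebApiApplication -TargetIdentifier $WebApiId -IssuanceTransformRules $Rules
}

# 2. Allow the existing server application to call the Web API. "openid" is needed
#    for an id_token; "allatclaims" asks AD FS to put the access token claims into
#    the id_token as well (assumption; confirm by decoding a token in step 4).
#    Grant-AdfsApplicationPermission errors if the grant already exists, which is fine.
$Client = Get-AdfsServerApplication -ApplicationGroupIdentifier $GroupName | Select-Object -First 1
Grant-AdfsApplicationPermission -ClientRoleIdentifier $Client.Identifier `
    -ServerRoleIdentifier $WebApiId -ScopeNames @('openid', 'allatclaims')

# 3. Read back what AD FS stored, so a typo in the rule text shows up now, not at login.
(Get-AdfsWebApiApplication -Identifier $WebApiId).IssuanceTransformRules

# 4. Inspect an id_token or access token obtained with resource=<Web API identifier>
#    and scope "openid allatclaims". This decodes the payload only; it does NOT
#    verify the signature, so use it for inspection, never for authorization.
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string] $Jwt)
    $segment = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')   # base64url -> base64
    switch ($segment.Length % 4) { 2 { $segment += '==' } 3 { $segment += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($segment)) | ConvertFrom-Json
}
# Example: ConvertFrom-JwtPayload $idToken | Select-Object aud, email, role
```

Two things worth checking after running this: the `aud` of the access token is now the Web API identifier, so anything that validates audience on the access token must expect that value; and the claim names in the JWT are the ones AD FS emits for those claim types (well-known types are shortened, custom URIs are not), so decode a real token before hard-coding claim names in the relying application.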