I am attempting to set up a custom claims provider, following the Microsoft articles (https://learn.microsoft.com/en-us/azure/active-directory/develop/custom-claims-provider-overview).
I have a simple TypeScript Function App with the following code:
```typescript
import { AzureFunction, Context, HttpRequest } from "@azure/functions"

const httpTrigger: AzureFunction = async function (context: Context, req: HttpRequest): Promise<void> {
    // Debug logging of the whole callout; note that this also logs every inbound header
    context.log(`request method: ${JSON.stringify(req.method)}`);
    context.log(`request headers: ${JSON.stringify(req.headers)}`);
    context.log(`request body: ${JSON.stringify(req.body)}`);

    // The correlationId can arrive as a query parameter or inside the callout body
    const correlationId = (req.query.correlationId || req.body?.data?.authenticationContext?.correlationId);
    context.log(`correlationId: ${JSON.stringify(correlationId)}`);

    const user = req.body?.data?.authenticationContext?.user;
    context.log(`user: ${JSON.stringify(user)}`);

    context.res = {
        body: {
            data: {
                "@odata.type": "microsoft.graph.onTokenIssuanceStartResponseData",
                actions: [
                    {
                        "@odata.type": "microsoft.graph.tokenIssuanceStart.provideClaimsForToken",
                        claims: {
                            correlationId,
                            customRoles: [
                                "Writer",
                                "Editor"
                            ]
                        }
                    }
                ]
            }
        }
    };
};

export default httpTrigger;
```
Note that I can successfully deploy this code to the function app on my account, and it "successfully" executes every time that someone logs in to the application.
Despite this "successful" execution, however, I do not get a successful response back from the token request. Instead I'm seeing error responses from the token endpoint like this:
```json
{"error":"invalid_request","error_description":"AADSTS1100001: Non-retryable error has occurred.\r\nTrace ID: 23b605c1-9c02-406c-89ea-5548cf6f8300\r\nCorrelation ID: cbcd178c-4859-40c5-9193-43693382f315\r\nTimestamp: 2023-05-02 09:45:47Z","error_codes":[1100001],"timestamp":"2023-05-02 09:45:47Z","trace_id":"23b605c1-9c02-406c-89ea-5548cf6f8300","correlation_id":"cbcd178c-4859-40c5-9193-43693382f315"}
```
This error response isn't all that informative about what is going wrong behind the scenes. I haven't found a way to look up any associated logs by the trace_id either. Any advice on how to get this working/get to the underlying error trace would be much appreciated.
This piece of code worked for me. The odata.type and the content-type header can make all the difference. It is all outlined in the Microsoft article referenced in the original question, even though the example given is in C#.
```typescript
import { AzureFunction, Context, HttpRequest } from "@azure/functions"

const httpTrigger: AzureFunction = async function (context: Context, req: HttpRequest): Promise<void> {
    //context.log('HTTP trigger function processed a request.');
    const correlationId = (req.body && req.body.data.authenticationContext.correlationId)

    const response =
    {
        "data": {
            "@odata.type": "microsoft.graph.onTokenIssuanceStartResponseData",
            "actions": [
                {
                    "@odata.type": "microsoft.graph.provideClaimsForToken",
                    "claims": {
                        "correlationId": `${correlationId}`,
                        "organization": "myorg",
                        "apiVersion": "1.0.0"
                    }
                }
            ]
        }
    };

    context.res = {
        // status: 200, /* Defaults to 200 */
        body: response,
        headers: {
            'Content-Type': 'application/json'
        }
    };
};

export default httpTrigger;
```
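The following is an added example, not code from the question, the answer, or Microsoft's documentation. It factors the onTokenIssuanceStart handler into a pure, testable `buildClaimsResponse` function that validates the inbound callout (correlationId and user object id must be GUIDs), always sets `Content-Type: application/json`, and sources the extra claims from a server-side lookup keyed by the user's object id instead of anything in the request. The callout body shape, the `PROVIDE_CLAIMS_ACTION` value (taken from the accepted answer; the question used the `tokenIssuanceStart.` form), the `ROLE_DIRECTORY` map and all GUIDs are assumptions or constructed sample data, and the wrapper's context/request types are deliberately narrowed so the file runs without `@azure/functions` installed.

```typescript
// Added example: a hardened onTokenIssuanceStart handler. Not the question's, the answer's,
// or Microsoft's code. Callout shape, action type, role directory and GUIDs are assumptions.

// Minimal shape of the onTokenIssuanceStart callout body that this code reads (assumed).
interface TokenIssuanceCallout {
  data?: {
    authenticationContext?: {
      correlationId?: string;
      user?: { id?: string; userPrincipalName?: string };
    };
  };
}

// Subset of what Azure Functions v3 expects on context.res.
interface HandlerResult {
  status: number;
  headers: Record<string, string>;
  body: unknown;
}

// The accepted answer reports "microsoft.graph.provideClaimsForToken" working; the question
// used "microsoft.graph.tokenIssuanceStart.provideClaimsForToken". Match the value in the
// Microsoft docs for your API version; it is isolated here so there is one place to change.
const PROVIDE_CLAIMS_ACTION = "microsoft.graph.provideClaimsForToken";

// Constructed sample directory (object id -> roles). In a real deployment this is a lookup
// against your own store; it must never be derived from the request body.
const ROLE_DIRECTORY: Record<string, string[]> = {
  "11111111-1111-1111-1111-111111111111": ["Writer", "Editor"],
  "22222222-2222-2222-2222-222222222222": ["Reader"],
};

const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

function isGuid(value: unknown): value is string {
  return typeof value === "string" && GUID_RE.test(value);
}

// Pure function: validates the callout and builds the response object.
// Keeping it separate from the Azure Functions wrapper makes it unit-testable offline.
function buildClaimsResponse(body: unknown): HandlerResult {
  const jsonHeaders = { "Content-Type": "application/json" };
  const ctx = (body as TokenIssuanceCallout | null | undefined)?.data?.authenticationContext;
  const correlationId = ctx?.correlationId;
  const userId = ctx?.user?.id;

  // Fail closed on anything that is not a well-formed callout, and do not echo the
  // unvalidated input back into the token or the error body.
  if (!isGuid(correlationId) || !isGuid(userId)) {
    return {
      status: 400,
      headers: jsonHeaders,
      body: { error: "malformed onTokenIssuanceStart callout" },
    };
  }

  // Unknown users get no roles rather than a default role (least privilege).
  const roles = ROLE_DIRECTORY[userId] ?? [];

  return {
    status: 200,
    headers: jsonHeaders,
    body: {
      data: {
        "@odata.type": "microsoft.graph.onTokenIssuanceStartResponseData",
        actions: [
          {
            "@odata.type": PROVIDE_CLAIMS_ACTION,
            claims: { correlationId, customRoles: roles },
          },
        ],
      },
    },
  };
}

// Thin Azure Functions v3 wrapper. Types are narrowed to what is used so the file runs
// without @azure/functions; in the real project import AzureFunction, Context and
// HttpRequest as the posted code does. Authenticating the caller (for example with the
// function app's built-in Entra authentication) belongs in front of this handler.
const httpTrigger = async (
  context: { res?: HandlerResult; log: (msg: string) => void },
  req: { body?: unknown }
): Promise<void> => {
  const res = buildClaimsResponse(req.body);
  context.log(`onTokenIssuanceStart handled with status ${res.status}`);
  context.res = res;
};
```

Because the claims come from `ROLE_DIRECTORY` rather than the callout, a tampered or malformed body can at most produce a 400 or an empty role list, never extra roles; the wrapper does what the answer's handler does (set the body and the JSON content type) with the validation in front of it.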