Adding custom claims to access token issued by Azure ad
im building an web application with next.js i configured its authentication with auth.js with azure ad provider. now im getting accesstoken from there, and i want to pretect with that token my backend asp.net web api, but to do this i need to have custom claims in that token, about department, jobtitle, companyName from azure active directory. So from here is a deep forest of azure portal where i cant understand how to configure my azure ad app with that custom claims.
Some tutorials i used was near the thing what i need but i faced some error in next js:
error_description: 'AADSTS50146: This application is required to be configured with an application-specific signing key
what i just did to the app i went to enterprise application > Single sign-on > Attributes & Claims > Edit > (added user.companyname, user.department, user.jobtitle)
after that my program stopped with that error.
now im looking for solution to make it work and to have those attributes encoded in that jwt access-token
i also did i app registration in Manage: Manifest
"acceptMappedClaims": true,
but that step of application-specifi signing key i dont understand a thing what is it used for how to create it or add this to make it work. any suggestions? or any guides that explain things in human readable language
Initially, I too got same error when I ran the application without setting "acceptMappedClaims": true, property in Manifest:
The error still occurs if you changed the setting in Next JS web application but missed changing in Web API app registration.
To resolve the error, make sure to change below properties in Manifest tab of both app registrations like this:
{
"acceptMappedClaims": true,
"accessTokenAcceptedVersion": 2,
}
NextJSApp:
Web API:
As you are generating token with Exposed API scope, make sure to add claims in Web API application like this:
Go to Microsoft Entra ID -> Enterprise Applications -> Select Web API app -> Single sign-on -> Attributes & Claims -> Edit -> Add Claims
In NextJSApp application, make sure to add Web API permission and grant admin consent to it:
Now, I ran the web application again and got tokens in the console like this:
When I decoded this access token in jwt.ms website, I got the custom claims named companyName, jobtitle and department successfully like this:
- Is there a query to run so I can get a list of users who has NOT logged in, in the past 30 days?
- Azure Storage accounts container public access level has dissabled
- How to get "exp" from jwt token and compare with it current time to check if token is expired
- How to refresh client assertion in ConfidentialClientApplication?
- Enforce MFA for specific API called from SPFx via AADTokenProvider (Even with SPO MFA)
- How to extract TLS 1.X of all app services/web app running Azure
- Why Can't I See Roles Assigned to an App Registration in Azure?
- Connect C# ASP.NET Core web app to Microsoft Graph calendar
- Is there a way to find out all users of a particular group in AzureAD?
- MSAL Redirect on Failure AADSTS50105
- Microsoft Power BI REST API PowerBINotAuthorizedException
- AzureAD SAML SSO through AWS Cognito - doesn't match requested authentication method
- How to get username after logged in?.I am trying with MSAL (@azure/msal-angular) for Azure Signin
- Display all the user's files using Microsoft Graph API not working
- Get Access Token from Microsoft Graph for ClientId with delegated permissions
- How to call Microsoft Graph API from ASP.NET Core Web API that is called by SPA
- add-kdsrootkey error the request is not supported
- AADSTS50011: The redirect URI http does not match the redirect URIs
- Access Token Issuer from Azure AD is sts.windows.net Instead Of login.microsoftonline.com
- Getting user data through an Azure AD OAuth login - React Native Expo App
- HTTP request to update Service Principal Entra
- on-behalf-of flow, getting error AADSTS50013 while acquiring obo token
- Azure AD B2C Password Reset
- ASP.NET Core 5 WebAPI - Azure AD - Call Graph API Using Azure Ad Access Token
- Programmatically Assign Exchange Roles to a Group in Azure AD using Microsoft Graph API
- "AADSTS900144: The request body must contain the following parameter: 'grant_type'.?
- Signature validation of my Azure access-token, Private-key?
- Entra ID OIDC Failed Auth Attempt Logs
- REST API service when called from azure APIM returning empty response body with Status code 200
- How to register your Azure resource as an Application in Azure Active Directory?