I have set up an Entra External ID tenant and registered two applications, "frontend" and "backend". The frontend is an Angular application and the backend is an ASP.NET Core application.
So far I can authenticate the client and read the user's roles from the claims in my web api controller like this:
```csharp
using System.Security.Claims;

// Inside the web API controller action: read the role claims from the bearer token.
var user = HttpContext.User.Identity as ClaimsIdentity;
if (user == null)
{
    return Array.Empty<RolesEnum>();
}
var roles = user.Claims.Where(claim => claim.Type == ClaimTypes.Role);
```
I have created a custom attribute for my user and set it via Microsoft.Graph. When I include the custom attribute in the ID token of the frontend, the Angular application finds it in the ID token in the user object returned from the MSAL library.
I need this value on the server side but the Bearer Token does not include this value, even if I configure the custom attribute for the Token type "Access".
Do I understand correctly that the token configuration for my backend app is actually for the communication between the backend and other services?
Why is this custom attribute not in the Access Token (is that the bearer Token?) even if I configure it like that?
I created two Microsoft Entra ID applications, BackEnd and FrontEnd:
In BackEnd, I exposed an API and added a scope:
In FrontEnd, I granted API permissions like below:
And created a custom attribute and assigned it to the user via the Microsoft Graph API.
In FrontEnd, I added the custom attribute in the Token configuration blade:
And generated tokens via Postman using the parameters below:
Grant type: Authorization code
Callback URL: https://oauth.pstmn.io/v1/callback
Auth URL: https://login.microsoftonline.com/TenantId/oauth2/v2.0/authorize
Token URL : https://login.microsoftonline.com/TenantId/oauth2/v2.0/token
Client ID : FrontEndClientID
Client Secret : ClientSecret
Scope: api://BackEndClientID/access.app
And got the same issue as you: the custom claims are displayed in the ID token, not in the access token.
Note that to display custom claims in the access token, you need to generate the token for your application. Refer to MsDoc.
Hence, to resolve the issue, you need to create the extension by passing the BackEnd application ObjectID:
```http
POST https://graph.microsoft.com/v1.0/applications/BackEndappObjID/extensionProperties
Content-type: application/json

{
  "name": "PersonID",
  "dataType": "String",
  "targetObjects": [
    "User"
  ]
}
```
Assign the value to the user:
```http
PATCH https://graph.microsoft.com/v1.0/users/UPN
Content-type: application/json

{
  "extension_XXX_PersonID": "XXX"
}
```
And now in the BackEnd application, configure the optional claims:
I generated the tokens again, and now the claim is successfully in both the ID and access token:
Access Token:
ID Token:
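The naming rule behind the `extension_XXX_PersonID` placeholder above and the audience check the API should make before trusting that claim, as an added example that is not part of the answer or the question. It assumes placeholder app IDs and constructs decoded token payloads inline; signature validation is assumed to have already been done by the JwtBearer middleware and is not repeated here.

```python
# Placeholder IDs for this example; substitute your own BackEnd / FrontEnd values.
BACKEND_CLIENT_ID = "11111111-2222-3333-4444-555555555555"
BACKEND_OBJECT_ID = "<BackEnd application object id>"
FRONTEND_CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"


def extension_claim_name(app_client_id: str, attribute: str) -> str:
    """Entra names a directory extension 'extension_<appId without hyphens>_<name>',
    using the app (client) ID of the application that owns the extension."""
    return f"extension_{app_client_id.replace('-', '')}_{attribute}"


def graph_requests(app_object_id: str, app_client_id: str, upn: str, attribute: str, value: str):
    """Build the two Graph calls from the answer as (method, url, body) tuples:
    create the extension on the BackEnd app, then set the value on the user."""
    create = ("POST",
              f"https://graph.microsoft.com/v1.0/applications/{app_object_id}/extensionProperties",
              {"name": attribute, "dataType": "String", "targetObjects": ["User"]})
    assign = ("PATCH",
              f"https://graph.microsoft.com/v1.0/users/{upn}",
              {extension_claim_name(app_client_id, attribute): value})
    return create, assign


def read_extension_claim(claims: dict, api_client_id: str, attribute: str):
    """API-side read of the extension claim from a decoded token payload.
    Only tokens issued for this API (aud = BackEnd client ID, or api://<id> for v1.0
    tokens) carry the BackEnd app's extension claims, so any other audience yields None."""
    aud = claims.get("aud")
    if aud not in (api_client_id, f"api://{api_client_id}"):
        return None
    return claims.get(extension_claim_name(api_client_id, attribute))


# Constructed sample payloads mimicking decoded tokens (not real tokens).
# The ID token carries the FrontEnd-owned extension; the access token carries the BackEnd one.
ID_TOKEN = {"aud": FRONTEND_CLIENT_ID, "sub": "user1",
            extension_claim_name(FRONTEND_CLIENT_ID, "PersonID"): "P-42"}
ACCESS_TOKEN = {"aud": BACKEND_CLIENT_ID, "scp": "access.app",
                extension_claim_name(BACKEND_CLIENT_ID, "PersonID"): "P-42"}

if __name__ == "__main__":
    print(read_extension_claim(ID_TOKEN, BACKEND_CLIENT_ID, "PersonID"))      # None
    print(read_extension_claim(ACCESS_TOKEN, BACKEND_CLIENT_ID, "PersonID"))  # P-42
```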