Entra External ID custom claim in client id token not in ASP.NET Core Web API User's ClaimsPrincipal
I have setup a Entra External ID Tenant and registered two applications "frontend" and "backend". The frontend is an Angular application and the backend is an ASP.NET Core application.
So far I can authenticate the client and read the user's roles from the claims in my web api controller like this:
var user = (HttpContext.User.Identity as ClaimsIdentity);
if(user == null){
return Array.Empty<RolesEnum>();
}
var roles = user.Claims.Where(claim => claim.Type == ClaimTypes.Role)
I have created a custom attribute for my user and did set it via Microsoft.Graph. When I include the custom attribute in the ID Token of the frontend, the Angular application will find the ID token in the the user object returned from the MSAL Library.
I need this value on the server side but the Bearer Token does not include this value, even if I configure the custom attribute for the Token type "Access".
Do I understand correctly, that Token configuration for my backend app is actually for the comunication between backend and other services?
Why is this custom attribute not in the Access Token (is that the bearer Token?) even if I configure it like that?
I created two Microsoft Entra ID applications and BackEnd and FrontEnd:
In BackEnd I exposed and API and added scope:
In FrontEnd, I granted API permissions like below:
And created a custom attribute and assigned to the user via Microsoft Graph API.
In FrontEnd, added the custom attribute in Token configuration blade:
And generated tokens via Postman by using below parameters:
Grant type: Authorization code
Callback URL: https://oauth.pstmn.io/v1/callback
Auth URL: https://login.microsoftonline.com/TenantId/oauth2/v2.0/authorize
Token URL : https://login.microsoftonline.com/TenantId/oauth2/v2.0/token
Client ID : FrontEndClientID
Client Secret : ClientSecret
Scope: api://BackEndClientID/access.app
And got the same issue as you, custom claims displayed in ID token not in Access token.
Note that: To display custom claims in access token you need to generate the token for your application. Refer MsDoc
Hence to resolve the issue, you need to create extension by passing the BackEnd application ObjectID:
POST https://graph.microsoft.com/v1.0/applications/BackEndappObjID/extensionProperties
Content-type: application/json
{
"name": "PersonID",
"dataType": "String",
"targetObjects": [
"User"
]
}
Assign the value to the user:
PATCH https://graph.microsoft.com/v1.0/users/UPN
Content-type: application/json
{
"extension_XXX_PersonID": "XXX"
}
And now in the BackEnd application, configure option claims:
I generated the tokens again, and now successfully both in ID and access token:
Access Token:
ID Token:
- Scope is not being added to Access Token returned from Azure Ad
- az cli : create container app via yaml fail due to parsing to json
- Display agents API ADO with SystemCapabilities filter
- Azure devops variables are not updating
- Azure DevOps Pipeline Throwing Error with Terraform While Deploying to Azure
- Azure AppService and SQL Server in Docker compose can't connect
- The required field 'nonce' is missing from the credential. Ensure that you have all the necessary parameters for the login request. [Azure Open ID]
- MongoDB - conditional uniqueness constraints on different "id" fields
- Retry delay on Function with Azure ServiceBus queue trigger
- Azure Static Web App: Add an header for each JS file
- How to configure Application Insights for sending telemetry from .net 4.8 application
- IServiceCollection does not contain a definition for AddAzureClients
- How to authenticate with Azure ACR from Azure container app service
- Azure Cli how to change subscription default
- Problem RDP to Azure Virtual Desktop through Azure Firewall
- az role assignment delete: The request did not have a subscription or a valid tenant level resource provider
- Azure PIM Role Settings for Owner role
- Graphclient ArgumentException: Only HTTP/1.0 and HTTP/1.1 version requests are currently supported. Parameter name: value
- Azure Static Web App ignoring config json sometimes
- How do I avoid "Couldn't find a metric" when creating a metric alert in Bicep
- Using Az.Websites module to set up user assigned managed identity to pull image from ACR
- resource not found with Azure OpenAI service
- Why I'm getting 404 Resource Not Found to my newly Azure OpenAI deployment?
- Azure Service Bus Topic - Using REST API to Send Message - Message going into Dead Letter Queue
- Azure Function App - No continuous deployment setting for "Flex Consumption" hosting plan?
- Azure Service Bus - REST API - Sending a message to a Session Enabled Topic/Subscription
- How are you supposed to install a Python library using azure webapp as template?
- Could not load file or assembly "System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
- Search-AzQuery querying authorizationresources returns 0 records
- Azure APIM: Identifying the API resource id from the portal