Search code examples
c#azureazure-active-directorypostmanidentity-management

Azure AD client credentials generated token does not have claims (EDITED)

I have an app registration in which test.user is my scope. In API permissions, I have delegated permissions for test.user scope.

In Postman, I tried like this:

Grant_type   : client_credentials
Clienid      : my appid
scope        : api:\\.....id\.default
Client_secret: secret

I'm able to get an access token. But if I pass this token as authorization bearer, my app is always treating as user authenticated as false with no claims. Please help why no claims.

Also if I don't add .default and simply add scope value as api//myid/test.user it's throwing error as you have to use .default. Why?

Hi, Thankyou for your answer. I need to wait for admin to turn on application permission for the role as I do not have access.

Meanwhile, I want to explain the actual problem.

I have my application backend (api). I have created appregistration with clientid, clientsecret, scope etc., NOW from my UI (angular) was able to authenticate api (Swagger) by passing my microsoft login and user is authenticated its fine. My api swagger is below. swagger looks like below

However, I have few other clients who want to call my api endpoints. So for that, it should not be interactive login. as there is some kind of job they run and it has to get api response automatically without prompting for user logins etc., So I thought, i can use client credentials for this. Please let me know is client credentials grant is really needed or do i need to go with some other granttype. If so please explain.

EDIT2: httpcontext claims are as below. Claims

Thankyou.

portal

Solution

  • Note that: Client credential flow uses its client ID and client secret to the authorization server and performs authentication.

    • Client credential flow is nonuser interactive flow.
    • It supports only application type API permissions.
    • Delegated API permissions are supported for user interactive flow.

    In your scenario, test.user scope is a delegated type of API permission hence the access token will not contain the scp claim with value as test.user .

    • While making use of client credential flow, you must use of suffix /.default and its by default and cannot pass the scope name directly.
    • And user authenticated as false as client credential flow is not a user interactive flow.

    Hence, you have to Expose an API and create App roles while use client credential flow:

    enter image description here

    Now the app role will be an application type API permission:

    enter image description here

    Generated the token:

    GET https://login.microsoftonline.com/TenantID/oauth2/v2.0/token

Grant_type   : client_credentials
Clienid      : ClientID
scope        : api://ClientID/.default
Client_secret: ClientSecret

    enter image description here

    When decoded, the roles claim is present in the access token:

    enter image description here

    • You cannot configure custom claims or dynamic custom claims while making use of client credential flow. Only displayname, objectid and tags can only be used. Refer this SO Thread by me.
    • If you want to use delegated API permissions, then switch to any user interactive flow and user interactive flow supports all types of custom claims.
    • Refer this SO Thread by me for user interactive flow and custom claims.