I have an old ASP.NET MVC app that uses ASP.NET Membership to log users in and issue a sign-in cookie. My application needs to call an API protected by Entra ID (the users themselves don’t have Entra ID accounts, nor access to the API). The app server can acquire a token for the API using the client credentials flow (service principal or Azure managed identity).
Is there a way to add an “actor” claim (or any arbitrary-name claim) to the access token that’s issued for the app server, which would contain the username of my membership user?
It seems I can’t use the on-behalf-of flow since my users aren’t registered in Entra ID and don’t have access to the API themselves, so I’m stuck with the client credentials flow.
There is a “claims” parameter in TokenRequestContext, but that doesn’t seem to have any effect: claims passed to the Entra ID token endpoint seem to just be ignored. I wonder why that parameter is even there.
using System.Collections.Generic;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Newtonsoft.Json;

static async Task<string> GetApiTokenAsync(string scope)
{
    // Client credentials flow using the app server's managed identity.
    var azureCredential = new ManagedIdentityCredential();
    var claimsDict = new Dictionary<string, string>
    {
        { "actor", "[email protected]" }
    };
    var claimsJson = JsonConvert.SerializeObject(claimsDict);
    // "claims" is the OIDC claims-request parameter (used for claims challenges such as Conditional Access); Entra ID does not add unknown claims from it to the token.
    var context = new TokenRequestContext(scopes: new[] { scope }, claims: claimsJson);
    var accessToken = await azureCredential.GetTokenAsync(context);
    return accessToken.Token; // Doesn't have "actor" claim.
}
My last-resort solution is to pass “actor” as a custom HTTP header, add a custom role to the service principal (something like “can_specify_actor”) and have the API take the actor from the header if the user has this role. This is far from ideal; it would be much better if the claim were in the JWT.
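As an added example (not code from the question above), here is how the API side of the header-based fallback described in the post could be written as an ASP.NET Core minimal API. The role name "can_specify_actor", the header name "X-Actor", the "AzureAd" configuration section and the /orders route are assumptions for illustration. It assumes Microsoft.Identity.Web validates the bearer token and maps Entra app roles to the roles claim, so `IsInRole` sees them. The key security point is that the header is only honoured when the caller's validated token carries the app role; for every other caller it is ignored.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;

// Hypothetical names: the app role granted to the service principal and the header it sends.
const string ActorRole = "can_specify_actor";
const string ActorHeader = "X-Actor";

var builder = WebApplication.CreateBuilder(args);

// Validate Entra ID bearer tokens (tenant, client id and audience come from the "AzureAd" section).
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration, "AzureAd");

builder.Services.AddAuthorization(options =>
{
    // Only callers whose token carries the app role may assert an actor at all.
    options.AddPolicy("CanSpecifyActor", policy => policy.RequireRole(ActorRole));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

app.MapGet("/orders", (HttpContext ctx) =>
{
    var actor = ResolveActor(ctx.User, ctx.Request.Headers);
    return actor is null
        ? Results.BadRequest($"Missing or empty {ActorHeader} header")
        : Results.Ok(new { actor });
}).RequireAuthorization("CanSpecifyActor");

app.Run();

// Returns the acting membership username only when the validated token has the app role; null otherwise.
// The header is unsigned metadata, so it must never be trusted without this role check.
string? ResolveActor(ClaimsPrincipal caller, IHeaderDictionary headers)
{
    if (!caller.IsInRole(ActorRole)) return null;
    var actor = headers[ActorHeader].ToString().Trim();
    return actor.Length == 0 ? null : actor;
}
```

The MVC app would send the client-credentials token as the Bearer token together with the X-Actor header. Since the actor value is not part of the signed token, the API should log both the service principal (from the token's appid/azp claim) and the asserted actor on every request, so that an audit trail still ties each action to the calling service and the user it claims to act for.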