I have registered a Web API and a Client Application. The authentication works.
Now, if possible, I would like to achieve the following.
I want to register several Client Applications, each setting a different value for a custom “MyClaim” claim.
In the Web API code, I want to be able to read the “MyClaim” value from Access Token.
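For the Web API side of the question (reading "MyClaim" out of the access token), here is an added ASP.NET Core minimal-API example; it is not code from the question or the answer. It assumes Microsoft.Identity.Web with an "AzureAd" configuration section describing the Web API registration, and that the custom claims provider emits the claim under the name "MyClaim". The "/whoami" route and the response shape are illustrative choices.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Identity.Web;
using System.Security.Claims;

var builder = WebApplication.CreateBuilder(args);

// Validate the bearer token (signature, issuer, audience, lifetime) before any
// claim in it is trusted. Configuration comes from the "AzureAd" section
// (TenantId, ClientId of this Web API, etc.) - assumed to be present.
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Returns the custom claim together with the calling client's app ID so that
// the Web API can confirm the MyClaim value matches the caller it expects.
app.MapGet("/whoami", [Authorize] (ClaimsPrincipal user) =>
{
    // Custom claims from the claims provider keep the name they were issued with.
    string? myClaim = user.FindFirst("MyClaim")?.Value;

    // v2.0 access tokens (requestedAccessTokenVersion = 2) carry the calling
    // application's ID in "azp"; v1.0 tokens use "appid".
    string? callerAppId = user.FindFirst("azp")?.Value ?? user.FindFirst("appid")?.Value;

    if (myClaim is null)
    {
        // The claims provider did not add the claim for this caller.
        return Results.Forbid();
    }
    return Results.Ok(new { MyClaim = myClaim, CallerAppId = callerAppId });
});

app.Run();
```

Because the claim is only as trustworthy as the token it rides in, the example relies on the JWT bearer middleware to reject tokens that were not issued for this Web API's audience; it never parses the token by hand.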
To achieve your scenario, you can create token issuance start event in Azure Functions like below:
Create a function app, create an HTTPS trigger function and paste the below code for configuring claims:
#r "Newtonsoft.Json"
using System.IO;
using System.Net;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Primitives;
using Newtonsoft.Json;

public static async Task<IActionResult> Run(HttpRequest req, ILogger log)
{
    log.LogInformation("C# HTTP trigger function processed a request.");
    string requestBody = await new StreamReader(req.Body).ReadToEndAsync();
    dynamic data = JsonConvert.DeserializeObject(requestBody);

    // Read the correlation ID from the Microsoft Entra request
    string correlationId = data?.data.authenticationContext.correlationId;

    // Claims to return to Microsoft Entra
    ResponseContent r = new ResponseContent();
    r.data.actions[0].claims.CorrelationId = correlationId;
    r.data.actions[0].claims.MyClaim = "App1";
    r.data.actions[0].claims.DateOfBirth = "01/01/2000";
    r.data.actions[0].claims.CustomRoles.Add("Writer");
    r.data.actions[0].claims.CustomRoles.Add("Editor");
    return new OkObjectResult(r);
}

// Top-level response envelope expected by the onTokenIssuanceStart event
public class ResponseContent
{
    [JsonProperty("data")]
    public Data data { get; set; }

    public ResponseContent()
    {
        data = new Data();
    }
}

public class Data
{
    [JsonProperty("@odata.type")]
    public string odatatype { get; set; }
    public List<Action> actions { get; set; }

    public Data()
    {
        odatatype = "microsoft.graph.onTokenIssuanceStartResponseData";
        actions = new List<Action>();
        actions.Add(new Action());
    }
}

// One "provideClaimsForToken" action carrying the claims to add to the token
public class Action
{
    [JsonProperty("@odata.type")]
    public string odatatype { get; set; }
    public Claims claims { get; set; }

    public Action()
    {
        odatatype = "microsoft.graph.tokenIssuanceStart.provideClaimsForToken";
        claims = new Claims();
    }
}

// Property names here become the claim names in the issued token
public class Claims
{
    [JsonProperty(NullValueHandling = NullValueHandling.Ignore)]
    public string CorrelationId { get; set; }
    [JsonProperty(NullValueHandling = NullValueHandling.Ignore)]
    public string DateOfBirth { get; set; }
    public string MyClaim { get; set; }
    public List<string> CustomRoles { get; set; }

    public Claims()
    {
        CustomRoles = new List<string>();
    }
}
Then click Get Function URL and copy the default (Function key) URL.
Create a custom extension: go to Enterprise applications -> Custom authentication extensions -> Create a custom extension.
In ClientApp1, I granted API permissions like below:
In the Manifest, update the values below:
"acceptMappedClaims": true,
"requestedAccessTokenVersion": 2
Go to the Enterprise application -> select ClientApp1 -> Single sign-on -> Advanced settings -> Custom claims provider -> Configure -> select the custom claims provider and SAVE:
And add a new claim:
As a sample, I generated the access token:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/authorize?client_id=ClientID&response_type=token&redirect_uri=https://jwt.ms&scope=api://xxxx/app.read&state=12345&nonce=12345
Claims are displayed successfully:
"If possible, I would like to achieve the following. I want to register several Client Applications, each setting a different value for a custom “MyClaim” claim."
Yes, you can create Claims like below:
r.data.actions[0].claims.MyClaim1 = "App1";
r.data.actions[0].claims.MyClaim2 = "App2";
r.data.actions[0].claims.MyClaim3 = "App3";
And assign the claims to the Enterprise application of each client app respectively to get them in the token.
Reference:
Create a REST API for a token issuance event in Azure Functions – Microsoft identity platform | Microsoft
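A variant of the same token issuance start function that returns a different "MyClaim" value per calling client application, added here as an example; it is not the answer's code or Microsoft's sample. It assumes the event payload identifies the calling app under data.authenticationContext.clientServicePrincipal.appId (as documented for the onTokenIssuanceStart event), and the dictionary of app IDs to claim values is a constructed placeholder to be replaced with your own client application IDs.

```csharp
#r "Newtonsoft.Json"
using System;
using System.IO;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Logging;
using Newtonsoft.Json.Linq;

// Constructed mapping: client application (appId) -> MyClaim value.
// The GUIDs are placeholders; put your registered client app IDs here.
static readonly Dictionary<string, string> MyClaimByClientAppId =
    new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
{
    ["00000000-0000-0000-0000-000000000001"] = "App1",
    ["00000000-0000-0000-0000-000000000002"] = "App2",
};

public static async Task<IActionResult> Run(HttpRequest req, ILogger log)
{
    string body = await new StreamReader(req.Body).ReadToEndAsync();
    JObject request = JObject.Parse(body);

    string correlationId = (string)request.SelectToken("data.authenticationContext.correlationId");
    // Assumed payload path for the calling application's ID.
    string clientAppId = (string)request.SelectToken("data.authenticationContext.clientServicePrincipal.appId");

    if (clientAppId == null || !MyClaimByClientAppId.TryGetValue(clientAppId, out string myClaim))
    {
        // Unknown caller: add no MyClaim at all rather than a default value,
        // so a Web API checking the claim can reject the request.
        log.LogWarning("No MyClaim mapping for client app {AppId}", clientAppId);
        return new OkObjectResult(BuildResponse(correlationId, null));
    }

    log.LogInformation("Issuing MyClaim={MyClaim} for client app {AppId}", myClaim, clientAppId);
    return new OkObjectResult(BuildResponse(correlationId, myClaim));
}

// Builds the onTokenIssuanceStartResponseData envelope with a single
// provideClaimsForToken action; MyClaim is omitted when null.
static JObject BuildResponse(string correlationId, string myClaim)
{
    var claims = new JObject { ["CorrelationId"] = correlationId };
    if (myClaim != null)
    {
        claims["MyClaim"] = myClaim;
    }

    return new JObject
    {
        ["data"] = new JObject
        {
            ["@odata.type"] = "microsoft.graph.onTokenIssuanceStartResponseData",
            ["actions"] = new JArray
            {
                new JObject
                {
                    ["@odata.type"] = "microsoft.graph.tokenIssuanceStart.provideClaimsForToken",
                    ["claims"] = claims
                }
            }
        }
    };
}
```

With this approach one custom extension and one claims provider serve every client app, and the claim value is decided by the caller's app ID in the event payload instead of by which enterprise application the claim is mapped to. The function URL should still only be reachable by Microsoft Entra: keep the function key out of client-side code and enable the function app's built-in authentication for the custom extension, so that an arbitrary caller cannot obtain the claims response.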