添加Azure Ad Oauth2 JWT令牌声明

Question

I was just wondering if there is a way to add or specify custom claims to the Azure Ad OAuth2 JWT token via Azure Portal? Or is this only possible code side?

Answer 1

As far as I know, the Azure AD doesn't support to issue the custom claim at present.

As a workaround, we can use the Azure AD Graph to add the directory schema extensions . After that, we can use the Azure AD Graph to get the data extension and add the custom claim when the security token is verified like code below:

app.UseOpenIdConnectAuthentication(
    new OpenIdConnectAuthenticationOptions
    {
        ClientId = clientId,
        Authority = authority,
        PostLogoutRedirectUri = postLogoutRedirectUri,
        Notifications = new OpenIdConnectAuthenticationNotifications
        {
            AuthenticationFailed = context => 
            {
                context.HandleResponse();
                context.Response.Redirect("/Error?message=" + context.Exception.Message);
                return Task.FromResult(0);
            }
            ,
            SecurityTokenValidated = context =>
            {
                //you can use the Azure AD Graph to read the custom data extension here and add it to the claims 
                context.AuthenticationTicket.Identity.AddClaim(new System.Security.Claims.Claim("AddByMe", "test"));
                return Task.FromResult(0);
            }
    });

In addition if you have any idea or feedback about Azure, you can submit them from here .

Answer 2

I believe that you could get an example on how to set additional claims (Role claims for instance) by reading the How to run the sample as a single-tenant app part of the Authorization in a web app using Azure AD application roles & role claims Azure-AD sample. This requires editing the Azure-AD application manifest to add application roles. Then assign different roles to different users in the directory