在调用自定义声明 REST API 时包括 Azure AD B2C aud 声明

Question

TL;DR: {OIDC:ClientId} is always the calling Application. I also need to know the "audience" application. Is there a claim resolver for this?

In more detail:

Here's the problem:

1. Application A and Application B are both registered in the same Azure AD B2C tenant.
2. A separate REST API (we'll call it "claims API") feeds custom claims into Azure AD B2C tokens. These claims must vary dependent on the application that consumes the token.
3. I use the {OIDC:ClientId} claims resolver to send the clientId of the requesting application to the claims API, like in this answer .
4. When Application A requests an access token for Application B, the Claims API receives the client ID for application A. However, I need to load claims for Application B, since that's the application that will actually consume the token. So the question is, how can I get the clientID for the target application as well as the requesting application?

I have considered using the {OIDC:scopes} claim resolver to solve this issue. That might work, but it seems a little like a hack. Are there any better options?

Answer 1

Per this document , it appears that {OIDC:scopes} is the only available option for this. And with some further thought, that makes sense, since some scopes might be requested that are outside the current tenant (Microsoft Graph API, for instance). In that case, it would not be possible to supply a clientId for the target application.

{OIDC:scopes} is a single string with all of the requested scopes separated by spaces. To detect when an access token is being generated for a different application than the current one, a simple string search on the scopes field is sufficient. If the App ID URI of an application is present in the scopes string, an access token is being requested for that application.