将自定义声明从 Angular 应用程序传递到 dotnet core web api

Question

I have a working Angular 9 app which calls a Dotnet core 3.1 web api backend to return data. I secure it using the @angular/msal MSAL library which authenticate the AzureAD user on the angular app then sends the AzureADBearer token to the API to access the endpoints. On angular app, we have an employeeID which we get using Microsoft Graph. We wanted to pass this in to the web api in order to use it in some of the controllers. I am able to get the claims of the authenticate user from the api by accessing the HttpContextAccessor, i see username, email, sid... etc. my question is, is there anyway to pass in that employeeID so that I can get it in the claims? I'm not sure if that's even possible. AzureAD allows optional additional claims to be added in their configuration but employeeID was not on the list. I have 2 workarounds that are not ideal and I would prefer not to do if possible.

1. passing the employeeID in the controller to the endpoints then accessing it. this adds a lot of extract parts to our routes.
2. use a mapping table in our database that maps username to an email id so that we can use the claims to get the username then lookup the employeeID. problem is sometimes a user changes their username that and we would have to maintain this mapping table somehow. the sid also can change because a user can go on vacation, their access to Azure is deleted. once that user comes back, a new account is created with new sid. The employeeID is the only identifier that won't change.

Answer 1

you can use the claims mapping feature, as per here https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-claims-mapping

this can allow you to emit claims that aren't in the default claims or optional claims.