在使用 Azure AD 客户端凭据流生成的访问令牌中的 UPN 声明中添加自定义值

Question

We are using IdentityServer4 with Client Credential Grant Type but for one of consumer we tweaked Client Credential flow and introduced Delegation Grant Type and that's where we inject UPN claim in AccessToken as there will not be UPN claim in Access Token generated using Client Credential flow. Purpose of doing this is our upstrem apps authorize our API calls based on User.

Does Azure AD has any functionality where I can provide custom value of UPN claim for App and when that particular App is being used to generate access token using Client Credential flow, UPN claim with custom value will be available in Access Token?

Answer 1

I tried to reproduce the same in my environment using Client Credential:

In order to get UPN claim in access token, you need to add optional claim like below:

Go to Azure Portal -> Azure Active Directory -> App Registrations -> Your App -> Token Configuration -> Add optional claims.

When I decoded the access token generated with client credentials grant type, UPN claim is not included.

Please note that, if you need UPN claim in the token, then you have to make use of Authorization code flow , ROPC flow , Implicit flow authentication flows to acquire token. Check this .

I generated access token via Authorization code flow like below:

When decoded the token, got UPN claim successfully: