I've set up a Registered App for OIDC and configured it for various usages on Azure AD.
The application I integrate with uses preferred_username in the ID Token for various things. Azure AD assigns username#company.com, a.k.a. UPN to this field. I'd like it to assign username which could be the good old SamAccountName or UPN transformed in some way.
Is there any way to do this?
This seems to be possible for SAML (NameId is kind of equivalent to preferred_hostname on OIDC the way I see it) but I couldn't find anything relevant for OIDC. https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-saml-claims-customization#editing-nameid
I've tried changing the manifest file in the app with some educated guesses but did not manage to accomplish this. I could not find anything related in the manifest documentation.
The ID token is the core extension that OpenID Connect makes to OAuth 2.0. ID tokens are issued by the authorization server and contain claims that carry information about the user.
OpenID Connect (OIDC) is an authentication protocol built on OAuth 2.0 that you can use to securely sign in a user to an application
This is the list of claims for the ID token that you can configure before generating a token:
Azure AD -> App registration -> Token Configuration -> Add an optional claim.
There you can see the list of claims, including UPN as well.
The claim for sAMAccountName is only available under the group claim.
Related
We have a B2C setup using custom policies that authenticates against Apple Id as an external identity provider. This all works, and we are able to get the email claim. However, the first name/last name fields from Apple are not made available in the JWT token and therefore are not in B2C as claims.
They are, however, presented to B2C as a posted form parm called 'user' during the first-time authentication. This is obviously a non-standard way of using the OpenId Connect protocol.
Does B2C have a way of extracting form posted fields (or is it on the roadmap)? I see it is possible to get query string parms via a claims provider when using the OAuth protocol, but I don't see the same for OpenId and posted form parms.
The OpenID Connect technical profile maps claims from the ID token which means that additional authorization response parameters can't be referenced.
I got the workaround to work to add claims to the token using a custom REST API, however I realized this is the Id token and not the Access token. I need the custom claims to be the Access token to use for authorization in the service.
I haven't inspected the Access token yet but are these claims also inserted into the Access token?
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-custom-rest-api-netfw
Yes, custom claims come back when requesting access tokens. The only difference in the list of claims is the scp claim. The scp claim is only returned on access tokens.
Unfortunately, the Claims in ID and access tokens documentation doesn't discuss this.
You can quickly verify this via the Run Now feature in the Azure Portal. See this SO answer.
Sample access token w/ a custom claim
I am using custom claims in my Azure Active Directory B2C tenant where I registered two applications (UI and API). The UI passes the access_token to the API and I am able to retrieve the custom claims there. I guess this should be also true for custom claims using a custom REST API.
If not, it must be possible to set up:
... The return claims can be stored in the user's Azure AD account, evaluated in the next Orchestration Steps, or included in the access token
If your question is "Can I get the user's access token from the federating IdP such as Azure AD, facebook etc"? The answer currently is no. You can vote for this feature here.
https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/15334347-return-social-idp-s-native-access-tokens-back-to-t
I'm currently trying to authorize my API depending on the user group. After enabling the group claim in Azure Active Directory I have realized that the groups claim is not included in the access_token but in the id_token.
I'm trying to avoid making requests to the Graph API and I've seen something about Azure Active Directory claims mapping (https://learn.microsoft.com/en-us/azure/active-directory/active-directory-claims-mapping)
But due to the lack of information and examples I'm not sure of how to deal with this.
Any suggestions on how to get the extra claims into the access token?
You can get group ids in access tokens too.
But the API app manifest must have:
{
"groupMembershipClaims": "SecurityGroup"
}
Note that this must be in the APIs manifest, not the client app's manifest.
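Added example (not from the original answer, and not Microsoft code): once the API's manifest emits group ids, the API still has to read them defensively. The script below builds two constructed, unsigned JWT-shaped access tokens and one id token, tells the two apart by the scp claim (which the answer to the earlier question says only appears on access tokens), and makes a group-based decision. It also handles the group overage case, where Azure AD omits the groups list for users in many groups and instead emits _claim_names/_claim_sources (or hasgroups in implicit flows), which the caller must resolve through Microsoft Graph. The group object id and audience values are placeholders; a real API must validate the token signature against the tenant's JWKS before trusting any of these claims.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(payload: dict) -> str:
    # Constructed sample only: header and payload with an empty signature segment.
    # Real tokens are RS256-signed and the signature must be checked before use.
    header = {"typ": "JWT", "alg": "RS256"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()), ""])


def decode_payload(token: str) -> dict:
    # Base64url segments drop padding; restore it before decoding.
    seg = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))


def token_kind(payload: dict) -> str:
    # scp (delegated scopes) is only emitted on access tokens, not id tokens.
    return "access_token" if "scp" in payload else "id_token"


def group_decision(payload: dict, required_group: str) -> str:
    """Return 'allow', 'deny' or 'overage'.

    'overage' means the groups list was not embedded (too many memberships);
    Azure AD points to Graph via _claim_names/_claim_sources, or sets hasgroups
    in implicit flows, and membership must be resolved server-side."""
    groups = payload.get("groups")
    if groups is not None:
        return "allow" if required_group in groups else "deny"
    if "groups" in payload.get("_claim_names", {}) or payload.get("hasgroups"):
        return "overage"
    # No groups claim at all: the API manifest lacks groupMembershipClaims.
    return "deny"


def authorize(token: str, required_group: str) -> str:
    payload = decode_payload(token)
    if token_kind(payload) != "access_token":
        return "deny"  # never authorize an API call with an id token
    return group_decision(payload, required_group)


# Constructed sample data (placeholder ids, not real tenant values).
ADMIN_GROUP = "00000000-0000-0000-0000-000000000001"
TOKEN_WITH_GROUPS = make_unsigned_token(
    {"aud": "api://placeholder-api", "scp": "access_as_user", "groups": [ADMIN_GROUP]})
TOKEN_OVERAGE = make_unsigned_token(
    {"aud": "api://placeholder-api", "scp": "access_as_user",
     "_claim_names": {"groups": "src1"},
     "_claim_sources": {"src1": {"endpoint": "https://graph.microsoft.com/<placeholder>"}}})
ID_TOKEN = make_unsigned_token(
    {"aud": "placeholder-client-id", "groups": [ADMIN_GROUP]})

if __name__ == "__main__":
    for name, tok in [("groups", TOKEN_WITH_GROUPS), ("overage", TOKEN_OVERAGE), ("id", ID_TOKEN)]:
        print(name, token_kind(decode_payload(tok)), authorize(tok, ADMIN_GROUP))
```

The three-way result matters in practice: treating "overage" as "deny" silently locks out your most privileged users (they tend to be in the most groups), while treating a missing groups claim as "allow" is an authorization bypass.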
In AAD, when you create an SSO application, you can create custom claims where you can customize the SAML response from AAD to the target application.
See this for more information.
I have a question about the tokens regarding Azure AD and multi-factor authentication (MFA).
So I have managed to look into what happens with tokens when they are sent for a user with and without MFA enabled.
What I observed is that in the payload of the token there is an extra claim in the: "amr": [] tag. By default there is a 'pwd' in that object, but with MFA there is also a claim called 'mfa'.
So now I know that somehow the token gets modified depending on the enabled options.
Is there some other claim or mechanism to obtain a specific ID for the device that the token was issued to? A device ID that potentially relates to its registration through "Workplace Join" in Azure AD or through the Microsoft Authenticator App?
Is there a separate token being sent related to the Application Pass that is continuously talked about in the forums and documentation?
--------------------------Update---------------------------------
Ok so reading the application password, it's basically used as another form of authenticating the multi-factor authentication. And I guess it gets stored both on Azure AD and also on the phone somewhere inside the Authentication app.
So another question, is it possible to access this password from code?
There is no such claim about the device information in the id_token issued by Azure AD. You can refer all the claims in id_token from links below:
Azure AD token reference
Azure Active Directory v2.0 tokens reference
is it possible to access this password from code?
As far as I know, there is no such API like Azure Graph REST we can retrieve the password. And if you any suggestion about MFA, you can submit them from link here.
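Added example (not from the original question or answer, and not Microsoft code): the question observed that the amr claim carries "pwd" alone for a password sign-in and gains "mfa" when multi-factor authentication was completed. An application that wants to gate sensitive actions on that observation should read amr defensively, since the claim may be absent or not a list, and must verify the token signature first (omitted here; the tokens are constructed, unsigned samples with placeholder values).

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(payload: dict) -> str:
    # Constructed sample: empty signature segment, for decoding practice only.
    header = {"typ": "JWT", "alg": "RS256"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()), ""])


def decode_payload(token: str) -> dict:
    seg = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))


def auth_methods(payload: dict) -> set:
    # amr is a JSON array of method strings; anything else is treated as "unknown".
    amr = payload.get("amr")
    return set(amr) if isinstance(amr, list) else set()


def mfa_satisfied(payload: dict) -> bool:
    return "mfa" in auth_methods(payload)


def gate_action(token: str, require_mfa: bool) -> str:
    """Return 'allow' or 'deny:<reason>' for an action that may require MFA."""
    payload = decode_payload(token)
    if not require_mfa:
        return "allow"
    if "amr" not in payload:
        return "deny:no-amr-claim"   # absent claim is never taken as MFA
    if not mfa_satisfied(payload):
        return "deny:mfa-not-performed"
    return "allow"


# Constructed sample tokens (placeholder audience; no real tenant data).
PWD_ONLY = make_unsigned_token({"aud": "placeholder-client-id", "amr": ["pwd"]})
PWD_MFA = make_unsigned_token({"aud": "placeholder-client-id", "amr": ["pwd", "mfa"]})
NO_AMR = make_unsigned_token({"aud": "placeholder-client-id"})

if __name__ == "__main__":
    for name, tok in [("pwd", PWD_ONLY), ("pwd+mfa", PWD_MFA), ("no amr", NO_AMR)]:
        print(name, sorted(auth_methods(decode_payload(tok))), gate_action(tok, True))
```

Note that the decision is made from the token's own claims; as the answer says, there is no device identifier claim to lean on here, so device-based conditions belong in Conditional Access policy rather than in application code.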
I have an application that authenticates users against Azure AD using OAuth and I want to provide the ability to set up certain information associated to each user by his admin in Azure AD, so I can read it as part of the authentication process. I would also like to be able to use the claims functionality provided by Azure Active Directory so the admin can define custom mappings between user attributes in his AD and what I am going to read, as explained here.
Apparently those claims can only be read from a SAML token that would be the result of a SAML authentication, but since I am already authenticating using OAuth I would like to avoid having to do that. My question therefore is: can those SAML tokens or the information contained in them be obtained somehow either as part of the OAuth authentication process or afterwards?
When you say "provided by ActiveDirectory" you mean Azure AD not on-premises AD?
There is no way currently to add claims to the token in Azure AD. They are "canned".
That link you refer to is for SaaS application in Azure.
The way to get information out of Azure AD is via the Graph API.