Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
754 views
in Technique[技术] by (71.8m points)

active directory - How to add a custom claim and retrieve the same as part of access_token, when the scope is not Graph API in Azure AD?

I have created a Azure AD web application. Now I am getting my access_token using following API,

POST https://login.microsoftonline.com/{Directory (tenant) ID }/oauth2/v2.0/token

password:pass 
client_id:id
resource:https://graph.microsoft.com 
grant_type:password 
client_secret:secret 
sername:userName 
scope: https://rbsessence.onmicrosoft.com/0a7c94a0-0c4e-4f95-ba06-XXXX/.default

The response looks like,

"token_type": "Bearer",
    "scope": "https://rbsessence.onmicrosoft.com/0a7c94a0-0c4e-4f95-ba06-XXXXX/myTestRole https://rbsessence.onmicrosoft.com/0a7c94a0-0c4e-4f95-ba06-XXXXXX/user_impersonation https://rbsessence.onmicrosoft.com/0a7c94a0-0c4e-4f95-ba06-XXXXX/.default",
    "expires_in": 3599,
    "ext_expires_in": 3599, "access_token": "acessToken"

Now I am passing the access_token to a third party application which is configured with the same Azure AD client. Now that third party is expecting a custom claim by the name "policy":"readwrite", to be passed as part of access_token. How can I achieve the same?

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

Please refer to the following steps (You can do the Microsoft Graph operation in Microsoft Graph Explorer for saving time.):

Create an extensionProperty (you could use a new created Azure AD application here):

Post https://graph.microsoft.com/v1.0/applications/{object id of the Azure AD application}/extensionProperties

{"name":"policy","dataType":"string","targetObjects":["User"]}

It will generate an extension property named extension_{client id of the Azure AD application}_policy.

Secondly, you can update the extension property for your account:

Patch https://graph.microsoft.com/v1.0/me

{"extension_6d8190fbf1fe4bc38a5a145520221989_policy":"readwrite"}

Then create a claimsMappingPolicy:

Post https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies

{"definition":["{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true", "ClaimsSchema": [{"Source":"user","ExtensionID":"extension_6d8190fbf1fe4bc38a5a145520221989_policy","JwtClaimType":"policy"}]}}"],"displayName":"ExtraClaimsAllen1Example","isOrganizationDefault":true}

Assign the claimsMappingPolicy to a servicePrincipal. Please Note that the servicePrincipal here is the enterprise application which represents your third party application. In your case it is 0a7c94a0-0c4e-4f95-ba06-XXXX.

Post https://graph.microsoft.com/v1.0/servicePrincipals/{obeject id of the servicePrincipal which represents your third party application}/claimsMappingPolicies/$ref

{"@odata.id":"https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/{policy id from the previous step}"}

You could find the servicePrincipal from Azure Portal -> Azure Active Directory -> App registrations -> find your third party Azure AD app -> Overview -> click on the name of its associated service principal.

enter image description here

enter image description here

Now go back to the manifest file of the third party Azure AD app. Set acceptMappedClaims to true and accessTokenAcceptedVersion to 2.

enter image description here

Then when we request an access token for the third party application with ROPC grant flow, we can get the custom claim.

enter image description here


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...