Add Custom Claim IClaimsTransformation to Azure ID Token and Share between two application

Question

Add Custom Claim IClaimsTransformation to Azure ID Token and Share between two application

TEJENDRA PRASAD PATEL 66

Hi Team,

I wanted some guidance on below scenario

I have an application URL as [https://example.com][1] that end user access it.

But internally, IIS has two separate .NET Core MVC application and will be accessed as below

I have registered application in Azure AD and provided reply URL as below

End user will access to https://example.com/mainlanding and mainlanding will create custom claims using IClaimsTransformation. - This is Working.

But, when user access subapp from menu of mainlanding application, i am not able to access custom claims which was created by mainlanding applicaiton.

Questions:

Is this possible to persist custom claim created by mainlanding and can be access by subapp ?
Do i need create custom claims in both application separately?
Or, i need to register application separately?

Please guide on this it would be helpful.

Thank you!
Tej

Answer 1

Alfredo Revilla (MSFT) 18,491 Microsoft Employee

Hello @TEJENDRA PRASAD PATEL and thanks for reaching out. You will find my answers below your questions:

Is this possible to persist custom claim created by mainlanding and can be access by subapp ?
As stated by @Bruce (SqlWork.com) , Azure ID token is usually serialized in the web app cookie and can be shared provided both web apps share the same Azure AD app registration, otherwise claim validation may fail. For more information take a look at Share authentication cookies among ASP.NET apps.
Do i need create custom claims in both application separately?
You can create a common lib that that handles such task and can be used by both web apps.
Or, i need to register application separately?
Since claims processing is done in the web apps, your best bet is to add the claims in each web app. Alterntivately you may add custom claims before token issuance. For more information take a look at Provide optional claims to your app and Customize claims emitted in tokens for a specific app in a tenant. In the latter scenario, many apps can share a single policy.

Let us know if you need additional assistance. If the answer was helpful, please accept it and complete the quality survey so that others can find a solution.

TEJENDRA PRASAD PATEL 66

@Alfredo Revilla (MSFT)

I am trying to add custom claims in each app from database using API.

When I hard wired claims using the following code, the application worked fine.

public class RoleClaimTransformer : IClaimsTransformation  
{  
public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)  
        {      
  
           }  
  
}

However, invoking var accessToken = await _tokenAcquisition.GetAccessTokenForUserAsync(scopes) to retrieve the role using the API results in the following error.

Microsoft.Identity.Web.TokenAcquisition: Information: [MsIdWeb] An error occured during token acquisition: No account or login hint was passed to the AcquireTokenSilent call.       
MSAL.NetCore.4.41.0.0.MsalUiRequiredException:   
	ErrorCode: user_null  
Microsoft.Identity.Client.MsalUiRequiredException: No account or login hint was passed to the AcquireTokenSilent call.

Alfredo Revilla (MSFT) 18,491 Reputation points Microsoft Employee

2022-11-24T18:33:54.297+00:00

Hello @TEJENDRA PRASAD PATEL , error "An error occured during token acquisition: No account or login hint was passed to the AcquireTokenSilent call" is caused by the lack of a signed in account object. Are you sharing a cookie between both webapps?

TEJENDRA PRASAD PATEL 66

@Alfredo Revilla (MSFT) ,

No, Its single WEB APP invoking WEB APP to populate roles from Database.

I am able to access token now with scope to authorize WEB API.. I am passing Overloading parameter "principal"

await _tokenAcquisition.GetAccessTokenForUserAsync(new[]
{ "api://APIClientID/API.read.write" }, "ee4e1499-4a35-4b2e-ad47-5f3cf9de8666", null, principal);

  try  
                {  
  
                    var APIAccessToken = await _tokenAcquisition.GetAccessTokenForUserAsync(new[]  
                    { "api://APIClientID/API.read.write" }, "ee4e1499-4a35-4b2e-ad47-5f3cf9de8666", null, principal);  
  
                    _httpClient.DefaultRequestHeaders.Add("Authorization", $"Bearer {APIAccessToken}");  
                    _httpClient.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));  
  
                    _logger.LogInformation($"ACCESS TOKEN - {commonAPIAccessToken}");  
                }  
                catch (Exception ex)  
                {  
                    _logger.LogError($"ACCESS TOKEN ERROR- {ex}");  
                }

Alfredo Revilla (MSFT) 18,491 Reputation points Microsoft Employee

2022-11-24T22:07:54.457+00:00

Hello @TEJENDRA PRASAD PATEL and thanks for sharing your solution. Passing the principal will provide the underlying MSAL with an account object effectively avoiding the previous error.
TEJENDRA PRASAD PATEL 66 Reputation points

2022-11-27T07:50:41.617+00:00

@Alfredo Revilla (MSFT) , thank you!

I need your guidance on what permission to use for API.

There are two delegated and application permission (https://learn.microsoft.com/en-us/azure/active-directory/develop/permissions-consent-overview)

My API will never be accessed by User only web application can access so do i really need delegated permission ?

I was thinking to use application permission to access API as only webapp will be accessed by external user not API.

What is your opinion on this?

Thank you!
Regards,
Tej
Alfredo Revilla (MSFT) 18,491 Reputation points Microsoft Employee

2022-11-28T21:46:36.093+00:00

Hello @TEJENDRA PRASAD PATEL , delegated permissions are intended to be requested and used by users. If your web app or api is accesing another api using client credentials, it will request and obtain application permissions. These are requested as scopes and obtained as roles.
TEJENDRA PRASAD PATEL 66 Reputation points

2022-11-29T14:29:39.337+00:00

@Alfredo Revilla (MSFT) , thank you for detailing.

My scenario User access -> Web Application and Web Application calls APIs to access data..

So in my scenario its best to use application permission as web app access web api?

User will never access API directly it will be always app will access...

I was thinking in terms of Access Token as too many access token for each users...
Alfredo Revilla (MSFT) 18,491 Reputation points Microsoft Employee

2022-11-29T15:16:05.287+00:00

Hello @TEJENDRA PRASAD PATEL , yes webapp to weabpi can use application authentication and authorization. This a very common and solid pattern so you're good to go. Just keep in mind some permissions will be tenant wide so develop your code carefully to limit which ones can be enforced and over which resources.
TEJENDRA PRASAD PATEL 66 Reputation points

2022-11-29T16:37:52.33+00:00

@Alfredo Revilla (MSFT) thank you for your guidance..

I'll write secure code that limits access to only web apps and excludes all other resources.

I'm grateful. You have been a pillar of my work by offering advice in response to each query I raise.

I'll get in touch if I need any more advice.
Alfredo Revilla (MSFT) 18,491 Reputation points Microsoft Employee

2022-11-29T16:41:02.607+00:00

That's great to know. Thanks for sharing it. Please accept my answer and complete the quality survey so that others can find a solution.

Answer 2

Bruce (SqlWork.com) 35,641

with your setup there are three cookies

azure ad: has a login cookie. when the website redirect to azure ad, if a login cookie exists, then it just redirects back to the website with a token

website 1: when azure ad redirects to its reply url, it creates a new cookie (with the additional claims added)
website 2: when azure ad redirects to its reply url, it creates a new cookie (with the additional claims added)

note that both websites have their own cookies. you can configuration the cookie authentication to share the cookie between the sites. this will require setting a common path, and configuring DataProtection services to use a common encryption key

TEJENDRA PRASAD PATEL 66 Reputation points

2022-11-17T21:09:19.247+00:00

Hi @Bruce (SqlWork.com) ,

Thank you for your guidance.

But, which approach is best to implement in terms flexibility and security

Approach 1: (Current Proof of Concept)
Website 1 and 2 have been registered separately in Azure AD and .NET Core frame custom claims in both the application (Same Claims).

Approach 2:
Both Website register in single Azure Ad app and have reply url for respective website and frame custom claims in both the application (Same Claims).

Approach 3:
Either Approach 1 or 2 for app registration but use Data Protection service to use a common encryption key for sharing token between apps.

Please provide some guidance it would be helpful.

Thank you!
Bruce (SqlWork.com) 35,641 Reputation points

2022-11-29T17:51:45.333+00:00

our security dept likes #1 because they can better track login to individual applications.
TEJENDRA PRASAD PATEL 66 Reputation points

2022-11-29T21:48:16.813+00:00

@Bruce (SqlWork.com)

Thank you so much for the response.

Yes, I will go ahead with approach one in development separately handle each application.

Only thing I need to change from delegated to application permissions to get access token and make api secure..

Add Custom Claim IClaimsTransformation to Azure ID Token and Share between two application

1 additional answer

Activity