How to setup Custom Auth Extension with a local REST API via Token Issuance Event

Aleks S 50 Reputation points
2023-08-29T15:56:03.32+00:00

We understand that Entra is in Preview and so is the Custom Authentication Extension (CAE) capability, but how can we use CAE to add custom claims to the token using a local REST API?

We have a SPA app registered in Entra that works well with MSAL. Upon signing in, we would like to fetch a few user attributes from the on-premise SQL database (e.g. userId, userStatus, etc.) and attach them to the token for our Web API(s) to use. However, the example uses an Azure Function; what we will need to do is create an Extension with a local REST API to debug it, as we will also structure our Apps per environment in each tenant and should have CAEs that match our apps, e.g.:

  • SPA 1 (Localhost)
  • SPA 1 (QA)
    ...
  • API 1 (Localhost)
  • API 1 (QA)
    ...
  • CAE for SPA 1 Localhost
  • CAE for SPA 1 QA

There is not enough guidance or documentation on using Entra External ID as far as real world strategies. Can you give us guidance or any information since on paper it seems straightforward: "When a user authenticates to an application, a custom claims provider can be used to add claims into the token. A custom claims provider is made up of a custom authentication extension that calls an external REST API, to fetch claims from external systems."

NOTE: Admittedly, we don't know how to get this working with Azure Functions. So if you can point us in the right direction or provide some samples.

PS: I've tried setting up a local sample API both in IIS Express and Local IIS, and it returns this error (seemingly expecting that the API is already published on a public domain, as in the example with the Azure Function):

Error in creating custom extension Token Issuance Event: IncorrectResourceIdFormat:ResourceId should be in the format of '{api|https}://{fully qualified domain name}/{app guid}'


Accepted answer

Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator
2023-08-31T08:19:50.4066667+00:00

Hi @Aleks S,

Thanks for reaching out.

It sounds like you want to use Custom Authentication Extensions (CAE) to add custom claims to the token using a local REST API.

To get started, you'll need to create a custom claims provider with the token issuance start event type. This event is triggered right before the token is issued and allows you to call a REST API to add claims to the token. You can follow the steps in the documentation to create the custom claims provider, but instead of using an Azure Function, you'll use your local REST API.

Reference: https://learn.microsoft.com/en-us/azure/active-directory/develop/custom-extension-get-started?tabs=entra-admin-center%2Chttp#step-2-register-a-custom-authentication-extension

Regarding your question about Entra External ID, it is a product that allows you to verify the identity of users using a third-party identity provider. While it is not directly related to Custom Authentication Extensions, you can certainly use both products together to provide a more comprehensive identity verification solution.

As for the error you're seeing when trying to create a custom extension token issuance event, it looks like the resource ID you're using is not in the correct format. The resource ID should be in the format of 'api://testxxxxxextension.azurewebsites.net/0ea0d427-xxx-4xxxf-8xxx-xxxxxxxxx'. Make sure you're using the correct format for your resource ID.

Hope this will help.

Thanks,

Shweta

Please remember to "Accept Answer" if answer helped you.
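As an added example that is not part of the original question or answer: a minimal local REST API implementing the token issuance start callout contract the answer refers to, returning userId and userStatus from a constructed in-memory stand-in for the on-premises SQL lookup the question describes. The event `type` and `@odata.type` strings follow the documented custom claims provider request and response format; the port, the user object id and the attribute values are assumed.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Any

# Constructed stand-in for the on-premises SQL lookup the question describes
# (user object id -> attributes). A real API would query the user table here.
ON_PREM_USERS = {
    "11111111-2222-3333-4444-555555555555": {"userId": "1042", "userStatus": "active"},
}
TOKEN_ISSUANCE_START = "microsoft.graph.authenticationEvent.tokenIssuanceStart"


def build_claims_response(body: dict[str, Any]) -> dict[str, Any]:
    """Turn one tokenIssuanceStart callout body into the response Entra expects.
    Entra POSTs JSON whose `type` names the event and whose
    `data.authenticationContext.user.id` is the signing-in user's object id;
    the reply is a list of actions, and provideClaimsForToken carries the claims.
    """
    if body.get("type") != TOKEN_ISSUANCE_START:
        raise ValueError(f"unexpected event type: {body.get('type')!r}")
    user = body.get("data", {}).get("authenticationContext", {}).get("user", {})
    # Unknown user: return no claims so the token is issued unchanged rather
    # than failing sign-in for everyone the on-prem database does not know.
    claims = ON_PREM_USERS.get(user.get("id", ""), {})
    return {"data": {
        "@odata.type": "microsoft.graph.onTokenIssuanceStartResponseData",
        "actions": [{
            "@odata.type": "microsoft.graph.tokenIssuanceStart.provideClaimsForToken",
            "claims": claims,
        }],
    }}


class ClaimsHandler(BaseHTTPRequestHandler):
    def do_POST(self) -> None:
        # Entra presents a bearer token in the Authorization header; validate it
        # (signature, audience) before trusting the body. Omitted here.
        raw = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        try:
            payload, status = json.dumps(build_claims_response(json.loads(raw or b"{}"))).encode(), 200
        except ValueError as exc:  # json.JSONDecodeError is a ValueError too
            payload, status = json.dumps({"error": str(exc)}).encode(), 400
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(payload)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 7071), ClaimsHandler).serve_forever()
```

Running this locally only lets you post a sample callout body to it yourself to debug the handler logic; Entra itself has to reach the endpoint through a publicly resolvable HTTPS URL matching the registered resource id, which is what the IncorrectResourceIdFormat error in the question is enforcing.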

