Use extension attributes inside token generated for application

asosinski 5 Reputation points
2023-09-22T11:42:43.04+00:00

Hi,

In a service-to-service scenario, I want to generate a token for App1, to be able to access App2, but within the token, I need to have a custom claim defined. Both applications are registered within the same Azure B2C.

I have gone through the documentation related to extension attributes and specifically to directory extension attributes. It is mentioned in the table that for directory extensions the target type can be set to application, which makes me assume I can potentially define an extension attribute with a value on the application. But I want to later have that value as one of the claims in an access token generated using Client Credentials, which are the application ClientId and Secret.

There is documentation on how to have such a claim when it is a user (not an application) requesting a token, but I was not able to find specific instructions for my case. Can you provide me with some links or code snippets on how to achieve it?


3 answers

Sort by: Most helpful
  1. Fabio Andrade 1,665 Reputation points Microsoft Employee
    2023-10-05T17:13:45.62+00:00

    Hi @asosinski

    Based on the documentation, you can request an access token to B2C using an SP the same way as you do against an Entra ID tenant.

    Since we clarified that, could you please confirm if the application in scope is the one that you changed the manifest to add the custom claim? I'm sharing a request example below:

    grant_type=authorization_code
    &client_id=<application-ID>
    &scope=<application-ID-URI>/<scope-name> -> This should be the application ID URI from the resource application
    &code=eyJraWQiOiJjcGltY29yZV8wOTI1MjAxNSIsInZlciI6IjEuMC...
    &redirect_uri=https://jwt.ms
    &client_secret=2hMG2-_:y12n10vwH...

    Also, the documentation states that you need to set both acceptMappedClaims and allowPublicClient attributes to True on the resource application manifest, could you please confirm that?

    Would it be possible for you to send me the manifest hiding any potential confidential information? It could be a screenshot only.

    Thanks,

    Fabio

    1 person found this answer helpful.
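    The question is about a client_credentials token (no user, no authorization code), so the request differs from the authorization_code body above. The following is an added example, not code from the question or from Fabio's reply: it builds the client_credentials form body App1 would POST to the B2C token endpoint, derives the claim name a directory extension attribute appears under (`extension_<appId without dashes>_<name>`), and decodes a token payload to check whether that claim is present. The tenant name, endpoint, Application ID URI, client id/secret and attribute name are placeholders, and the sample token is constructed and unsigned so the example runs offline.

```python
import base64
import json
from urllib.parse import urlencode

# Added example; every identifier below is a placeholder, not a value from the thread.
TENANT = "contoso"  # placeholder B2C tenant name
TOKEN_ENDPOINT = (
    f"https://{TENANT}.b2clogin.com/{TENANT}.onmicrosoft.com/oauth2/v2.0/token"
)
APP2_ID_URI = f"https://{TENANT}.onmicrosoft.com/app2"  # placeholder App ID URI of App2


def build_client_credentials_body(client_id: str, client_secret: str, resource_id_uri: str) -> str:
    """Form body for the client_credentials grant (service-to-service, no user).
    The /.default scope requests the application permissions App1 holds on App2."""
    return urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{resource_id_uri}/.default",
    })


def extension_claim_name(extensions_app_id: str, attribute: str) -> str:
    """Directory extension attributes surface as extension_<appId without dashes>_<name>,
    where appId is the application the extension attribute was registered on."""
    return f"extension_{extensions_app_id.replace('-', '')}_{attribute}"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Re-add the padding that compact JWT encoding strips.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT. This parses the payload only and does not
    verify the signature, so it is for inspection, not for authorization decisions."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def find_extension_claims(claims: dict) -> dict:
    """Pick out every directory-extension claim present in the token."""
    return {k: v for k, v in claims.items() if k.startswith("extension_")}


def make_unsigned_sample_token(claims: dict) -> str:
    """Constructed, unsigned sample token used only so this example runs offline."""
    def compact(obj: dict) -> bytes:
        return json.dumps(obj, separators=(",", ":")).encode()
    header = {"alg": "none", "typ": "JWT"}
    return f"{_b64url_encode(compact(header))}.{_b64url_encode(compact(claims))}."


if __name__ == "__main__":
    body = build_client_credentials_body("<app1-client-id>", "<app1-secret>", APP2_ID_URI)
    print("POST", TOKEN_ENDPOINT)
    print(body)

    # Constructed token standing in for what App2 would receive from App1.
    wanted = extension_claim_name("11111111-2222-3333-4444-555555555555", "tier")
    sample = make_unsigned_sample_token(
        {"aud": "<app2-client-id>", "sub": "<app1-object-id>", wanted: "gold"}
    )
    print(find_extension_claims(decode_jwt_payload(sample)))
```

    Run against a real token endpoint, App2 should still validate the signature, issuer and audience of whatever it receives before trusting an extension claim; the decoder here only shows whether the claim made it into the token at all.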

  2. Fabio Andrade 1,665 Reputation points Microsoft Employee
    2023-10-16T22:07:02.6866667+00:00

    Hi @asosinski

    Yes, you will be using the B2C tenant since its Tenant ID is the one present in the login URL; this is a completely separate tenant from the Entra ID one.

    Customizing the claims on an Entra ID tenant is basically the same process as with the B2C one, but the main change is that there will be no user flow policies in place for each sign-in, as this type of tenant is more focused on consumer sign-in. The document below has more information about customizing JWT, ID and access tokens: https://learn.microsoft.com/en-us/azure/active-directory/develop/jwt-claims-customization

    If it does not work either, I'd suggest you open a support ticket with our B2C team. If you do not have that option available to you, let me know, as we can work on another way for you to open it.

    Thanks,

    Fabio


  3. Fabio Andrade 1,665 Reputation points Microsoft Employee
    2023-10-26T20:41:48.64+00:00

    Hi @asosinski

    I just wanted to check if you want me to help you with opening a support case with Microsoft for your B2C query.

    Thanks,

    Fabio

