I'd like to map custom claim values from a client_assertion supplied to Entra into the resulting access token granted by Entra

Tsypanov, Sergey (DXC Luxoft) 0 Reputation points
2024-10-14T12:08:21.5666667+00:00

Hello, in our application we have server-to-server communication secured with AT received from Entra.

Here's how we get the token:

POST https://login.microsoftonline.com/tenant-id/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded;charset=UTF-8

grant_type=client_credentials
&client_id=client-id
&client_assertion=lots-of-chars-here
&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer
&scope=api://client-id/.default

In client_assertion we have a custom claim named xyz with a dynamic value; what we need is to have this custom claim xyz in the access token returned by Entra, with the value supplied within the client_assertion. The documentation we've followed suggests we need to write an Azure function to handle this mapping. However, it's not clear how to access the attributes of the client_assertion, or whether this is actually the correct approach.

I'd appreciate any piece of advice. Thanks!


1 answer

  1. James Hamil 27,211 Reputation points Microsoft Employee Moderator
    2024-10-17T23:27:10.6766667+00:00

    Hi @Tsypanov, Sergey (DXC Luxoft), it looks like your links didn't save properly, in case you wanted to repost them.

    You can configure a custom claims provider for a token issuance event. This involves registering a custom authentication extension and adding attributes that you expect it to parse from your REST API.

    To allow tokens to be augmented, you must explicitly enable the application registration to accept mapped claims. In your application registration, under Manage, select Manifest. In the manifest, locate the acceptMappedClaims attribute and set the value to true. Also, set accessTokenAcceptedVersion to 2.

    You can use an Azure Function to handle the mapping of custom claims. The Azure Function will parse the client_assertion and extract the custom claim xyz, then include it in the access token.

    Please let me know if you have any questions and I can help you further.

    If this answer helps you please mark "Accept Answer" so other users can reference it.

    Thank you,

    James

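An added example, not code from the question or the answer: a Python sketch of the mapping step the answer describes, showing the onTokenIssuanceStart response shape that hands claim xyz back to Entra, plus the check a function should make before copying a claim (the assertion's iss/sub must match the client Entra is issuing the token for). It assumes the function has the client_assertion string available alongside the Entra callout event (this page does not say how it gets there); the sample assertion and callout below are constructed, with placeholder IDs and an unsigned placeholder signature.

```python
import base64
import json

# Type names used in Entra custom authentication extension payloads.
EVENT_TYPE = "microsoft.graph.authenticationEvent.tokenIssuanceStart"
RESPONSE_TYPE = "microsoft.graph.onTokenIssuanceStartResponseData"
ACTION_TYPE = "microsoft.graph.tokenIssuanceStart.provideClaimsForToken"


def decode_jwt_claims(assertion: str) -> dict:
    """Decode the claims segment of a compact JWT. Signature, issuer and audience
    validation of the client_assertion is Entra's job at the token endpoint."""
    parts = assertion.split(".")
    if len(parts) != 3:
        raise ValueError("client_assertion is not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def build_claims_response(event: dict, assertion: str) -> dict:
    """Return the provideClaimsForToken action that copies claim 'xyz'
    from the client_assertion into the access token Entra is issuing."""
    if event.get("type") != EVENT_TYPE:
        raise ValueError("unexpected event type: %r" % event.get("type"))
    caller = event["data"]["authenticationContext"]["clientServicePrincipal"]["appId"]
    claims = decode_jwt_claims(assertion)
    # A client-credentials assertion has iss == sub == the client's app ID;
    # refuse to map anything from an assertion minted for a different client.
    if claims.get("iss") != caller or claims.get("sub") != caller:
        raise PermissionError("assertion subject does not match requesting client")
    if "xyz" not in claims:
        raise KeyError("client_assertion carries no 'xyz' claim")
    return {"data": {"@odata.type": RESPONSE_TYPE,
                     "actions": [{"@odata.type": ACTION_TYPE,
                                  "claims": {"xyz": str(claims["xyz"])}}]}}


def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed sample input (placeholder IDs and signature), not real Entra data:
# the assertion the client sent and the callout Entra would make to the function.
SAMPLE_ASSERTION = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"iss": "client-id", "sub": "client-id", "xyz": "order-42",
             "aud": "https://login.microsoftonline.com/tenant-id/oauth2/v2.0/token"}),
    "signature-placeholder"])
SAMPLE_EVENT = {"type": EVENT_TYPE, "data": {
    "@odata.type": "microsoft.graph.onTokenIssuanceStartCalloutData",
    "authenticationContext": {"protocol": "OAUTH2.0",
                              "clientServicePrincipal": {"appId": "client-id"}}}}
```

The returned dictionary is what the Azure Function's HTTP trigger would serialize as its JSON body; the manifest settings the answer lists must also be in place for Entra to accept it.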
