Dynamic scope / claims for OAuth2 / OIDC flows using EntraID

Question

Dynamic scope / claims for OAuth2 / OIDC flows using EntraID

Harsh Thakker 0

Hi,

I'm working on an application, that needs to access an API on behalf of its users.

For this, I'm looking to implement an OAuth2 / OIDC flow, for the application to:

Get a Consent from users every time it performs an operation using the API &
Have an Access Tokens issued, to be able to access the API to perform these operations

Standard OAuth / OIDC flows have static scopes - however, I need the scopes to be dynamic, based on the actual operation being performed by the application against the API.

For example - if the application is changing a FileName from "A.txt" to "B.txt", I want:

EntraID to display this specific "change FileName A.txt to B.txt" operation to Users on the Consent Screen, to review & approve and
Include this operation as a claim within the Access Token issued to the application

I have found an extension of OAuth2 called "OAuth2 with Rich Authorization Requests" that enables this type of dynamic & fine-grained authorization. Is this flow supported by EntraID?

If not, can this be achieved using "openid" as the scope & using the "claims" parameter for the dynamic operations to be consented by the users?

Gudivada Adi Navya Sri 21,095 Reputation points Moderator

2024-10-24T03:56:06.57+00:00

Hi @Harsh Thakker

Following up to see if the below answer was helpful. Please remember to "Accept Answer" if answer helped you. This will help us as well as others in the community who might be researching similar questions. if you have any further query do let us know.
Gudivada Adi Navya Sri 21,095 Reputation points Moderator

2024-10-30T10:06:20.6233333+00:00

Hi @Harsh Thakker

Is there anything else I can help you with regarding this issue? If you still need further help, please feel free to let me know. If your question has been solved, then you can click "Accept Answer", which may help members with similar questions find the answer easily.

1 answer

Your answer

Gudivada Adi Navya Sri 21,095 Reputation points Moderator

2024-10-24T03:56:06.57+00:00

Hi @Harsh Thakker

Following up to see if the below answer was helpful. Please remember to "Accept Answer" if answer helped you. This will help us as well as others in the community who might be researching similar questions. if you have any further query do let us know.
Gudivada Adi Navya Sri 21,095 Reputation points Moderator

2024-10-30T10:06:20.6233333+00:00

Hi @Harsh Thakker

Is there anything else I can help you with regarding this issue? If you still need further help, please feel free to let me know. If your question has been solved, then you can click "Accept Answer", which may help members with similar questions find the answer easily.

Answer 1

Gudivada Adi Navya Sri 21,095 Moderator

Hi @Harsh Thakker

Thank you for posting this in Microsoft Q&A.

I understand you are looking to implement a dynamic OAuth2/OpenID Connect (OIDC) flow for your application that requires user consent for specific operations each time an API call is made. This involves displaying specific operations on the consent screen and including them as claims in the issued access token.

Unfortunately, OAuth2 with Rich Authorization Requests flow is not supported in Microsoft Entra ID.

I would request you to please share the feedback on our feedback channel https://feedback.azure.com/d365community/forum/22920db1-ad25-ec11-b6e6-000d3a4f0789 Which would be open for the user community to upvote & comment on. This allows our product teams to effectively prioritize your request against our existing feature backlog and gives insight into the potential impact of implementing the suggested feature.

can this be achieved using "openid" as the scope & using the "claims" parameter for the dynamic operations to be consented by the users.

No, you cannot achieve this using the OpenID scope. The OpenID scope operates based on the permissions specified in the application within Entra ID.

Hope this helps. Do let us know if you any further queries.

Thanks,

Navya.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Harsh Thakker 0 Reputation points

2024-10-25T15:18:08.5733333+00:00
Hi Navya,

Thanks for your prompt response.

And apologies for the late reply - I was in the process of thinking through other alternatives / workarounds that might work based on the information you've provided above i.e.

EntraID doesn't support OAuth2.0 w/ RAR and

Custom Claims in OIDC AuthZ Requests cannot be arbitrary & must be pre-registered in the EntraID App / API Config

Based on this, I have a couple of follow-ups questions if you don't mind:

If I register a custom OIDC Claim, can its value be configured to be dynamic / parameterized? E.g. from my original post, this would be something like - Claim_Name="changeFileName" and Claim_Value=<some_regex> or just *

Then, when an Authorization Request comes in with "openid" as the scope & some JSON in the Claims parameter e.g. {"changeFileName": "A.txt-B.txt"} - EntraID would automatically treat this as a known Claim (with a dynamic value, retrieved from the incoming request) - that needs to be consented to by the User & included in the issued Access Token.

Is that possible?

I came across this approach in Authlete documentation here(for parameterized scopes however - not claims).

If above isn't supported, the second question would be:

Can I write a custom Authorization routine that EntraID offloads to, to process incoming Authorization Requests?

I can then handle custom & dynamic claims using my own code - to parse the request, dynamically render a Consent Screen & add claims into the Access Token.

If neither of the above is possible, is there any mechanism within EntraID that can help achieve this use case / requirement?

Regards,
Harsh
Gudivada Adi Navya Sri 21,095 Reputation points Moderator

2024-10-28T09:17:56.4166667+00:00

Hi @Harsh Thakker
Thank you for following up on this!

Regarding your first question, EntraID supports custom claims in OIDC authorization requests, but the values of these claims must be pre-registered in the EntraID app/API configuration. It is not possible to configure a custom OIDC claim to have a dynamic or parameterized value, as the values of these claims must be known and registered in advance.

Regarding your second question, EntraID does not currently support custom authorization routines that can be offloaded to process incoming authorization requests.

Hope this helps. Do let us know if you any further queries.
If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Share via

Dynamic scope / claims for OAuth2 / OIDC flows using EntraID

1 answer

Your answer