login_hint as optional claim

testuser7 271 Reputation points
2022-06-28T12:27:34.4+00:00

Hello,

I have a simple but annoying question.

I want a couple of extra claims in the JWT token that is created by AAD for the app.
I have added two "optional claims" in the registered app in my tenant through the portal.
Those are ctry and login_hint.

ctry is properly coming in the id-token, but login_hint is not part of the token at all.
As per the doc, both claims are allowed for both versions of the id-token, so no confusion about it.
I see both claims properly added in the manifest of the app.
Any idea why login_hint is not added in the token when I hit the following:

https://login.microsoftonline.com/

5 answers

  1. testuser7 271 Reputation points
    2022-06-30T12:36:20.797+00:00

    Hello,

    Any update from MSFT on the above query is appreciated.

    Thanks.


  2. James Hamil 21,621 Reputation points Microsoft Employee
    2022-06-30T21:23:14.457+00:00

    Hi @testuser7 , sorry for the delay in response. Have you had the chance to review this thread?

    "You need to configure the optional claims on the access token for the API, not the ID token."

    Please let me know if this works for you. If not I can help you further!

    If this answer helped you please mark it as "Verified" so other users can reference it.

    Thank you,
    James


  3. testuser7 271 Reputation points
    2022-07-06T13:00:59.837+00:00

    Agree with @Mark Kaplan.

    Besides, @James Hamil, if you check my request URL, you will notice that I am not asking for any scope that leads to an access token. It is just a simple ID token:

    https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize?client_id=80e41c80-2d17-42c7-a172-059ca30afe9f&response_type=id_token&scope=openid&redirect_uri=https://jwt.ms&nonce=27927924

    Really unusual and interesting use case.

    Thanks.

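The question and the request URL above describe one procedure: request an ID token only (response_type=id_token, scope=openid, a nonce) and then look at which of the optional claims configured in the app manifest actually arrived. The script below is an added example, not code from the thread or from Microsoft. It assumes placeholder tenant and client IDs, a constructed manifest fragment in the Azure AD app-manifest "optionalClaims" shape, and a constructed unsigned token as a stand-in for the real RS256-signed token AAD would return; the only real identifiers are the endpoint and parameter names already shown in the thread.

```python
import base64
import json
import secrets
from urllib.parse import urlencode

# Constructed sample of an app manifest's "optionalClaims" section. The shape
# (idToken / accessToken / saml2Token lists of {name, source, essential,
# additionalProperties}) follows the Azure AD app manifest schema; the entries
# mirror the question: ctry and login_hint requested on the ID token.
SAMPLE_MANIFEST = {
    "optionalClaims": {
        "idToken": [
            {"name": "ctry", "source": None, "essential": False, "additionalProperties": []},
            {"name": "login_hint", "source": None, "essential": False, "additionalProperties": []},
        ],
        "accessToken": [],
        "saml2Token": [],
    }
}


def build_authorize_url(tenant_id, client_id, redirect_uri, nonce=None):
    """Build the ID-token-only authorize request used in the thread
    (response_type=id_token, scope=openid). A fresh random nonce is generated
    when none is supplied; the caller must keep it to validate the token."""
    nonce = nonce or secrets.token_urlsafe(16)
    params = {
        "client_id": client_id,
        "response_type": "id_token",
        "scope": "openid",
        "redirect_uri": redirect_uri,
        "nonce": nonce,
    }
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize?{urlencode(params)}"
    return url, nonce


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Restore the padding that compact JWS encoding strips.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_unsigned_token(payload: dict) -> str:
    """Constructed test fixture only: an unsigned compact JWS (alg "none") so
    the inspection below runs offline. Real AAD tokens are RS256-signed."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}."


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload of a compact JWS for inspection. This does NOT verify
    the signature; verify against the tenant's signing keys before trusting
    any claim in production."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_optional_claims(manifest: dict, token: str, expected_nonce: str) -> dict:
    """Compare the optional claims requested for the ID token in the manifest
    with the claims actually present in the returned token."""
    claims = decode_jwt_payload(token)
    # Bind the token to our own request first; a token carrying a foreign
    # nonce tells us nothing about our configuration.
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: token was not issued for this request")
    requested = [c["name"] for c in manifest["optionalClaims"]["idToken"]]
    return {
        "present": [name for name in requested if name in claims],
        "missing": [name for name in requested if name not in claims],
    }


def demo() -> dict:
    """Reproduce the thread's observation with constructed values: ctry
    arrives, login_hint does not."""
    url, nonce = build_authorize_url("<tenant-id>", "<client-id>", "https://jwt.ms")
    # Constructed ID token payload standing in for what AAD would return.
    token = make_unsigned_token({
        "aud": "<client-id>",
        "iss": "https://login.microsoftonline.com/<tenant-id>/v2.0",
        "nonce": nonce,
        "ver": "2.0",
        "ctry": "US",
    })
    return check_optional_claims(SAMPLE_MANIFEST, token, nonce)


if __name__ == "__main__":
    print(demo())  # {'present': ['ctry'], 'missing': ['login_hint']}
```

Paste a real token from jwt.ms in place of the constructed one to get the same present/missing report for your own registration; the nonce check is kept deliberately so the report can only ever describe a token that answered your request.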

  4. testuser7 271 Reputation points
    2022-07-09T13:17:55.853+00:00

    Hi @James Hamil, how is it looking? Interesting, isn't it?
    I am wondering how I missed this in so many years of working on AAD.

    Logically, login_hint was always something that should come from the app.
    The only use case where AAD packs it in the token is when 2 apps want to do SSO seamlessly.
    It can be passed between applications to help them silently SSO as well.


  5. Scott, Steven 0 Reputation points
    2024-04-08T16:35:29.71+00:00

    I am trying to use login_hint for promptless logout described here, but the dev team says the optional claim is coming across as undefined.

    Using the Terraform provider below against the Azure AD application defined in the module, here is how I am configuring login_hint. Should it be assigned to the access token?

    azuread_application_optional_claims

    id_token {
      name      = "login_hint"
      source    = "user"
      essential = false
    }
    