For my application, I want users to be able to sign in with their Azure Account (Single Sign On). I also need an access token to access the secured backend.
So I can get both, the id_token and the access_token, with a request to this URL:
https://login.microsoftonline.com/MY_TENANT_ID/oauth2/authorize?response_type=id_token+token&client_id=MY_CLIENT_ID&state=SOME_STATE&redirect_uri=MY_REDIRECT_URI&scope=openid profile&resource=MY_CLIENT_ID&nonce=SOME_NONCE
This basically works, but I also want to have the roles in the access token (and in the id token); however, the roles are not included in the tokens I receive.
When I use this URL to only get an id_token, the role claims are included:
https://login.microsoftonline.com/MY_TENANT_ID/oauth2/authorize?response_type=id_token&client_id=MY_CLIENT_ID&state=SOME_STATE&redirect_uri=MY_REDIRECT_URI&scope=openid profile&nonce=SOME_NONCE
The difference is that I request only the id_token and not the token, and I leave out the resource parameter.
My questions are: Why are the role claims not included in the tokens of the first request? What are my options to get the id_token and the access_token with the roles claims?
edit: This is how the app roles are defined in the app's manifest:
{
  "appId": "MY_CLIENT_ID",
  "appRoles": [
    {
      "allowedMemberTypes": [
        "User"
      ],
      "displayName": "Admin",
      "id": "c200e304-fff3-49f1-a4df-e406741ea690",
      "isEnabled": true,
      "description": "Bla bla",
      "value": "admin"
    },
    {
      "allowedMemberTypes": [
        "User"
      ],
      "displayName": "Reader",
      "id": "c534f351-b343-48d0-9dd7-ecb4c5cb402d",
      "isEnabled": true,
      "description": "Bla bla",
      "value": "reader"
    }
  ],
  "availableToOtherTenants": false,
  ...
}
At sign-in time, Azure AD determines what application roles are assigned to the user, and includes a roles claim in the token. Applications can inspect the token and use the roles claim to authorize the user.
When a user signs in to the application, Azure AD emits a roles claim for each role that the user or service principal has been granted, whether assigned individually or through group membership. This can be used to implement claims-based authorization.
AFAIK, this kind of roles claim will not be issued in the access_token. The roles are only issued in the access token when we request the access token using the client credentials flow, which contains the permissions that require admin consent. – Fei Xue - MSFT Aug 31 '17 at 9:25
The client-credentials flow is not user specific, as far as I can see.
I can also reproduce the issue. I'm not sure whether this is a bug or by design, and I found that this issue only occurs when we acquire the token for the app itself. For example, if we replace the resource with Azure AD Graph, the role claims are issued in the id_token successfully.
As a workaround for this issue, I suggest that you acquire the id_token in the first request. Then you can acquire the access token in an iframe using the ADAL library without user interaction, since the user has already signed in.
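The following is an added example, not code from the question or either answer and not adal.js itself. It walks through the two-request workaround suggested above and the roles-claim inspection described in the earlier answer: (1) build the authorize URL that requests only an id_token, (2) parse the fragment Azure AD returns, check state and nonce, and read the roles claim, then (3) build the second authorize URL that asks for an access token for the app itself from a hidden iframe. The tenant, client and redirect values are the placeholders from the question; the redirect URI value and the use of prompt=none for the silent iframe request are assumptions (prompt=none is how ADAL performs silent renewal). The JWT is only decoded here, never signature-verified, which is fine for client-side UI decisions but the backend must verify the signature before trusting any claim.

```javascript
// Added example (not the original poster's code, not adal.js).
const AUTHORITY = 'https://login.microsoftonline.com/MY_TENANT_ID/oauth2/authorize';
const CLIENT_ID = 'MY_CLIENT_ID';
const REDIRECT_URI = 'https://app.example/callback'; // assumed placeholder

// --- base64url helpers that work in browsers and Node ---
function b64uDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/') + '==='.slice((s.length + 3) % 4);
  const bin = typeof atob === 'function' ? atob(b64) : Buffer.from(b64, 'base64').toString('binary');
  return new TextDecoder().decode(Uint8Array.from(bin, c => c.charCodeAt(0)));
}
function b64uEncode(s) {
  const bin = Array.from(new TextEncoder().encode(s), b => String.fromCharCode(b)).join('');
  const b64 = typeof btoa === 'function' ? btoa(bin) : Buffer.from(bin, 'binary').toString('base64');
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Decode the payload of a compact JWT WITHOUT verifying the signature.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(b64uDecode(parts[1]));
}

// Steps 1 and 3: build the v1 authorize URL. Only the id_token request needs a
// nonce; the silent access-token request adds resource=<app> and prompt=none.
function buildAuthorizeUrl({ responseType, state, nonce, resource, prompt }) {
  const p = new URLSearchParams({
    response_type: responseType,
    client_id: CLIENT_ID,
    redirect_uri: REDIRECT_URI,
    scope: 'openid profile',
    state,
  });
  if (nonce) p.set('nonce', nonce);
  if (resource) p.set('resource', resource);
  if (prompt) p.set('prompt', prompt);
  return `${AUTHORITY}?${p}`;
}

// Step 2: parse the implicit-flow fragment. The state check ties the response
// to the request this client actually made (CSRF protection); never skip it.
function parseAuthResponse(fragment, expectedState) {
  const p = new URLSearchParams(fragment.replace(/^#/, ''));
  if (p.get('state') !== expectedState) throw new Error('state mismatch');
  if (p.has('error')) {
    return { error: p.get('error'), errorDescription: p.get('error_description') };
  }
  return { idToken: p.get('id_token'), accessToken: p.get('access_token') };
}

// Check what can be checked without the signing key, then extract the roles.
// Azure AD omits the claim entirely when the user has no roles.
function rolesFromIdToken(idToken, expectedNonce) {
  const c = decodeJwtPayload(idToken);
  if (c.nonce !== expectedNonce) throw new Error('nonce mismatch');
  if (c.aud !== CLIENT_ID) throw new Error('audience mismatch');
  if (typeof c.exp === 'number' && c.exp * 1000 < Date.now()) throw new Error('expired');
  return Array.isArray(c.roles) ? c.roles : [];
}

// --- constructed sample standing in for what Azure AD would return ---
const STATE = 'state-4c2b';
const NONCE = 'nonce-91af';
function unverifiedToken(claims) { // header + payload with a dummy signature segment
  return `${b64uEncode('{"alg":"RS256","typ":"JWT"}')}.${b64uEncode(JSON.stringify(claims))}.c2ln`;
}
const SAMPLE_ID_TOKEN = unverifiedToken({
  aud: CLIENT_ID, iss: 'https://sts.windows.net/MY_TENANT_ID/', nonce: NONCE,
  exp: 4102444800, roles: ['admin', 'reader'],
});
const SAMPLE_FRAGMENT = `#id_token=${SAMPLE_ID_TOKEN}&state=${STATE}&session_state=abc`;

function demo() {
  const step1 = buildAuthorizeUrl({ responseType: 'id_token', state: STATE, nonce: NONCE });
  const { idToken } = parseAuthResponse(SAMPLE_FRAGMENT, STATE); // browser lands on REDIRECT_URI
  const roles = rolesFromIdToken(idToken, NONCE);                 // ['admin', 'reader']
  const step3 = buildAuthorizeUrl({ responseType: 'token', state: STATE, resource: CLIENT_ID, prompt: 'none' });
  return { step1, roles, step3 }; // load step3 in a hidden iframe, parse its fragment the same way
}
```

If the silent iframe request comes back with error=interaction_required, the user's session is gone and the app has to fall back to an interactive sign-in; parseAuthResponse returns that error instead of throwing so the caller can branch on it. Whether the access token obtained via step 3 carries the roles claim is exactly the behaviour the answer above says is inconsistent, so the backend should not rely on it without testing against the actual tenant.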