Missing role claims in JWT Token issued by AAD

I am using Microsoft Graph APIs to programmatically register a client app, resource server and assign a role from the resource server to the client app. Here are the steps followed:

  1. Get Access Token --> https://login.windows.net/<Tenant_Id>/oauth2/token/?api-version=1.6

  2. Client App Registration --> https://graph.windows.net/<Tenant_Id>/applications/?api-version=1.6

  3. Client Service Principal

  4. Resource Server Registration with below app role in manifest:

"appRoles": [
  {
    "allowedMemberTypes": [
      "Application"
    ],
    "description": "Description of Role - Resource_API_11092017",
    "displayName": "Role_Resource_API_11092017",
    "id": "5ff0033d-fa87-4a77-9b3d-b4b201dfc32e",
    "isEnabled": true,
    "value": "Read_Only_Resource_API_11092017"
  }
],
  5. Resource Server Service Principal creation

  6. Assigning Role to client App.

When I am trying to get the access token using the credentials of the client app, I am not getting any roles in the JWT nor any information of the resource server.

I even granted permission from the portal in the client app to the role of the resource server. But still no luck.

Any help will be appreciated. Let me know if you need more details.

Thanks.

@Update on 11/14/2017:

Please find the Payload of the JWT.

{
  "aud": "https://xxxxx.onmicrosoft.com/Resource_API_11092017",
  "iss": "https://sts.windows.net/caa4bd37-xxxx-xxxx-xxxx-bba4bd0e22a6/",
  "iat": 1510679930,
  "nbf": 1510679930,
  "exp": 1510683830,
  "aio": "Y2NgYLipff1Ghn65atEd97grbjxxxx==",
  "appid": "3ec8690d-xxxx-xxxx-xxxx-739709a758cc",
  "appidacr": "1",
  "idp": "https://sts.windows.net/caa4bd37-xxxx-xxxx-xxxx-bba4bd0e22a6/",
  "tid": "caa4bd37-xxxx-xxxx-xxxx-bba4bd0e22a6",
  "ver": "1.0"
}

The service principal does not contain any Role in it. But I have assigned the Role_Assigned_API_11092017 as Application Permissions using portal. This Role_Assigned_API_11092017 is defined as Role in the resource app Resource_API_11092017.

Permissions are granted from the Resource_API_11092017 through Portal.

amiivas asked Nov 08 '22 14:11



1 Answer

I was able to get role claims in the token. Here are the steps you need to follow if you want your client app to have roles defined in the resource app.

  1. Create client App.
  2. Create service principal of the client app.
  3. Create resource app with roles defined as:
"appRoles": [{
    "allowedMemberTypes": [
      "Application"
    ],
  4. Create service principal for the resource app.
  5. Patch the client app and resource app with the roles defined in the resource app. Allow Roles in the Required Permission section of the client app.
  6. Grant permission on the client app, logging in through your admin account from the Azure portal.

Apart from step 6, everything can be done using Microsoft Graph API using the access token of an app which has adequate permissions to register apps in your directory.

If anyone has the corresponding API for the Grant Permission action from the client app, please let me know. For now we are taking this as a manual step.
Thanks.

{
  "aud": "https://xxxxxxx.onmicrosoft.com/resource_app_11202017",
  "iss": "https://sts.windows.net/caa4bd37-xxxx-xxxx-xxxx-bba4bdxxxxa6/",
  "iat": 1511209576,
  "nbf": 1511209576,
  "exp": 1511213476,
  "aio": "Y2xxxxBlVE3nxxxxHtx3xSxxxxLAQ==",
  "appid": "dffe69ef-xxxx-xxxx-xxxx-3550bxxxxbd7",
  "appidacr": "1",
  "idp": "https://sts.windows.net/caa4bd37-xxxx-xxxx-xxxx-bba4bdxxxxa6/",
  "oid": "f2af0608-xxxx-xxxx-xxxx-a5acacxxxx8d",
  "roles": [
    "readonly_role_resource_app_11202017",
    "writeonly_role_resource_app_11202017"
  ],
  "sub": "f2af0608-xxxx-xxxx-xxxx-a5acacxxxx8d",
  "tid": "caa4bd37-xxxx-xxxx-xxxx-bba4bdxxxxa6",
  "uti": "VW6inKHUI0SgkuNMi6AcAA",
  "ver": "1.0"
}
amiivas answered Nov 15 '22 06:11
