Access Token missing Optional Claims that are Schema Extensions - Implicit Grant Flow

  • Question

  • We are trying to get a Schema Extension on a User object to appear in an Access Token acquired using the Implicit Grant Flow but have been unsuccessful.

    We've successfully created the schema extension and updated a user to provide a value for that schema extension.

    We've created an App Registration, and configured the Implicit Grant to include both Access Tokens and ID Tokens. And the Supported Account Types are "Accounts in any organization".

    The App Registration's Manifest has been updated to include the configuration of two optional claims per token.  We used the "UPN" and our schema extension.
    The "UPN" appears in both the ID Token and the Access Token.
    However, the schema extension only appears in the ID Token and NOT in the Access Token.

    We know that the user's schema extension value has been successfully set based on Graph API queries and by the fact it appears in the ID Token. But it does not appear in the Access Token.

    We have seen that acquiring a token via the Resource Owner Grant Flow results in the extension property appearing in the access token in that flow.
    However, when using the Implicit Grant Flow the schema extension is not included in the access token.

    Here is the documentation referenced:

    Creating the Schema Extension:
    Used both of these methods for creating a Schema Extension. The first one uses the Azure AD Graph API and the second uses the MS Graph API. Both successfully provide the ability to add properties to the User object. But it does not matter which is used because neither one ends up in the access token when using the Implicit Grant Flow.

    Directory schema extensions | Graph API concepts
    https://docs.microsoft.com/en-us/previous-versions/azure/ad/graph/howto/azure-ad-graph-api-directory-schema-extensions

    Add custom data to groups using schema extensions
    https://docs.microsoft.com/en-us/graph/extensibility-schema-groups

    Followed this for providing the optional claims...
    How to: Provide optional claims to your Azure AD app
    https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims

    Used this quickstart app to test login and acquisition of tokens...
    Quickstart: Sign in users and acquire an access token from a JavaScript single-page application (SPA)
    https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-javascript#option-1-register-and-auto-configure-your-app-and-then-download-your-code-sample

    Question:

    What additional configuration is necessary to successfully include a schema extension of a user object within an Access Token via the Implicit Grant Flow?

    Thursday, April 18, 2019 9:28 AM
