Access Token missing Optional Claims that are Schema Extensions - Implicit Grant Flow

  • Question

  • We are trying to get a Schema Extension on a User object to appear in an Access Token acquired using the Implicit Grant Flow but have been unsuccessful.

    We've successfully created the schema extension and updated a user to provide a value for that schema extension.

    We've created an App Registration, and configured the Implicit Grant to include both Access Tokens and ID Tokens.  And the Supported Account Types are "Accounts in any organization".

    The App Registration's Manifest has been updated to include the configuration of two optional claims per token.  We used the "UPN" and our schema extension.
    The "UPN" appears in both the ID Token and the Access Token.
    However, the schema extension only appears in the ID Token and NOT in the Access Token.

    We know that the user's schema extension value has been successfully set based on Graph API queries and by the fact it appears in the ID Token.  But it does not appear in the Access Token.

    We have seen that acquiring a token via the Resource Owner Grant Flow results in the extension property appearing in the access token in that flow.
    However, when using the Implicit Grant Flow the schema extension is not included in the access token.

    Here is the documentation referenced:

    Creating the Schema Extension:
    Used both of these methods for creating a Schema Extension.  The first one uses the Azure AD Graph API and the second uses the MS Graph API.  Both successfully provide the ability to add properties to the User object.  But it does not matter which is used because neither one ends up in the access token when using the Implicit Grant Flow.

    Directory schema extensions | Graph API concepts
    https://docs.microsoft.com/en-us/previous-versions/azure/ad/graph/howto/azure-ad-graph-api-directory-schema-extensions

    Add custom data to groups using schema extensions
    https://docs.microsoft.com/en-us/graph/extensibility-schema-groups

    Followed this for providing the optional claims...
    How to: Provide optional claims to your Azure AD app
    https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims

    Used this quickstart app to test login and acquisition of tokens...
    Quickstart: Sign in users and acquire an access token from a JavaScript single-page application (SPA)
    https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-javascript#option-1-register-and-auto-configure-your-app-and-then-download-your-code-sample

    Question:

    What additional configuration is necessary to successfully include a schema extension of a user object within an Access Token via the Implicit Grant Flow?

    Thursday, April 18, 2019 9:28 AM

All replies

  • As per my understanding, it seems you have added the schema extension claim in the manifest of the client app and thus you are getting it in the id token.  If you want to have the claim in access token then you need to modify the manifest of the resource app. In your scenario - 

    If you have an Application A which needs access to a Web API B and you want the claims in the access_token then you need to modify the manifest of B.
    Monday, April 22, 2019 10:27 PM
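    The reply above says the access token's optional claims come from the resource app's manifest, not the client app's. The following diagnostic is an added example, not code from the thread or from Microsoft's quickstart: it decodes the payload of each token a SPA received and reports which expected claims landed in which token, reproducing the symptom described (claim in the id_token, absent from the access_token). It only base64url-decodes the payload and does not validate signatures, so it is a configuration check, not a token validator. The claim name `extension_<appid>_costCenter`, the audiences and the sample tokens are constructed placeholders.

```javascript
// Added diagnostic (not from the thread): which expected optional claims are
// present in each token. Decodes the JWT payload only; no signature check.
// Runs under Node.js (uses Buffer).
function decodeJwtPayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS/JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, "base64").toString("utf8"));
}

// For each expected claim, report which tokens carry it: { claim: { tokenName: bool } }.
function claimPresence(tokens, expectedClaims) {
  const report = {};
  for (const claim of expectedClaims) {
    report[claim] = {};
    for (const [tokenName, jwt] of Object.entries(tokens)) {
      const payload = decodeJwtPayload(jwt);
      report[claim][tokenName] = Object.prototype.hasOwnProperty.call(payload, claim);
    }
  }
  return report;
}

// Expected claims absent from one named token (e.g. "access_token").
function missingClaims(tokens, expectedClaims, tokenName) {
  const presence = claimPresence(tokens, expectedClaims);
  return expectedClaims.filter((c) => !presence[c][tokenName]);
}

// Build an unsigned JWT from a payload so the example runs offline.
// Constructed sample data; "sig" is a placeholder, not a real signature.
function makeUnsignedJwt(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "RS256", typ: "JWT", kid: "placeholder" })}.${enc(payload)}.sig`;
}

// Placeholder claim name; the real one depends on the tenant's extension.
const EXT_CLAIM = "extension_<appid>_costCenter";
// Constructed tokens mirroring the thread: id_token has the extension claim, access_token does not.
const SAMPLE_TOKENS = {
  id_token: makeUnsignedJwt({ aud: "client-app-id", upn: "user@contoso.example", [EXT_CLAIM]: "CC-42" }),
  access_token: makeUnsignedJwt({ aud: "api://resource-app-id", upn: "user@contoso.example" }),
};

console.log(claimPresence(SAMPLE_TOKENS, ["upn", EXT_CLAIM]));
console.log("missing from access_token:", missingClaims(SAMPLE_TOKENS, ["upn", EXT_CLAIM], "access_token"));
```

    With real tokens from the quickstart SPA, pass the two strings MSAL returns in place of `SAMPLE_TOKENS`; an empty list from `missingClaims(..., "access_token")` means the resource app's manifest change took effect.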
  • Please let me know if you find the above reply useful. If yes, do click on the 'Mark as answer' link in the above reply. This will help other community members facing a similar query to refer to this solution. Thanks.
    Monday, May 13, 2019 8:05 PM
  • Hi, is this resolved? I am stuck with the same situation. Please confirm.
    Thursday, July 4, 2019 2:35 PM
  • Hi Sivaram, 

    The schema extension process seems to be addressed, but the issue is with the access token not having the proper claims.

    Please refer to this thread for more information on how the custom claims mapping policy and optional claims mapping work.

    https://social.msdn.microsoft.com/Forums/en-US/dbeeed63-8d3f-4c27-b416-431f9fe6c729/providing-directory-extension-optional-claims-and-returning-value-within-token?forum=WindowsAzureAD

    If this answers your question please remember to mark it as answered, otherwise please let us know if there are any more questions within the scope of this thread.

    • Proposed as answer by Frank Hu MSFT Friday, July 5, 2019 8:53 PM
    Friday, July 5, 2019 8:52 PM
  • I'm following up on this again, please remember to mark one of the responses as answer if your question has been answered. If not, please let us know if there are any more questions.

    Thanks!

    Monday, July 8, 2019 5:14 PM