Adding Claims in Azure AD v2 id

Adding Claims in Azure AD v2 id_token

Q

How to include additional claims in Azure AD v2.0 id_tokens?

✍: FYIcenter.com

A

If you want to include additional claims in Azure AD v2.0 id_tokens, you need to modify your application registration in Azure AD.

1. Log in the Azure portal.

2. Select the Azure Active Directory service, and then select App registrations or App registrations (Preview).

3. Select the app you want to configure.

4. From the app's Overview page, select the Manifest section. A web-based manifest editor opens, allowing you to edit the manifest within the portal.

5. Find the "optionalClaims" root level property. Or add it if not exists. The structure of the "optionalClaims" property is like the following example of including "email" claim in the id_token claim:

...
  "oauth2RequirePostResponse": false,
  "optionalClaims": {
    "idToken": [
      {
        "name": "email",
        "source": null,
        "essential": false,
        "additionalProperties": []
      }
    ],
    "accessToken": [],
    "saml2Token": []
  },
    "orgRestrictions": [],
...

You can add any of the following optional claims:

ipaddr                    Client IP Address
onprem_sid                On-Premises Security Identifier                  
pwd_exp                   Password Expiration Time
pwd_url                   Change Password URL     
in_corp                   Inside Corporate Network
nickname                  User Nickname   
family_name               User Last Name  
given_name                User First name 
auth_time                 Time of last authentication
tenant_region_scope       Region of the resource tenant
home_oid                  Object ID of the user in home tenant.
sid                       Session ID
platf                     Device platform
email                     User's email address
verified_primary_email    User's first verified email address
verified_secondary_email  User's second verified email address
enfpolids                 Enforced policy IDs
vnet                      VNET specifier information.
fwd                       Forward IP address
ctry                      User's country 
tenant_ctry               Resource tenant's country
xms_pdl                   Preferred data location
xms_tpl                   Tenant preferred language
ztdid                     Zero-touch Deployment ID
acct                      Users account status in tenant
upn                       UserPrincipalName claim

⇒ Validate Azure AD v2 id_token

⇐ Azure AD v2 id_token Is Smaller

⇑ Azure AD Integration v2.0

⇑⇑ OpenID Tutorials

2019-03-27, ∼7430🔥, 0💬

Adding Claims in Azure AD v2 id_token
How to include additional claims in Azure AD v2.0 id_tokens? If you want to include additional claims in Azure AD v2.0 id_tokens, you need to modify your application registration in Azure AD. 1. Log in the Azure portal. 2. Select the Azure Active Directory service, and then select App registrations ... 2019-03-27, ∼7431🔥, 0💬

Validate Azure AD v2 id_token Signature
How to validate the id_token signature received from Azure AD v2.0 authentication response? You can use some existing libraries to perform the Azure AD "id_token" signature validation using libraries of different programming languages as suggested in "Azure Active Directory access tokens" article" .... 2023-09-06, ∼4164🔥, 1💬

💬 2023-09-06 rjurado01: You safe my life.

Azure AD v2 id_token Decoded Example
Where to find an Azure AD v2.0 id_token decoded example? Here is an example of an "id_token" value returned from Azure AD v2.0 after Base64URL decoded: Header = { "typ": "JWT", "alg": "RS256", "kid": "1LTMzakihiRla_8z2BEJVXeWMqo" } Body = { "ver": "2.0", "iss": "https://login.microsoftonline .com/918... 2019-04-03, ∼2889🔥, 0💬

Validate Azure AD v2 id_token
How to validate the id_token value received from Azure AD v2.0 authentication response? As you can see from the previous tutorials, you can easily decode the "id_token" value received from Azure AD authentication response using a simple PHP script. After decoding, you can get all information about t... 2019-03-27, ∼2712🔥, 0💬

Build Implicit Flow with Azure AD v2
How to implement the OpenID Implicit Flow with Azure AD v2.0 service? If you want to implement the OpenID Implicit Flow in your Web application to use Azure AD service, you should follow these steps: 1. Building the Azure AD v2.0 Sign-on authentication request: Register your Web application to the A... 2019-04-03, ∼2472🔥, 0💬

Decode Azure AD v2 id_token
How to decode the id_token value received from Azure AD v2.0 authentication response? According to the "RFC 7519 - JWT (JSON Web Token)" standard, the "id_token" value received from Azure AD authentication response should be decoded as below: Splitting the encoded string into 3 components: Header, B... 2019-04-03, ∼2123🔥, 0💬

Azure AD v2 Access Token Request
What is the Azure AD v2.0 Access Token Request? If you want to implement the authentication code flow to integrate your application with Azure AD v2.0, you need to have a good understanding of the Azure AD v2.0 access token request, which is the second call you have to make in the authentication cod... 2019-03-27, ∼2107🔥, 0💬

Azure AD v2 id_token Is Smaller
Where Azure AD v2.0 id_token is smaller than v1.0? Azure AD v2.0 id_token is smaller than v1.0, because the number of default claims (properties) are reduced in Azure AD v2.0 id_tokens as shown in the table below: Azure AD v2.0 Azure AD v1.0 ver=2.0 ver=1.0 rh iss iss sub sub aud aud exp exp iat iat... 2019-04-03, ∼1766🔥, 0💬

Initiate Azure AD v2 Access Token Request
How to initiate Azure AD v2.0 Access Token Request? The Azure AD v2.0 Access Token Request should be initiated from your application Web server. This is why the authentication code flow is more secure than the implicit flow, because the "id_token" value will be received by Web server directly from t... 2019-03-27, ∼1762🔥, 0💬

All rights in the contents of this web site are reserved by the individual author. fyicenter.com does not guarantee the truthfulness, accuracy, or reliability of any contents.