3

Does anyone know what's the purpose of the optionalClaims field within the manifest file of a registered app on Azure?

To give some background, I'm trying to explore some options to add "custom-claims-like" claims to OAuth2 tokens generated by Azure AD. I know from this SO post and this SO post, that Azure currently doesn't offer it. From this Microsoft doc, it states that the optionalClaims field is

The optional claims returned in the token by the security token service for this specific app.

What's the security token service and how can I set it up? Is this for implicit flows only? Can I put a nonce value in this access token (and not the ID token since I don't want to use OpenID connect)?

Please let me know, thanks.

Brendan Green
  • 11,676
  • 5
  • 44
  • 76
rj2700
  • 1,770
  • 6
  • 28
  • 55

1 Answers1

1

In order to understand this, you (obviously) first need to understand what a Security Token Service is. This SO question/answer may help you a bit. This resource too.

Then something around Converged Endpoint and Converged Apps.

At the end of the day, to understand that the user may be authenticated outside Azure AD (for example Microsoft Account, formerly known as Live ID).

So, if the use has authenticated through external IdP (Identity Provider) and respective STS (Security Token Service), and if this external STS happens to deliver additional/optional claims, these additional claims would be included in the optionalClaims claim, issued by the Azure AD STS. A claim thought with vision for future implementation/federation scenarios.

Currently you cannot configure external STS, but you can configure your application in the Converged Endpoint.

astaykov
  • 30,768
  • 3
  • 70
  • 86
  • Ah, I think I'm starting to understand this. So to summarize: the optionalClaims field in the manifest on Azure is to accommodate extra claims that external IdP tokens provide. Is that about right? – rj2700 Jan 25 '18 at 20:44