Hello, I have two app registrations on Azure Active Directory, app A and app B, and I'm trying to authenticate the requests from app A to app B in .NET Core 3.0. I am using the client credentials flow described in https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow.

Since I have many clients that need to access app B, I only want to use app A instead of creating as many app registrations as the number of clients and introduce a custom value in the JWT token used for authorizing each request.

After some investigation, I've seen that there is the possibility to add custom claims to the JWT token used by one app registration to another, creating an extension to the user object (Azure AD Custom Claims in JWT). However, I do not see how to add an extension to an app registration in the documentation https://learn.microsoft.com/en-us/graph/extensibility-overview.

Is it possible to implement this scenario? If so, how am I able to pass the custom value as a custom claim when performing the request and configure the app B to allow this?

1 Answer

It kind of sounds to me that you are trying to work around the intended design.

If client apps should have different rights, they should be registered as different apps with different permissions to the API. That way you are using the platform the way it was intended to be used, and it will work with you.

juunas
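As an added illustration of the answer's point (this is example code, not code from the question or the answer): app B, the API, can give each client registration different rights by defining app roles on app B and assigning them to each client app; the client-credentials token then carries those roles in the `roles` claim, so authorization depends on which registration obtained the token rather than on a value the caller inserts. The tenant id, app B's client id, and the role names `Orders.Read` / `Orders.Write` are placeholders and assumptions; the file is a Startup.cs for ASP.NET Core 3.0.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // Placeholders: the tenant and app B's Application (client) ID.
                options.Authority = "https://login.microsoftonline.com/{tenant-id}/v2.0";
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidAudience = "{app-b-client-id}", // reject tokens minted for other APIs
                    RoleClaimType = "roles"              // v2.0 application permissions arrive in "roles"
                };
            });
        services.AddAuthorization(options =>
        {
            // Hypothetical app roles defined on app B and assigned per client registration.
            // Which roles a token carries is decided by Azure AD, not by the caller.
            options.AddPolicy("CanReadOrders", p => p.RequireRole("Orders.Read"));
            options.AddPolicy("CanWriteOrders", p => p.RequireRole("Orders.Write"));
        });
        services.AddControllers();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication(); // validates signature, issuer, audience and lifetime
        app.UseAuthorization();  // enforces the role policies on the endpoints below
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}

[ApiController, Route("orders")]
public class OrdersController : ControllerBase
{
    [HttpGet, Authorize(Policy = "CanReadOrders")]
    public IActionResult List() => Ok(new[] { "order-1" }); // constructed sample data

    [HttpPost, Authorize(Policy = "CanWriteOrders")]
    public IActionResult Create() => Accepted();
}
```

A client registration assigned only `Orders.Read` gets 403 on the POST even though its token is otherwise valid, which is the per-client distinction the question wanted, obtained through separate registrations as the answer suggests.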