
I have configured an OAuth2/openID server in Azure Active Directory that I am using to authenticate users for the purpose of accessing a third party application. The app will then open in a 'patient context' meaning some information about a patient will be displayed.

I need to be able to pass a PatientId from the point where I call the third party URL to where the ~/v2.0/token returns the JSON response. The third party requires that the PatientId be included as an element in the token response eg.:

{
    "access_token":"the access token...",
    "token_type":"bearer",
    "expires_in":"3600",
    "scope":"patient/patient.read",
    "id_token":"the user id token ....",
    "patient":"123456"
}

How can I persist this PatientId until it can be added to the token response? I cannot see any parameter in the ~/v2.0/token request that I can use to link the requested PatientId with the current authentication flow.

eric_the_animal

1 Answer

We can use optional claims in Azure AD applications to specify which claims we want in tokens sent to that application.

Please check if the patientId property can be created in the request by configuring directory extension optional claims to create an extension property.

Claims customization is used by tenant admins to customize the claims emitted in tokens for a specific application in their tenant. You can use claims-mapping policies to:

  • select which claims are included in tokens.
  • create claim types that do not already exist.

It is defined in the optional claims of the manifest, which is in the format: extension_<appid>_<attributename>.

  • The appid must match the ID of the application requesting the claim.

Example: requesting skypeId in the manifest:

"optionalClaims": {
    "idToken": [
        {
            "name": "extension_ax60xxxxxxx2a17e237_skypeId",
            "source": "user",
            "essential": true
        }
    ],
    "accessToken": [
        {
            "name": "extension_axxxxxxxxxxxxxa17e237_skypeId",
            "source": "user",
            "essential": true
        }
    ],
    "saml2Token": []
}

Reference: Provide optional claims to Azure AD apps - Microsoft Entra | Microsoft Docs

Or make "acceptMappedClaims": true in the application manifest and try using the PowerShell command for a claims mapping policy.

Example:

New-AzureADPolicy -Definition `
    @('{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true","ClaimsSchema":[{"Source":"user","ID":"employeeid","JwtClaimType":"patientid"}]}}') `
    -DisplayName "ExtraClaimsPatientID" `
    -Type "ClaimsMappingPolicy"

References:

  1. Azure AD - Adding Employeeid claims in Azure AD JWT token - Devonblog
  2. sharepoint - Azure AD Custom Claims in JWT - Stack Overflow
kavyaS
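Whichever of the two routes in the answer is used, the patient value ends up as a claim inside the signed id_token rather than as a top-level field of the token response, so the relying party has to verify the token and lift the claim out. The following added example (not from the question, the answer, or Microsoft's code) does that: it verifies a JWT, looks for the claim under either the claims-mapping name `patientid` from the answer's policy or the directory-extension name `extension_<appid>_patientId`, and copies it into the `patient` field the third party expects. The application ID, HMAC key and token contents are constructed placeholders; the token is signed with HS256 only so the example runs offline with the standard library. Real Azure AD tokens are RS256 and must be validated against the tenant's JWKS with an OIDC library before any claim is trusted.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholders for this example only (not values from the post).
APP_ID = "00000000-0000-0000-0000-000000000000"  # placeholder application (client) ID
DEMO_KEY = b"demo-hmac-key-not-for-production"    # HS256 key used only to build the sample token
NOW = 1_700_000_000                               # fixed "current time" so the example is deterministic


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments omit '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_demo_id_token(claims: dict) -> str:
    """Build a sample HS256 JWT. Azure AD issues RS256 tokens; this exists only
    so the example is self-contained."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_demo_token(token: str, audience: str, now: int) -> dict:
    """Check structure, signature, audience and expiry, then return the claims.
    A payload that has not passed these checks must never be used."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never accept 'none' or whatever the token says
        raise ValueError("unexpected alg")
    expected = hmac.new(DEMO_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("aud") != audience:
        raise ValueError("audience mismatch")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    return claims


def extract_patient(token_response: dict, audience: str, now: int) -> dict:
    """Return a copy of token_response with a top-level 'patient' field taken
    from the verified id_token. Raises KeyError if no patient claim is present,
    which is the symptom of a missing optional claim or mapping policy."""
    claims = verify_demo_token(token_response["id_token"], audience, now)
    # Candidate claim names: the JwtClaimType from the claims-mapping policy,
    # and the directory-extension form extension_<appid without dashes>_<attribute>.
    candidates = ["patientid", f"extension_{APP_ID.replace('-', '')}_patientId"]
    for name in candidates:
        if name in claims:
            return {**token_response, "patient": str(claims[name])}
    raise KeyError("no patient claim in id_token; check optional claims / claims-mapping policy")


# Constructed sample token response shaped like the one in the question.
SAMPLE_RESPONSE = {
    "access_token": "the access token...",
    "token_type": "bearer",
    "expires_in": "3600",
    "scope": "patient/patient.read",
    "id_token": make_demo_id_token(
        {"aud": APP_ID, "exp": NOW + 3600, "sub": "user-1", "patientid": "123456"}
    ),
}

if __name__ == "__main__":
    print(json.dumps(extract_patient(SAMPLE_RESPONSE, APP_ID, NOW), indent=2))
```

Because the claim is read only after signature, audience and expiry checks pass, a response whose id_token has been altered to carry a different patient value is rejected instead of silently switching the patient context.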