
I'm using the auth endpoint https://login.microsoftonline.com/tenant-id/oauth2/v2.0/token programmatically (Node.js) to get back a token that will be used against my API. I have everything properly configured to send the request using a "Client secret" I set up in the Azure Portal - App registration service.

This issues a valid token that I can later check with the help of the passport-azure-ad npm library. However, I've been looking for a way of somehow adding more metadata to that token (i.e. a custom user name) so that when it gets validated and parsed by my server upon future requests I can extract this information.

When issuing tokens using a frontend application library (like MSAL) I have access to some of the user's information in the token (like its oid and email address). I'd like to be able to "extend" the token generated with the client secret to also contain a couple of custom fields, which I can use after validating and parsing it.

Hopefully that's clear enough. I'm lost on how to achieve this. Thanks.

Farid Hajnal

1 Answer


It is a common requirement for APIs to authorize based on claims stored in the business data, e.g. roles or other custom data.

OPTION 1

Ideally the authorization server can reach out at the time of token issuance to an API or database to include the custom claims. This is not always supported though.

OPTION 2

Another option is for the API to process the incoming access token into a ClaimsPrincipal and to include custom values at that point. For an example see this code of mine.

PRIVACY

When adding more claims, you should also be careful about revealing sensitive data in JWTs returned to internet clients. E.g. if you include names and emails, they are easily readable, and this can sometimes be a security concern.

Gary Archer