
I am attempting to use the MSAL Python library to call another custom API in Azure (exposed through an App Registration with an API scope).

I am writing a daemon application that will make the request. Following Azure documentation here:

https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-daemon-app-configuration?tabs=python

The last example in these Azure docs suggests you can add assertions about custom claims, such as client_ip, that would be returned in the token.

Similarly, I would like the preferred_username claim to be set to Test as an example:

import msal

# read the certificate's private key used for the client assertion
with open(config["private_key_file"]) as key_file:
    private_key = key_file.read()

app = msal.ConfidentialClientApplication(
    config["client_id"], authority=config["authority"],
    client_credential={"thumbprint": config["thumbprint"], "private_key": private_key},
    # extra claims MSAL adds to the client assertion it signs with the certificate
    client_claims={"preferred_username": "Test"}
)

However, when I acquire the token using the following code, the preferred_username claim is not in the token.

result = app.acquire_token_for_client(scopes=config["scope"])

Within the app registration for the daemon app I have added preferred_username as an optional claim (for access tokens).

I am not sure what is wrong with my approach, or whether I have misinterpreted the intent of client_claims.

Anon957
  • Did you add the optional claim in the Token configuration in the Azure Portal? – Rukmini Dec 16 '22 at 05:45
  • @Rukmini yes, I have added the `preferred_username` optional claim in the Azure portal (in the App Registration for the Daemon App). – Anon957 Dec 16 '22 at 05:49
  • So just to confirm, are you using the client_credentials grant type? Please refer to https://stackoverflow.com/questions/72867440/graph-client-azure-ad-jwt-custom-claims/72880453#72880453 and https://stackoverflow.com/questions/72543025/add-custom-value-in-upn-claim-in-access-token-generated-using-azure-ad-client-cr/72544673#72544673 – Rukmini Dec 16 '22 at 05:51
  • @Rukmini I'm using the client credential flow. However, the Microsoft documentation I linked (https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-daemon-app-configuration?tabs=python) suggests I can set custom values for claims such as `preferred_username`. I have followed what is said in this link (https://stackoverflow.com/questions/72543025/add-custom-value-in-upn-claim-in-access-token-generated-using-azure-ad-client-cr/72544673#72544673). I am still unsure how I can use it to allow my Daemon app to set a custom value for `preferred_username`. – Anon957 Dec 16 '22 at 05:59
  • It's not about MSAL; are you using user flows or custom policies? Your Relying Party must add the corresponding claims to the final token in your workflow. Are you using AAD or B2C? – Juanma Feliu Dec 20 '22 at 10:58
  • @JuanmaFeliu I am using user flows with AAD – Anon957 Dec 25 '22 at 10:15

1 Answer

I tried to reproduce the same in my environment and got the results below.

I created an Azure AD application and configured a custom preferred_username claim:

[screenshot]

I generated the token via Postman using the parameters below:

https://login.microsoftonline.com/TenantID/oauth2/v2.0/token

client_id:ClientID
client_secret:ClientSecret
scope:https://graph.microsoft.com/.default
grant_type:client_credentials

[screenshot]

Optional claims are not included in the token, as shown below:

[screenshot]

Note that getting optional claims is only possible with the Authorization code flow, ROPC flow and Implicit flow. Currently, the Client Credentials flow does not support adding any additional custom claims.

The Client Credentials flow fetches the token in the application's context and won't have any user-related claims like preferred_username, given_name or email, etc. So you have to generate the token in the user's context to get the claims.

Alternatively, I generated the access token using the endpoint below:

https://login.microsoftonline.com/tenantID/oauth2/v2.0/authorize?client_id=ClientID&response_type=token&redirect_uri=redirecturi&scope=user.read&response_mode=fragment&state=12345&nonce=678910

Optional claims are included in the token, as shown below:

[screenshot]

Reference:

Client assertions (MSAL) - Microsoft Entra | Microsoft Learn

Rukmini
  • Thanks for the detailed response; however, this does not solve how to get this token using the MSAL Python library, which I would like to do. The endpoint used in your `Alternatively` example has a redirect parameter, which a Daemon app does not have. – Anon957 Dec 17 '22 at 05:37
  • Please check this https://learn.microsoft.com/en-us/answers/questions/113893/optinal-34upn34-claim-missed-in-token-requested-by.html – Rukmini Dec 18 '22 at 05:13
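As an added example (not code from the question, the answer, or MSAL itself), here is a small Python check for the point the answer makes: decode the token you received and look at which user-context claims it actually carries, so a daemon or the API it calls can tell an app-only client-credentials token from one issued in a user's context. The tokens it inspects are constructed HS256 samples so it runs offline; the signing secret, issuer and audience values are assumptions, not real Azure AD values.

```python
import base64
import hashlib
import hmac
import json

# User-context claims named in the answer (plus "upn" from the linked threads);
# the answer's point is that a client_credentials token carries none of them.
USER_CLAIMS = ("preferred_username", "upn", "given_name", "email", "name")


def _b64url_decode(segment: str) -> bytes:
    """Base64url-decode one JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return a JWT's payload claims WITHOUT checking the signature.
    Fine for inspecting a token MSAL just handed you; the API that consumes
    the token must still validate signature, aud, iss and exp."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def user_claims_present(claims: dict) -> list:
    """Which user-context claims the token carries (empty for app-only tokens)."""
    return [c for c in USER_CLAIMS if c in claims]


def is_app_only(claims: dict) -> bool:
    """True when the token was issued in the application's context, not a user's."""
    return not user_claims_present(claims)


def make_constructed_jwt(payload: dict, secret: bytes = b"constructed-demo-key") -> str:
    """Build a constructed HS256 JWT so the example runs offline.
    Real Azure AD tokens are RS256-signed; only the claim layout is imitated."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


# Constructed payloads: an app-only token (app roles, no user claims) and a user token.
ISS = "https://login.microsoftonline.com/constructed-tenant-id/v2.0"
APP_ONLY_TOKEN = make_constructed_jwt({"aud": "api://constructed-api", "iss": ISS, "roles": ["Reader"]})
USER_TOKEN = make_constructed_jwt({"aud": "api://constructed-api", "iss": ISS, "preferred_username": "Test"})
```

Run `user_claims_present(decode_claims(token))` on the `access_token` string MSAL returns; an empty list is what a client-credentials token looks like, so an API that needs a user identity should not accept it as one.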