Azure AD: Roles claims missing in access token
For my application, I want users to be able to sign in with their Azure Account (Single Sign On). I also need an access token to access the secured backend. So I can get both, the id_token and the access_token, with a request to this url:

https://login.microsoftonline.com/MY_TENANT_ID/oauth2/authorize?response_type=id_token+token&client_id=MY_CLIENT_ID&state=SOME_STATE&redirect_uri=MY_REDIRECT_URI&scope=openid profile&resource=MY_CLIENT_ID&nonce=SOME_NONCE

This basically works, but I also want to have the roles in the access token (and in the id token), but the roles are not included in the tokens I receive.

When I use this Url to only get an id_token, the role claims are included:

https://login.microsoftonline.com/MY_TENANT_ID/oauth2/authorize?response_type=id_token&client_id=MY_CLIENT_ID&state=SOME_STATE&redirect_uri=MY_REDIRECT_URI&scope=openid profile&nonce=SOME_NONCE

The difference is I request only the id_token and not the token and I leave out the resource parameter.

My questions are: Why are the role claims not included in the tokens of the first request? What are my options to get id_token and the access_token with the roles claims?

edit: This is how the appRoles are defined in the app's manifest:

{
  "appId": "MY_CLIENT_ID",
  "appRoles": [
    {
      "allowedMemberTypes": [
        "User"
      ],
      "displayName": "Admin",
      "id": "c200e304-fff3-49f1-a4df-e406741ea690",
      "isEnabled": true,
      "description": "Bla bla",
      "value": "admin"
    },
    {
      "allowedMemberTypes": [
        "User"
      ],
      "displayName": "Reader",
      "id": "c534f351-b343-48d0-9dd7-ecb4c5cb402d",
      "isEnabled": true,
      "description": "Bla bla",
      "value": "reader"
    }
  ],
  "availableToOtherTenants": false,
  ...
}
Fleisig answered 30/8, 2017 at 9:38 Comment(8)
I've never seen the token parameter used actually. Have you tried to do the same thing with authorization code grant flow? I.e. response_type=id_token+code, and then exchanging the code for an access token.Spectacled
I will give it a try. So do you think this is a bug then?Fleisig
Not sure, it seems pretty odd though.Spectacled
Ok, I tried with response_type=id_token+code. With the code I grabbed the tokens from the token endpoint which gave me the access_token, refresh_token and id_token. Both access_token and id_token are lacking the role claims again. :(Fleisig
Could you add how you have defined your roles in the question? A part of the manifest for example.Spectacled
Sure, updated my question.Fleisig
Did you try using the scope parameter within the Authorization Request and adding "appRoles"?Crowther
I just tried it out, the roles do still not appear in any of the tokens.Fleisig
I can also reproduce the issue. I'm not sure whether this is a bug or by design, and I found that this issue only occurs when we acquire the token for the app itself. For example, if we replace the resource with Azure AD Graph, the role claims are issued in the id_token successfully.

As a workaround for this issue, I suggest that you acquire the id_token in the first request. Then you can acquire the access token in an iframe using the ADAL library without user interaction, since the user has already signed in.

Assist answered 31/8, 2017 at 6:49 Comment(6)
Thanks for looking into this. The problem is that - yes, I would get the roles with the id_token - but they still do not come with the access_token, even when acquiring it separately.Fleisig
AFAIK, this kind of roles claim will not be issued into the access_token. The roles are only issued in the access token when we request the access token using the client credentials flow, which contains the permissions that require admin consent.Assist
The client-credentials flow is not user specific, as far as I can see. So how can there be roles of a specific user inside that access_token?Fleisig
At present, there is no way to issue such claims in the access token. If you are developing a web API, you may use the id_token instead of the access token for authentication as a workaround.Assist
Microsoft discourages using authentication tokens for authorizationAntipyretic
@FeiXue-MSFT Using ID tokens instead of access tokens to access the API is a bad practice. Auth0 has a great documentation and explanation why: auth0.com/docs/tokens "Do not use ID tokens to gain access to an API."Scott
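As an added diagnostic example (not code from this thread, from Microsoft's libraries, or from Auth0): the snippet below decodes the two tokens described in the question to show which claims differ between them, and then applies the role gate a backend would run before serving a request. The claim sets are constructed placeholders reusing the question's MY_CLIENT_ID and MY_TENANT_ID; real Azure AD tokens carry more claims and are RS256-signed. decode_claims deliberately skips signature verification, so it is only for inspecting a token's contents, and authorize assumes the signature, issuer and expiry were validated against the tenant's signing keys beforehand.

```python
import base64
import json

# Constructed claim sets modelled on the two flows in the question. Real Azure AD
# tokens carry more claims and are RS256-signed; these are illustrative only.
ID_TOKEN_CLAIMS = {  # second flow: response_type=id_token, roles present
    "aud": "MY_CLIENT_ID",
    "iss": "https://sts.windows.net/MY_TENANT_ID/",
    "sub": "constructed-subject",
    "roles": ["admin"],
}
ACCESS_TOKEN_CLAIMS = {  # first flow: resource=MY_CLIENT_ID, roles missing
    "aud": "MY_CLIENT_ID",
    "iss": "https://sts.windows.net/MY_TENANT_ID/",
    "sub": "constructed-subject",
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_jwt(claims: dict) -> str:
    """Build a compact JWT with an empty signature, for the constructed samples only."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()),
                     ""])


def decode_claims(token: str) -> dict:
    """Return the payload of a compact JWT WITHOUT checking the signature.
    Use this only to see which claims a token carries, never to trust them."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def claims_only_in(first: dict, second: dict) -> set:
    """Claim names present in `first` but absent from `second`."""
    return set(first) - set(second)


def authorize(claims: dict, expected_aud: str, required_role: str) -> tuple:
    """Role gate for a backend. Assumes `claims` came from a token whose
    signature, issuer and expiry were already validated (assumed step, not shown)."""
    if claims.get("aud") != expected_aud:
        return (False, "audience mismatch")
    roles = claims.get("roles")
    if not roles:
        # This is the symptom from the question: a token with no roles claim
        # cannot be used for role-based authorization, so the request is denied.
        return (False, "missing roles claim")
    if required_role not in roles:
        return (False, "role not granted")
    return (True, "ok")


SAMPLE_ID_TOKEN = make_unsigned_jwt(ID_TOKEN_CLAIMS)
SAMPLE_ACCESS_TOKEN = make_unsigned_jwt(ACCESS_TOKEN_CLAIMS)

if __name__ == "__main__":
    id_claims = decode_claims(SAMPLE_ID_TOKEN)
    at_claims = decode_claims(SAMPLE_ACCESS_TOKEN)
    print("claims only in id_token:", claims_only_in(id_claims, at_claims))
    print("access_token gate:", authorize(at_claims, "MY_CLIENT_ID", "admin"))
    print("id_token gate:", authorize(id_claims, "MY_CLIENT_ID", "admin"))
```

The gate fails closed on a missing roles claim rather than treating the absence as "no restrictions", which is the safe default while the access token lacks roles; the id_token passing the same gate is exactly why it is tempting to send it to the API, and exactly what the Auth0 guidance quoted above warns against.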
To get the "roles" claim in the access token to authorize the user requests in your back-end, follow the steps in this guide: https://github.com/Azure-Samples/ms-identity-javascript-tutorial/blob/main/3-Authorization-II/1-call-api/README.md

You will register 2 apps, one for the client (browser) and one for the server (API).

Then the most important thing after completing the steps in the guide:

Go to your server app registration "manifest" > remove "emit_as_roles" from the "optional_claims.access_token" object:


Now the roles claim will appear in the access_token.

Replevy answered 7/9, 2023 at 14:41 Comment(0)