How do we get the Scope Claim in the JWT Token

Balakrishna Sudabathula 21 Reputation points
2021-03-19T07:22:31.343+00:00

We are using the new version 2.0 endpoint, and it needs to be applied only on the API resource application.

It is important to mention that AAD Application Permissions allow a broad access to tenant-wide resources, so authenticated clients requesting authorization for any available resource in the same tenant will still receive a valid JWT with [aud] claim value of that respective resource.

This means we can’t rely on [aud] claims when enforcing access control; instead we will rely on the Scope claims issued by AAD according to the explicitly granted application permissions to clients.

We have to use scope-based API permissions, but they are not showing in the scope claim in the JSON Web Token (decoded). But if you go with role-based permissions you can see the roles claim details. Below is the latest update from Microsoft: AppRoles is currently in preview, which is stopping us from going with this route.

UPDATE: November 2020
[appRoles] Azure AD application attribute is now available (in preview) in the portal UI, so alternatively you could change and view the application roles through Azure portal UI settings.

<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized API Call">
    <!-- the tenant-scoped v2.0 metadata URL needs a "/" between the host and the tenant ID -->
    <openid-config url="https://login.microsoftonline.com/{TenantID}/v2.0/.well-known/openid-configuration" />
    <audiences>
        <!-- the token must be issued for this API, but aud alone does not prove a permission was granted -->
        <audience>{WeatherAPIApplicationID}</audience>
    </audiences>
    <required-claims>
        <!-- application permissions granted to the client appear in the roles claim -->
        <claim name="roles">
            <value>Weather.ReadAll</value>
        </claim>
    </required-claims>
</validate-jwt>

Is there any way to get the API permission scope claim in the JSON Web Token using the client credentials flow?


Accepted answer
  1. AmanpreetSingh-MSFT 56,311 Reputation points
    2021-03-19T16:42:49.987+00:00

    Hi @Balakrishna Sudabathula · Thank you for reaching out.

    When you acquire a token under user context, permissions are included in the Scope (SCP) claim and AppRoles are added as Roles claim within the Access Token. However, when the token is requested under application context via Client Credentials flow, permissions are added as Roles claim and not as Scope claim.

    This behavior is as per design and you can't get scope claim in Application's access token. To resolve the 401 error, you need to update your application's code to do the authorization based on Roles claim instead of Scope claim or configure it to look for both claims and perform authorization based on whichever claim is present in the Access token.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

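The authorization check the accepted answer describes (decide on the permission carried in roles or scp, whichever claim Entra ID issued, while still pinning the audience), written here as an added Python example that is not code from the original thread. The API application ID, the sample token payloads and the three client scenarios are constructed for the example; the permission name Weather.ReadAll is taken from the posted policy. Signature, issuer and expiry validation are assumed to have already happened (for instance in the validate-jwt policy or in a JWT library) before this code runs.

```python
import base64
import json

WEATHER_API_APP_ID = "00000000-0000-0000-0000-000000000001"  # assumed value
REQUIRED_PERMISSION = "Weather.ReadAll"  # permission name from the posted policy


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_payload(token: str) -> dict:
    """Return the claims of a compact JWT.

    This does NOT verify the signature: it assumes validate-jwt (or a JWT
    library) has already rejected tokens with a bad signature, issuer or expiry.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def granted_permissions(claims: dict) -> set:
    """Collect permissions from whichever claim the token carries.

    User context (delegated permissions): 'scp' is a space-delimited string.
    Application context (client credentials): 'roles' is a JSON array and
    there is no 'scp' claim at all, as the answer explains.
    """
    perms = set()
    scp = claims.get("scp")
    if isinstance(scp, str):
        perms.update(scp.split())
    roles = claims.get("roles")
    if isinstance(roles, list):
        perms.update(r for r in roles if isinstance(r, str))
    return perms


def is_authorized(claims: dict, required: str = REQUIRED_PERMISSION,
                  audience: str = WEATHER_API_APP_ID) -> bool:
    """Audience must still match (the token was issued for this API), but the
    access decision rests on scp/roles: a same-tenant client can obtain a token
    with the right aud and no granted permission at all."""
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if audience not in auds:
        return False
    return required in granted_permissions(claims)


def _make_unsigned_token(payload: dict) -> str:
    """Build a compact JWT with an empty signature. Constructed sample data only;
    a real token would carry an RS256 signature checked before decode_payload."""
    def enc(obj) -> str:
        raw = base64.urlsafe_b64encode(json.dumps(obj).encode())
        return raw.rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


# Constructed sample tokens (claims trimmed to what the check needs).
# Client credentials flow with the application permission assigned: roles only.
APP_TOKEN = _make_unsigned_token(
    {"aud": WEATHER_API_APP_ID, "roles": ["Weather.ReadAll"]})
# Delegated flow under a user: scp only, space-delimited.
USER_TOKEN = _make_unsigned_token(
    {"aud": WEATHER_API_APP_ID, "scp": "Weather.Read Weather.ReadAll"})
# Same-tenant client with no permission granted: valid aud, neither claim.
NO_PERMISSION_TOKEN = _make_unsigned_token({"aud": WEATHER_API_APP_ID})
# Token issued for a different API in the tenant.
OTHER_API_TOKEN = _make_unsigned_token(
    {"aud": "00000000-0000-0000-0000-000000000002", "roles": ["Weather.ReadAll"]})


if __name__ == "__main__":
    for name, tok in [("app", APP_TOKEN), ("user", USER_TOKEN),
                      ("no-permission", NO_PERMISSION_TOKEN),
                      ("other-api", OTHER_API_TOKEN)]:
        print(name, is_authorized(decode_payload(tok)))
```

The NO_PERMISSION_TOKEN case is the situation the question raises: the aud claim is correct, so audience validation alone would let it through, and only the absence of both scp and roles denies it.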

1 additional answer

  1. Balakrishna Sudabathula 21 Reputation points
    2021-03-19T17:10:33.15+00:00

    I have only one concern with going with role claims, which are in preview. Do you have any idea when it will be approved for public use?
