0 Votes
mihaelsafaric-0861 asked

How to change value of the audience claim in access token

Hi,

we are creating a flow in Azure AD B2C by using custom policies. By default, access_token contains an audience claim (named aud) which has the value set to the application ID.

We would like to change that value by attaching an additional string to it, i.e. aud="applicationID OUR_CUSTOM_ID".

In order to achieve that, we would need to read the aud claim value in the custom policy and then set the aud claim to a new value.
We haven't been successful with either of those two things, so the questions are:
- how to set a new value to the aud claim for the access token?
- how to read the value of the aud claim from the access token?

Thanks.


azure-ad-b2c

I'm not sure if this can be done since the claim is defined by the issuer. https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/active-directory-b2c/id-token-hint.md

@JasSuri-5387 do you have any insights around this one?

0 Votes

1 Answer

1 Vote
JasSuri-5387 answered

The only way I can see this being resolved, though not optimally, is as follows:

In the relyingParty section, add the aud claim yourself with a defaultValue.

```xml
<OutputClaim ClaimTypeReferenceId="aud" DefaultValue="applicationID OUR_CUSTOM_ID" AlwaysUseDefaultValue="true"/>
```


The downside is that the relying party is fixed regardless of the clientId used in the auth request.


@MarileeTurscak, @JasSuri-5387, thank you for the answers.

Unfortunately, the proposed workaround does change the value of the aud claim in the id_token but not in the access_token.

0 Votes
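To confirm which token a policy change actually affected, the aud claim of the id_token and the access_token can be decoded and compared side by side. The following is an added example, not part of the original thread or of any Microsoft code: the tokens, the placeholder application ID and the helper names are constructed for illustration, and the payload is decoded without signature verification, for inspection only. It also shows that a space-joined value such as "applicationID OUR_CUSTOM_ID" is one audience string, so an API that matches aud exactly against the application ID would not accept it.

```python
import base64
import json


def jwt_claims(token: str) -> dict:
    """Decode the payload of a compact JWT. No signature check: inspection only."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audiences(claims: dict) -> list:
    """RFC 7519 allows aud to be a single string or an array of strings."""
    aud = claims.get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)


def accepts(claims: dict, expected: str) -> bool:
    """Exact, case-sensitive audience match, as a resource API would apply it."""
    return expected in audiences(claims)


def constructed_token(claims: dict) -> str:
    """Build a sample token for this demo (constructed, not issued by B2C)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.constructed-signature"


APP_ID = "00000000-0000-0000-0000-000000000000"  # placeholder application ID

# Constructed to mirror the thread: the workaround changed the id_token only.
ID_TOKEN = constructed_token({"aud": f"{APP_ID} OUR_CUSTOM_ID"})
ACCESS_TOKEN = constructed_token({"aud": APP_ID})


def compare_aud(id_token: str, access_token: str) -> dict:
    """Return the audience list carried by each token."""
    return {
        "id_token": audiences(jwt_claims(id_token)),
        "access_token": audiences(jwt_claims(access_token)),
    }


if __name__ == "__main__":
    print(compare_aud(ID_TOKEN, ACCESS_TOKEN))
    print("id_token accepted for APP_ID:", accepts(jwt_claims(ID_TOKEN), APP_ID))
```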