
BalakrishnaSudabathula-2499 asked:

How do we get the Scope Claim in the JWT Token

We are using new version 2.0 endpoint and it needs to be applied only on the API resource application.

It is important to mention that AAD Application Permissions allow a broad access to tenant-wide resources, so authenticated clients requesting authorization for any available resource in the same tenant will still receive a valid JWT with [aud] claim value of that respective resource.

This means we can’t rely on [aud] claims when enforcing access control; instead we will rely on the Scope claims issued by AAD according to the explicitly granted application permissions to clients.

We have to use scope-based API permissions, but they are not showing in the SCOPE claim in the decoded JSON web token. But if you go with role-based permissions you can see the Roles claim details. Below is the latest update from Microsoft; AppRoles is currently under preview, which is stopping us from going with this route.

UPDATE: November 2020
[appRoles] Azure AD application attribute is now available (in preview) in the portal UI, so alternatively you could change and view the application roles through Azure portal UI settings.

    <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized API Call">
        <openid-config url="https://login.microsoftonline.com/{TenantID}/v2.0/.well-known/openid-configuration" />
        <audiences>
            <audience>{WeatherAPIApplicationID}</audience>
        </audiences>
        <required-claims>
            <claim name="roles">
                <value>Weather.ReadAll</value>
            </claim>
        </required-claims>
    </validate-jwt>

Is there any way to get the API Permission Scope claim in the JSON web token using the client credentials workflow?

azure-active-directory


It is not a good idea to use AppRoles to get the API permissions since it is under preview. If you go with the authorization code grant flow, which is used to fetch access tokens in users' context.

What is the best way to get the Scope claim using application context without the AppRoles?

amanpreetsingh-msft answered:

Hi @BalakrishnaSudabathula-2499, thank you for reaching out.

When you acquire a token under user context, permissions are included in the Scope (SCP) claim and AppRoles are added as Roles claim within the Access Token. However, when the token is requested under application context via Client Credentials flow, permissions are added as Roles claim and not as Scope claim.

This behavior is as per design and you can't get scope claim in Application's access token. To resolve the 401 error, you need to update your application's code to do the authorization based on Roles claim instead of Scope claim or configure it to look for both claims and perform authorization based on whichever claim is present in the Access token.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
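An added example (not from the question or the answer above) of the "authorize on whichever claim is present" approach: it assumes the token has already passed signature, issuer, audience and expiry validation upstream (for example by the validate-jwt policy in the question), then collects permissions from the space-delimited `scp` claim (user context) or the `roles` array (client credentials) and checks them against a required permission. The sample tokens are constructed and unsigned, purely so the code runs offline.

```python
import base64
import json

# Assumption: the token has ALREADY been validated upstream (signature,
# issuer, audience, expiry). This code only inspects claims for authorization.


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_payload(token: str) -> dict:
    """Return the claims of a compact JWT (header.payload.signature)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def granted_permissions(claims: dict) -> set:
    """Collect permissions from whichever claim Azure AD issued.

    User context (auth code flow):    "scp": "Weather.Read Weather.ReadAll"
    App context (client credentials): "roles": ["Weather.ReadAll"]
    A token carrying neither yields an empty set (deny by default).
    """
    perms = set()
    scp = claims.get("scp")
    if isinstance(scp, str):      # scopes are a single space-delimited string
        perms.update(scp.split())
    roles = claims.get("roles")
    if isinstance(roles, list):   # app roles arrive as a JSON array
        perms.update(r for r in roles if isinstance(r, str))
    return perms


def is_authorized(token: str, required: str) -> bool:
    """True if `required` appears in the scp or roles claim of the token."""
    return required in granted_permissions(decode_payload(token))


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned test fixture; real tokens are signed by Azure AD."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.constructed-sig"
```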


BalakrishnaSudabathula-2499 answered:

I have only one concern with going with Role claims, which is under preview. Do you have any idea when it will be approved for public use?
