AzureSDE-3924 asked

How to retrieve application display name from an OAuth access token?

We have internal client applications that access our ASP.NET Core web API using the OAuth client credentials flow. We want to be able to log the name of the client application that submits the request. However, the application name (the display name on the Azure application registration) is not included in the access token. I am guessing we could use the value of the claim 'azp', which appears to be the object id of the client application. However, I am not sure if this is the right approach since I could not find an MSAL class/method that would let me access the application name.

What's the best way to get the name of the client application when the access token only contains the object/client id?

azure-active-directory azure-ad-msal
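One way to act on the 'azp' idea from the question on the API side, as an added example that is not code from this thread or from Microsoft's samples: ASP.NET Core middleware that reads the `azp` (v2.0) or `appid` (v1.0) claim, resolves it to the service principal's display name through Microsoft Graph, caches the result, and logs both the stable app ID and the name. It assumes the JwtBearer handler validated the token earlier in the pipeline and a hypothetical `graphTokenProvider` delegate that returns a Graph token for an identity holding Application.Read.All.

```csharp
// Added example, not from the thread or Microsoft samples. Assumes JwtBearer auth already validated
// the token and a hypothetical graphTokenProvider returning a Graph token with Application.Read.All.
using System; using System.Collections.Concurrent; using System.Threading.Tasks;
using System.Net.Http; using System.Net.Http.Headers; using System.Text.Json;
using Microsoft.AspNetCore.Http; using Microsoft.Extensions.Logging;
public class CallerAppNameMiddleware
{
    // appId -> displayName cache so Graph is not queried on every request.
    private static readonly ConcurrentDictionary<string, string> NameCache = new();
    private readonly RequestDelegate _next;
    private readonly ILogger<CallerAppNameMiddleware> _logger;
    private readonly HttpClient _http;
    private readonly Func<Task<string>> _graphTokenProvider;
    public CallerAppNameMiddleware(RequestDelegate next, ILogger<CallerAppNameMiddleware> logger,
                                   HttpClient http, Func<Task<string>> graphTokenProvider)
    {
        _next = next; _logger = logger; _http = http; _graphTokenProvider = graphTokenProvider;
    }

    public async Task InvokeAsync(HttpContext context)
    {
        // v2.0 access tokens carry the caller's client ID in "azp"; v1.0 tokens use "appid".
        var appId = context.User.FindFirst("azp")?.Value ?? context.User.FindFirst("appid")?.Value;
        if (context.User.Identity?.IsAuthenticated == true && !string.IsNullOrEmpty(appId))
        {
            var name = await ResolveDisplayNameAsync(appId);
            // Log the stable appId next to the name: display names are not unique and can be renamed.
            _logger.LogInformation("Request from client app {AppId} ({AppName})", appId, name ?? "unknown");
        }
        await _next(context);
    }

    private async Task<string?> ResolveDisplayNameAsync(string appId)
    {
        if (NameCache.TryGetValue(appId, out var cached)) return cached;
        // Find the service principal whose appId matches the claim; request only displayName.
        var url = "https://graph.microsoft.com/v1.0/servicePrincipals?$select=displayName&$filter=appId eq '"
                  + Uri.EscapeDataString(appId) + "'";
        using var request = new HttpRequestMessage(HttpMethod.Get, url);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", await _graphTokenProvider());
        using var response = await _http.SendAsync(request);
        if (!response.IsSuccessStatusCode) return null;
        using var json = JsonDocument.Parse(await response.Content.ReadAsStringAsync());
        var matches = json.RootElement.GetProperty("value");
        var name = matches.GetArrayLength() > 0 ? matches[0].GetProperty("displayName").GetString() : null;
        if (name != null) NameCache[appId] = name;
        return name;
    }
}
```

Register it after `UseAuthentication()` so `context.User` is populated, for example `app.UseMiddleware<CallerAppNameMiddleware>(httpClient, graphTokenProvider)`.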

Hi @AzureSDE-3924 , we are investigating your issue and will update you shortly.

Best,
James

Danstan-MSFT answered

There is a similar thread here that should help. You are able to configure what claims are in the access token and customize them. Quoting from the docs:

Access tokens are always generated using the manifest of the resource, not the client. So in the request ...scope=https://graph.microsoft.com/user.read... the resource is the Microsoft Graph API. Thus, the access token is created using the Microsoft Graph API manifest, not the client's manifest. Changing the manifest for your application will never cause tokens for the Microsoft Graph API to look different. In order to validate that your accessToken changes are in effect, request a token for your application, not another app.

Check "How to: Provide optional claims to your app" and "Customize claims emitted in tokens for a specific app in a tenant" to see if these can help.


Thank you. We are going to test this out.


Can you please provide me steps to get the display name in the token?

AzureSDE-3924 answered (edited)

Could someone please point me to where I can find a sample of the ClaimsSchema for an application with 'application name' as a custom claim? Based on the sample active-directory-claims-mapping, this is the ClaimsSchema I have, but I do not see 'appname' listed in the access token. I expected to see a new claim 'appname' added to the access token with the value of the application display name on the app registrations.

 # Each ClaimsSchema entry takes a single JwtClaimType; the policy-level key is "IncludeBasicClaimSet" as in the sample (the original line had "MyApiClaimsMappingPolicy" in its place)
 New-AzureADPolicy -Definition @('{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true","ClaimsSchema":[{"Source":"application","ID":"applicationName","JwtClaimType":"appname"}]}}') -DisplayName "MyApiClaimsMappingPolicy" -Type "ClaimsMappingPolicy"
