Thursday, October 08, 2015

AAD : The OpenID Connect / OAuth claims

There seems to be a lot of confusion regarding the claims delivered from Azure AD when you use the OWIN OpenID Connect plumbing.

I used the GitHub "WebApp-OpenIDConnect-DotNet" sample.

After authentication, I got back:


Notice that the top part of the claims follow the JWT pattern that OpenID Connect (and the bearer tokens AAD issues for OAuth) uses, i.e. the short registered claim names, e.g.

aud = audience (the client ID the token was minted for)
iss = issuer (the tenant-specific STS endpoint)
iat = issued at

etc. (exp and nbf are the ones to check first when a token is rejected).

The bottom half (and there are others that didn't fit into the image) are the long-form claim types you get with classic claims-based identity, e.g. the kind you get if you use the older WIF wrapper (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name and friends).

These are not extra claims from AAD. The JwtSecurityTokenHandler that the OWIN middleware uses rewrites the short JWT names to the WIF-style URIs on the way in (its InboundClaimTypeMap: name -> .../ws/2005/05/identity/claims/name, oid -> .../identity/claims/objectidentifier, tid -> .../identity/claims/tenantid, and so on). Claims that are in the map show up under the long URI, the rest keep their short JWT name, which is why the list looks split in two. This isn't strictly OAuth or OpenID Connect; it is the .NET side "augmenting" the somewhat sparse JWT claims set so that code written against ClaimsPrincipal keeps working. If you would rather see the raw names, clear JwtSecurityTokenHandler.InboundClaimTypeMap before the middleware is configured.

Also note that you do not get role or group claims OOTB.

To get them you need to change the AAD Application manifest: set "groupMembershipClaims" to "SecurityGroup" (or "All") to get a "groups" claim carrying the user's group object IDs, or define "appRoles" and assign users to them to get a "roles" claim. Be aware that if the user is in too many groups AAD sends an overage claim (_claim_names / _claim_sources) instead of the list, and your code has to go to the Graph API for the rest.

Refer:

 Azure Active Directory Part 4: Group Claims

Or you could just use the good, old Azure AD Graph API and look the groups up yourself (e.g. getMemberGroups).
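To show where all of this plugs into the OWIN pipeline, here is an added example of my own (it is not the post's code and not the WebApp-OpenIDConnect-DotNet sample as shipped). It assumes the usual packages (Microsoft.Owin.Security.OpenIdConnect, Microsoft.Owin.Security.Cookies, System.IdentityModel.Tokens.Jwt 4.x), assumes web.config keys named ida:ClientId, ida:AADInstance, ida:Tenant and ida:PostLogoutRedirectUri, and the manifest fragment in the trailing comment is an assumed shape, not copied from a real tenant. It covers both points above: where the short-to-WIF claim mapping happens, and what you have to wire up so the "roles" / "groups" claims (once the manifest is edited) drive [Authorize(Roles = "...")].

```csharp
// Added example, not from the original post or the sample it references.
using System.Configuration;
using System.IdentityModel.Tokens;          // JwtSecurityTokenHandler, TokenValidationParameters
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    // Assumed web.config key names.
    private static readonly string ClientId = ConfigurationManager.AppSettings["ida:ClientId"];
    private static readonly string AadInstance = ConfigurationManager.AppSettings["ida:AADInstance"];
    private static readonly string Tenant = ConfigurationManager.AppSettings["ida:Tenant"];
    private static readonly string PostLogoutRedirectUri = ConfigurationManager.AppSettings["ida:PostLogoutRedirectUri"];

    public void ConfigureAuth(IAppBuilder app)
    {
        // This static map is what turns "name" into ".../claims/name", "oid" into
        // ".../objectidentifier" etc. before the ClaimsIdentity is built.
        // Uncomment to keep the raw JWT claim names instead of the WIF-style URIs.
        // JwtSecurityTokenHandler.InboundClaimTypeMap.Clear();

        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = ClientId,
            Authority = AadInstance + Tenant,
            PostLogoutRedirectUri = PostLogoutRedirectUri,
            TokenValidationParameters = new TokenValidationParameters
            {
                // AAD emits app roles in "roles" and group object IDs in "groups" once the
                // manifest is edited. Naming the role claim type here is what makes
                // [Authorize(Roles = "Admin")] and User.IsInRole() look at the right claim.
                RoleClaimType = "roles",
                NameClaimType = "name"
            },
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                SecurityTokenValidated = ctx =>
                {
                    ClaimsIdentity id = ctx.AuthenticationTicket.Identity;

                    // Group membership arrives as object IDs in "groups", not as role names.
                    // Copy them into role claims so the same [Authorize(Roles = "<group id>")]
                    // plumbing applies to groups as well as to app roles.
                    foreach (Claim g in id.FindAll("groups").ToList())
                        id.AddClaim(new Claim(id.RoleClaimType, g.Value, ClaimValueTypes.String, "AAD-groups"));

                    // Too many groups: AAD replaces the list with an overage marker and you
                    // must fetch the rest from the Graph API. Flag it rather than treating
                    // the user as a member of nothing (fail closed, not open).
                    if (id.HasClaim(c => c.Type == "_claim_names" && c.Value.Contains("groups")))
                        id.AddClaim(new Claim("groups_overage", "true"));

                    return Task.FromResult(0);
                },
                AuthenticationFailed = ctx =>
                {
                    // Swallow the exception page and surface a controlled error instead.
                    ctx.HandleResponse();
                    ctx.Response.Redirect("/Error?message=" + ctx.Exception.Message);
                    return Task.FromResult(0);
                }
            }
        });
    }
}

/* Assumed manifest fragment (edit the application in the Azure portal) that makes the
   claims above appear:
   "groupMembershipClaims": "SecurityGroup",   // emit "groups" (use "All" to include DLs)
   "appRoles": [ { "allowedMemberTypes": [ "User" ], "description": "Administrators",
                   "displayName": "Admin", "id": "<new GUID>", "isEnabled": true,
                   "value": "Admin" } ]         // emit "roles": [ "Admin" ] for assigned users
*/
```

The "groups" claim carries object IDs, not display names, so an authorization check has to compare against the GUID of the group, never against its name; the name can be changed by anyone with the right directory role, the object ID cannot.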

Enjoy!
