Thursday, October 08, 2015

AAD : The OpenID Connect / OAuth claims

There seems to be a lot of confusion regarding the claims delivered from Azure AD when you use the OWIN OpenID Connect plumbing.

I used the GitHub "WebApp-OpenIDConnect-DotNet" sample.

After authentication, I got back:

Notice that the top part of the claims follows the OAuth pattern, e.g.

aud = audience
iss = issuer
iat = issued at


The bottom half (and there are others that didn't fit into the image) are the kind of claims you get with claims-based identity, e.g. the kind you get if you use the older WIF wrapper.

This isn't strictly OAuth but it does provide a way to "augment" the somewhat sparse OAuth claims set.

Also note that you do not get Roles out of the box (OOTB).

To get them you need to change the AAD application manifest.


Azure Active Directory Part 4: Group Claims

Or you could just use the good old Azure AD Graph API.
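The two halves of the claims list described above, and the absence of a roles claim until the manifest asks for one, can be seen by inspecting an id_token's payload directly. The following Python is an added example, not code from the post or from the WebApp-OpenIDConnect-DotNet sample: it splits the OAuth/JWT-style claims from the identity claims that augment them, validates aud, iss and the time window (the checks the OWIN middleware performs for you), and reports what the roles claim contains. The token, tenant and client ids are constructed, and the short-name to WIF URI table is an assumption about the default inbound mapping of the .NET JWT handler; signature verification is intentionally out of scope here and must still happen in the middleware.

```python
import base64
import json
import time

# Claims that follow the OAuth / JWT pattern the post calls out
# (RFC 7519 registered names plus the OIDC / Azure AD ones usually beside them).
OAUTH_STYLE_CLAIMS = {"aud", "iss", "iat", "nbf", "exp", "sub", "nonce",
                      "ver", "tid", "oid", "amr", "idp"}

# Short JWT claim name -> WS-Federation/WIF claim-type URI. Assumed to mirror the
# inbound mapping the .NET JWT handler applies by default (check your handler's
# InboundClaimTypeMap); it is why the "bottom half" of the list looks like WIF.
WIF_CLAIM_MAP = {
    "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "upn": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
    "given_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "family_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "roles": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
}


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_token(payload: dict) -> str:
    """Build a compact JWT with a placeholder signature (constructed test data only)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}.sig-placeholder"


def decode_payload(id_token: str) -> dict:
    """Return the payload claims. The signature is deliberately NOT checked here:
    this helper only inspects claims; validating the signature against the
    tenant's signing keys is the middleware's job and must never be skipped."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def split_claims(claims: dict) -> tuple:
    """Separate the OAuth-style claims from the identity claims that augment them."""
    oauth = {k: v for k, v in claims.items() if k in OAUTH_STYLE_CLAIMS}
    identity = {k: v for k, v in claims.items() if k not in OAUTH_STYLE_CLAIMS}
    return oauth, identity


def to_wif_claims(claims: dict) -> dict:
    """Rename short JWT claims to their WIF claim-type URIs where a mapping exists."""
    return {WIF_CLAIM_MAP.get(k, k): v for k, v in claims.items()}


def validate_core(claims: dict, expected_aud: str, expected_iss: str,
                  now=None, skew: int = 300) -> list:
    """Return the list of problems with aud / iss / time window (empty list = OK)."""
    now = time.time() if now is None else now
    problems = []
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud mismatch")
    if claims.get("iss") != expected_iss:
        problems.append("iss mismatch")
    exp = claims.get("exp")
    if exp is None or now > exp + skew:
        problems.append("expired or missing exp")
    nbf = claims.get("nbf")
    if nbf is not None and now + skew < nbf:
        problems.append("not yet valid (nbf)")
    return problems


def roles_from(claims: dict) -> list:
    """Roles only appear once the app manifest asks for them; absent means []."""
    roles = claims.get("roles", [])
    return list(roles) if isinstance(roles, list) else [roles]


# Constructed sample resembling what the post's sample app receives; every id is fake.
SAMPLE_AUD = "11111111-1111-1111-1111-111111111111"
SAMPLE_ISS = "https://sts.windows.net/22222222-2222-2222-2222-222222222222/"
SAMPLE_PAYLOAD = {
    "aud": SAMPLE_AUD, "iss": SAMPLE_ISS,
    "iat": 1444300000, "nbf": 1444300000, "exp": 1444303600,
    "tid": "22222222-2222-2222-2222-222222222222",
    "oid": "33333333-3333-3333-3333-333333333333",
    "sub": "constructed-subject", "ver": "1.0", "amr": ["pwd"],
    "name": "Example User", "upn": "user@contoso.example",
    "given_name": "Example", "family_name": "User",
}

if __name__ == "__main__":
    token = make_unsigned_token(SAMPLE_PAYLOAD)
    claims = decode_payload(token)
    oauth, identity = split_claims(claims)
    print("OAuth-style:", sorted(oauth))
    print("Identity (WIF form):", sorted(to_wif_claims(identity)))
    print("Problems:", validate_core(claims, SAMPLE_AUD, SAMPLE_ISS, now=1444300100))
    print("Roles:", roles_from(claims))  # [] until the manifest emits them
```

Running it prints the aud/iss/iat-style names first, the name/upn/given_name/family_name claims in their WIF URI form second, an empty problem list for a token whose audience and issuer match, and an empty roles list; adding `"roles": ["Admin"]` to the payload is what a manifest with app roles would change.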


