
I am encountering an issue where Azure AD is returning claims in a format that is unexpected. I think the difference is between version 1 and version 2 of the claims object getting returned. I have looked through the Azure portal for an app setting that deals with this and done various Innerwebs searches but can’t find an answer regarding how to return a particular version instead of another.

I am expecting to get back claims formatted similar to this:

  "AuthenticationType": "Cookies",
  "IsAuthenticated": true,
  "Actor": null,
  "BootstrapContext": null,
  "Claims": [
    {
      "Issuer": "https://login.microsoftonline.com/xxx/v2.0",
      "OriginalIssuer": "https://login.microsoftonline.com/xxx/v2.0",
      "Properties": {},
      "Type": "aud",
      "Value": "yyy",
      "ValueType": "http://www.w3.org/2001/XMLSchema#string"
    } 
    ... etc.

What I am getting is this:

{
  "System.Security.ClaimsIdentity.version": "1.0",
  "System.Security.ClaimsIdentity.nameClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
  "System.Security.ClaimsIdentity.roleClaimType": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
  "System.Security.ClaimsIdentity.claims": "Encrypted value here",
  "m_userToken": {
    "value": 0
  }
}

Any help is greatly appreciated.


Answers


  1. Chosen as BEST ANSWER

    This turned out to be a data integrity issue. Our customer's Azure AD client id was entered with a trailing space. Neither the web app nor Azure trims the string. Once the trailing space was removed everything works as expected.


  2. how to return a particular version instead of another.

    You may have to change the accessTokenAcceptedVersion part of the manifest to 2 if you want a V2 access token. If its value is null or 1, that means your app will only accept the v1 token.


    But please note that scopes for the Microsoft Graph API always return version 1 tokens.

    For example, User.Read is an access token for MS Graph, and those are always V1 access tokens. That means the token is for the Microsoft Graph, not for your particular API. To get a token for your backend API, try to invoke acquireTokenSilent and pass the scopes for that API.

    The v2 authorization endpoint is https://login.microsoftonline.com/tenantid/oauth2/v2.0/authorize and the v2 token endpoint is https://login.microsoftonline.com/tenantid/oauth2/v2.0/token

    whereas the v1 authorization endpoint is like https://login.microsoftonline.com/tenantid/oauth2/authorize? and the v1 token endpoint is https://login.microsoftonline.com/tenantid/oauth2/token

    References:

    1. how-to-get-access-token-version-2
    2. V1 and V2 Identity and Access tokens with Azure Active Directory
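A small diagnostic that ties the two answers together, added here as an example and not code from the thread or from Microsoft's libraries: it decodes a token payload without verifying it, compares the `ver` claim with the manifest's accessTokenAcceptedVersion, and flags an `aud` mismatch caused by whitespace in the configured client id. The tenant and client ids are placeholders, the tokens are constructed and unsigned, and the v1 issuer form https://sts.windows.net/{tenant}/ is assumed from Azure AD's documented token formats.

```python
import base64
import json

# Placeholder ids (not real tenant or app values).
TENANT = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"


def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def make_unsigned_token(payload):
    # Builds a constructed, UNSIGNED JWT so decode_payload() has something to parse.
    return _b64url({"alg": "none", "typ": "JWT"}) + "." + _b64url(payload) + "."


def decode_payload(token):
    # Reads claims WITHOUT signature validation: diagnostics only, never an
    # authorization decision. Real tokens must be validated by the middleware.
    part = token.split(".")[1]
    part += "=" * (-len(part) % 4)
    return json.loads(base64.urlsafe_b64decode(part))


def diagnose(token, configured_client_id, accepted_version):
    """Return findings explaining why the app would reject this token."""
    claims = decode_payload(token)
    findings = []
    ver = claims.get("ver")  # Azure AD sets "1.0" or "2.0"
    if ver != f"{accepted_version}.0":
        findings.append(f"token is ver={ver} but accessTokenAcceptedVersion expects {accepted_version}.0")
    if configured_client_id != configured_client_id.strip():
        findings.append("configured client id has leading/trailing whitespace")
    if claims.get("aud") != configured_client_id:
        findings.append(f"aud {claims.get('aud')!r} != configured client id {configured_client_id!r}")
    if ver == "2.0" and not str(claims.get("iss", "")).endswith("/v2.0"):
        findings.append("ver is 2.0 but issuer is not a /v2.0 issuer")
    return findings


# Constructed sample tokens: v2 issuer as shown in the question, v1 issuer as assumed above.
V2_TOKEN = make_unsigned_token({"ver": "2.0", "iss": f"https://login.microsoftonline.com/{TENANT}/v2.0", "aud": CLIENT_ID})
V1_TOKEN = make_unsigned_token({"ver": "1.0", "iss": f"https://sts.windows.net/{TENANT}/", "aud": CLIENT_ID})

if __name__ == "__main__":
    print(diagnose(V1_TOKEN, CLIENT_ID, 2))        # version mismatch
    print(diagnose(V2_TOKEN, CLIENT_ID + " ", 2))  # trailing-space client id, as in the accepted answer
```

Running it against a real token from your app only requires pasting the token string in place of the constructed ones; the checks themselves do not depend on the signature.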