I have successfully connected an OIDC flow with AzureAD, but unfortunately I'm unable to get `family_name` and `given_name` claims included in the token. I am requesting the following scopes: `{ "openid", "profile", "email", "offline_access" }`

In the Azure App Registration page I have added `family_name` and `given_name` to the manifest under `optionalClaims`, both in `idToken` and `accessToken`, and even set them as essential, but they're still not being returned:
```json
"optionalClaims": {
    "idToken": [
        {
            "name": "email",
            "source": null,
            "essential": false,
            "additionalProperties": []
        },
        {
            "name": "family_name",
            "source": null,
            "essential": true,
            "additionalProperties": []
        },
        {
            "name": "given_name",
            "source": null,
            "essential": true,
            "additionalProperties": []
        }
    ],
    "accessToken": [
        {
            "name": "email",
            "source": null,
            "essential": false,
            "additionalProperties": []
        },
        {
            "name": "family_name",
            "source": null,
            "essential": true,
            "additionalProperties": []
        },
        {
            "name": "given_name",
            "source": null,
            "essential": true,
            "additionalProperties": []
        }
    ]
}
```
This Microsoft page says "These claims are always included in v1.0 Azure AD tokens, but not included in v2.0 tokens unless requested".

I'm using v2 and so I've also tried adding `family_name` and `given_name` to the scopes that I'm requesting in my OIDC call, but it fails and says those scopes don't exist:

```
Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler:
'invalid_client', error_description: 'AADSTS650053: The application 'REMOVED' asked for scope 'given_name' that doesn't exist on the resource '00000003-0000-0000-c000-000000000000'.
```

Any suggestions on how I can get AzureAD to include those claims for me?
2 Answers
The `family_name` and `given_name` claims actually were being included in the token issued by AzureAD - I was only inspecting the final token issued by my local identity server. When I debugged the Callback method and inspected the AzureAD token, not the final token issued locally, I could access the claims from there.
In Azure AD app registration, I have the following optional claims added:

Manifest:

I received the error:

```
AADSTS650053: The application 'kavyarepo' asked for scope 'given_name' that doesn't exist on the resource 'xxx0-000000000000'. Contact the app vendor.
```

when I gave the scope as `given_name`. It must be either `api://clientid/given_name` or `api://clientid/.default`. But generally the user's profile can be fetched with Microsoft Graph permissions; check the steps below:

With the authorize endpoint `https://login.microsoftonline.com/xxx/oauth2/v2.0/authorize` and client credentials, and a scope for Microsoft Graph, i.e. `https://graph.microsoft.com/.default`

Received the code with the below endpoint after the user logged in:

Then after, I used the code at the token endpoint to receive an access token:

```
https://login.microsoftonline.com/xxx/oauth2/v2.0/token?Client_id=9xx-4xxx7&client_secret="xxx"&redirect_uri=https://jwt.ms&scope=https://graph.microsoft.com/.default&code=""
```

When the token was decoded at https://jwt.ms, I received the claims along with the optional claims.

Make sure the scopes include `profile User.Read openid email`, which are Microsoft Graph permissions. These should be granted admin consent for the user while authenticating or through the portal:
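As an added example (not code from the question or from either answer), the Python below builds the v2.0 authorize and token requests for the scopes the answers mention, then inspects tokens the way the first answer did: it decodes the id_token Azure AD returned, reports whether `given_name` / `family_name` are present, and checks that the token being inspected really is Azure AD's (issuer and audience) rather than one re-issued by a local identity server. The tenant, client id, redirect URI and the sample tokens are assumed or constructed; the decoder skips signature verification and is for inspection only.

```python
"""Diagnostics for the Azure AD v2.0 authorization-code flow discussed above.
Added example; tenant, client id, redirect URI and sample tokens are assumed.
decode_jwt_payload() does NOT verify signatures: it only shows what a token
carries, which is the check the first answer describes (look at the token
Azure AD issued, not at the one your local identity server re-issues)."""
import base64
import json
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode

TENANT = "contoso.onmicrosoft.com"                     # assumed tenant
CLIENT_ID = "11111111-2222-3333-4444-555555555555"     # assumed app (client) id
REDIRECT_URI = "https://localhost:5001/signin-oidc"    # assumed redirect URI
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph, as in AADSTS650053
AAD_ISSUER_PREFIX = "https://login.microsoftonline.com/"

# given_name / family_name are claims, not scopes: asking for them as scopes is
# what triggers AADSTS650053. Request the OIDC scopes plus the Graph permission
# the second answer lists (User.Read) and let optionalClaims add the names.
SCOPES = ["openid", "profile", "email", "offline_access", "User.Read"]


def build_authorize_url(state: str, nonce: str) -> str:
    """Browser redirect that starts the code flow (nonce binds the id_token)."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": " ".join(SCOPES),
        "state": state,
        "nonce": nonce,
    }
    return f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize?{urlencode(params)}"


def build_token_request(code: str, client_secret: str) -> Tuple[str, Dict[str, str]]:
    """URL and form body for the code exchange: a POST, with the secret in the body."""
    body = {
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(SCOPES),
    }
    return f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token", body


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> Dict:
    """Payload of a compact JWS; signature NOT checked (diagnostic use only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def name_claims_report(id_token: str, access_token: Optional[str] = None) -> Dict:
    """Which token carries the names, and is the id_token really Azure AD's?"""
    p = decode_jwt_payload(id_token)
    report = {
        "issuer_is_azuread": str(p.get("iss", "")).startswith(AAD_ISSUER_PREFIX),
        "audience_is_this_app": p.get("aud") == CLIENT_ID,
        "given_name": p.get("given_name"),
        "family_name": p.get("family_name"),
    }
    if access_token is not None:
        a = decode_jwt_payload(access_token)
        # A Graph-scoped access token is addressed to Graph, not to this app;
        # it is not the place to read identity claims from.
        report["access_token_for_graph"] = a.get("aud") in (GRAPH_APP_ID, "https://graph.microsoft.com")
    return report


def make_unsigned_jwt(claims: Dict) -> str:
    """Constructed sample token (alg=none, empty signature) so this runs offline."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


# Constructed sample tokens, not real Azure AD output.
SAMPLE_AAD_ID_TOKEN = make_unsigned_jwt({
    "iss": f"{AAD_ISSUER_PREFIX}aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/v2.0",
    "aud": CLIENT_ID, "sub": "user-1", "given_name": "Ada", "family_name": "Lovelace",
})
SAMPLE_GRAPH_ACCESS_TOKEN = make_unsigned_jwt({
    "iss": "https://sts.windows.net/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/",
    "aud": GRAPH_APP_ID, "scp": "User.Read email openid profile",
})
# What a local identity server re-issued: the names were dropped on the way.
SAMPLE_LOCAL_ID_TOKEN = make_unsigned_jwt({
    "iss": "https://localhost:5001", "aud": "my-spa", "sub": "user-1",
})

if __name__ == "__main__":
    print(build_authorize_url(state="s1", nonce="n1"))
    print(name_claims_report(SAMPLE_AAD_ID_TOKEN, SAMPLE_GRAPH_ACCESS_TOKEN))
    print(name_claims_report(SAMPLE_LOCAL_ID_TOKEN))
```

Before trusting any claim in a real deployment, validate the id_token properly (signature against the tenant's JWKS from the OIDC metadata, plus `iss`, `aud`, `nonce` and `exp`); the access token issued for Graph is addressed to Graph and should be treated as opaque by the client.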