0
votes

We need to integrate the Azure AD authentication flow into our existing project. So I found the sample code available here. It basically contains two web projects: an MVC project as the client and a Web API as the server.

We thought of using the "upn" claim from the JWT token to uniquely identify the logged-in user. I ran the sample code and was able to authenticate the user in Azure AD. When I inspect the access token I got from AAD at jwt.io, the claims section doesn't contain the "upn", but I was able to retrieve the "upn" on the client using ClaimsPrincipal.Current.FindFirst(ClaimTypes.Upn). I added this access token as the bearer authorization header and made a call to the Web API. Here I am not able to retrieve the "upn" claim using ClaimsPrincipal.Current.FindFirst(ClaimTypes.Upn). The value is null for this claim. Do I need to do any additional configuration to get it on the server side? As of now I am able to retrieve upn only on the client side.

1
You need to show how you have configured authentication on the API side. Is the access token you fetched meant for the API? (i.e. is its audience claim set to the app ID URI of the API) – juunas
@juunas Yes, the Audience value is the App ID URI of the API. As I said, it's a sample project downloaded from Git. I just changed the web.config values for the Audience and TenantID keys. – Abhilash Bandi

1 Answer

1
votes

The example project in question:

calls a web API under the application's identity, instead of the user's identity

At line 95 of TodoListController it gets the token with:

result = await authContext.AcquireTokenAsync(todoListResourceId, clientCredential);

It is calling the API as itself, so it is an app-only call, not a delegated call. Thus there is no UPN. You would find an appid claim though that identifies the calling app.

Check this other example that makes delegated calls to the API: https://github.com/Azure-Samples/active-directory-dotnet-webapp-webapi-openidconnect/blob/master/TodoListWebApp/Controllers/TodoListController.cs

As you can see there the call acquiring the token is quite different:

// The signed-in user's object id, taken from the claims the web app already holds
string userObjectID = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value;
// Token cache keyed by that user, so the token obtained at sign-in can be reused
AuthenticationContext authContext = new AuthenticationContext(Startup.Authority, new NaiveSessionCache(userObjectID));
ClientCredential credential = new ClientCredential(clientId, appKey);
// Delegated call: the token is acquired for the API on behalf of this user, not for the app itself
result = await authContext.AcquireTokenSilentAsync(todoListResourceId, credential, new UserIdentifier(userObjectID, UserIdentifierType.UniqueId));

Note that the authentication configuration is also different: https://github.com/Azure-Samples/active-directory-dotnet-webapp-webapi-openidconnect/blob/master/TodoListWebApp/App_Start/Startup.Auth.cs.
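To make the app-only versus delegated distinction concrete on the API side, here is an added example (not code from either sample project) that classifies the caller from the claims the OWIN JWT middleware mapped onto ClaimsPrincipal and picks an identifier to log. The claim type URIs for scp and oid, and the unmapped "appid" type, are assumed to be what the .NET JWT handler produces for Azure AD v1 tokens.

```csharp
using System;
using System.Security.Claims;

// Added example, not part of the Azure samples: decide whether an incoming
// Web API call carries a user (delegated token) or only an app identity
// (client-credentials token), and return a subject suitable for audit logs.
public static class CallerInfo
{
    // Claim types as mapped by the JWT handler (assumed); "appid" is not remapped.
    const string ScopeClaim = "http://schemas.microsoft.com/identity/claims/scope";
    const string ObjectIdClaim = "http://schemas.microsoft.com/identity/claims/objectidentifier";
    const string AppIdClaim = "appid";

    public enum CallerKind { Delegated, AppOnly, Unknown }

    public static CallerKind Classify(ClaimsPrincipal principal)
    {
        // A delegated token carries the user's upn and/or an scp claim.
        // An app-only token has neither; it identifies the client via appid.
        // Note: oid is present in both (user vs. service principal), so it
        // cannot be used to tell the two apart.
        bool hasUser = principal.FindFirst(ClaimTypes.Upn) != null
                    || principal.FindFirst(ScopeClaim) != null;
        bool hasApp = principal.FindFirst(AppIdClaim) != null;

        if (hasUser) return CallerKind.Delegated;
        if (hasApp) return CallerKind.AppOnly;
        return CallerKind.Unknown;
    }

    // Prefer oid over upn for a stable user key: a upn can be renamed, an oid cannot.
    public static string AuditSubject(ClaimsPrincipal principal)
    {
        switch (Classify(principal))
        {
            case CallerKind.Delegated:
                string oid = principal.FindFirst(ObjectIdClaim)?.Value;
                string upn = principal.FindFirst(ClaimTypes.Upn)?.Value;
                return "user:" + (oid ?? upn);
            case CallerKind.AppOnly:
                return "app:" + principal.FindFirst(AppIdClaim).Value;
            default:
                // Neither a user nor an application claim: reject rather than guess.
                throw new UnauthorizedAccessException("Token identifies neither a user nor an app.");
        }
    }
}
```

In the API controller, `CallerInfo.AuditSubject(ClaimsPrincipal.Current)` returns something like `app:<client id>` for the first sample and `user:<oid>` for the delegated one, which is the quickest way to see which kind of token actually reached the service.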