7 votes

For my application, I want users to be able to sign in with their Azure account (single sign-on). I also need an access token to access the secured backend. So I get both the id_token and the access_token with a request to this URL:

https://login.microsoftonline.com/MY_TENANT_ID/oauth2/authorize?response_type=id_token+token&client_id=MY_CLIENT_ID&state=SOME_STATE&redirect_uri=MY_REDIRECT_URI&scope=openid profile&resource=MY_CLIENT_ID&nonce=SOME_NONCE

This basically works, but I also want to have the roles in the access token (and in the id token); however, the roles are not included in the tokens I receive.

When I use this URL to only get an id_token, the role claims are included:

https://login.microsoftonline.com/MY_TENANT_ID/oauth2/authorize?response_type=id_token&client_id=MY_CLIENT_ID&state=SOME_STATE&redirect_uri=MY_REDIRECT_URI&scope=openid profile&nonce=SOME_NONCE

The difference is that I request only the id_token (not the token) and I leave out the resource parameter.

My questions are: Why are the role claims not included in the tokens of the first request? What are my options to get the id_token and the access_token with the role claims?

Edit: This is how the app roles are defined in the app's manifest:

{
  "appId": "MY_CLIENT_ID",
  "appRoles": [
    {
      "allowedMemberTypes": [
        "User"
      ],
      "displayName": "Admin",
      "id": "c200e304-fff3-49f1-a4df-e406741ea690",
      "isEnabled": true,
      "description": "Bla bla",
      "value": "admin"
    },
    {
      "allowedMemberTypes": [
        "User"
      ],
      "displayName": "Reader",
      "id": "c534f351-b343-48d0-9dd7-ecb4c5cb402d",
      "isEnabled": true,
      "description": "Bla bla",
      "value": "reader"
    }
  ],
  "availableToOtherTenants": false,
  ...
}
juunas: I've never seen the token parameter used, actually. Have you tried to do the same thing with the authorization code grant flow? I.e. response_type=id_token+code, and then exchanging the code for an access token.

Hinrich: I will give it a try. So do you think this is a bug then?

juunas: Not sure, it seems pretty odd though.

Hinrich: OK, I tried with response_type=id_token+code. With the code I grabbed the tokens from the token endpoint, which gave me the access_token, refresh_token and id_token. Both access_token and id_token are lacking the role claims again. :(

juunas: Could you add how you have defined your roles in the question? A part of the manifest, for example.

1 Answer

1 votes

I can also reproduce the issue. Not sure whether this is a bug or by design, but I found this issue only occurs when we acquire the token for the app itself. For example, if we replace the resource with Azure AD Graph, the role claims could be issued in the id_token successfully.

As a workaround for this issue, I suggest that you acquire the id_token in the first request, and then acquire the access token in an iframe using the ADAL library without user interaction, since the user has already signed in.
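Added example, not part of the question or the answer above: a small Node.js script that checks a returned id_token/access_token pair the way the asker did by hand, reporting which token carries the roles claim and whether the id_token echoes the nonce that was sent (a relying party must check that before accepting the id_token at all). The tokens are constructed, unsigned samples that mimic the two responses described in the question; MY_CLIENT_ID and SOME_NONCE are the placeholders from the question. The script decodes the JWT payloads without verifying signatures, so it is a debugging aid only, never an authorization check: production code must validate the signature against the tenant's signing keys and check iss, aud and exp before trusting any claim.

```javascript
// Added example, not code from the question or the answer: decode the id_token and
// access_token from an authorize/token response and report which of them carries
// the "roles" claim, plus whether the id_token echoes the nonce that was sent.
// Decoding here does NOT verify the signature. This is a diagnostic aid only;
// a relying party must validate signature, iss, aud and exp before trusting claims.

// base64url -> UTF-8 string (JWT segments are unpadded base64url).
function base64UrlDecode(segment) {
  const base64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = base64 + '='.repeat((4 - (base64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

// Return the payload (claims) of a compact JWT without checking the signature.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error('not a compact JWT: expected header.payload.signature');
  }
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Summarise the claims relevant to the question: audience, app roles, nonce.
function describeToken(token) {
  const claims = decodeJwtPayload(token);
  const roles = Array.isArray(claims.roles) ? claims.roles : [];
  return {
    aud: claims.aud,
    roles,
    hasRoles: roles.length > 0,
    nonce: claims.nonce,
  };
}

// Check one id_token/access_token pair. nonceOk must be true before the id_token
// is accepted; the roles flags show which token (if any) carries app roles.
function checkTokenPair(idToken, accessToken, expectedNonce) {
  const id = describeToken(idToken);
  const access = describeToken(accessToken);
  return {
    nonceOk: typeof expectedNonce === 'string' && id.nonce === expectedNonce,
    idTokenHasRoles: id.hasRoles,
    accessTokenHasRoles: access.hasRoles,
    idTokenRoles: id.roles,
    accessTokenRoles: access.roles,
  };
}

// ---- Constructed sample tokens (not real Azure AD tokens) ----
// Builds an unsigned JWT so the example runs offline; real tokens are RS256-signed.
function makeUnsignedJwt(payload) {
  const enc = (obj) =>
    Buffer.from(JSON.stringify(obj)).toString('base64')
      .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.`;
}

const CLIENT_ID = 'MY_CLIENT_ID'; // placeholder, as in the question
const NONCE = 'SOME_NONCE';       // placeholder, as in the question

// Mimics the id_token-only request from the question: roles are present.
const sampleIdTokenWithRoles = makeUnsignedJwt({ aud: CLIENT_ID, nonce: NONCE, roles: ['admin'] });
// Mimics the id_token+token request with resource=MY_CLIENT_ID: no roles in either token.
const sampleIdTokenNoRoles = makeUnsignedJwt({ aud: CLIENT_ID, nonce: NONCE });
const sampleAccessTokenNoRoles = makeUnsignedJwt({ aud: CLIENT_ID, scp: 'user_impersonation' });

console.log('id_token+token response:', checkTokenPair(sampleIdTokenNoRoles, sampleAccessTokenNoRoles, NONCE));
console.log('id_token-only response:', describeToken(sampleIdTokenWithRoles));
```

Run it with `node` and paste real tokens in place of the constructed samples to see, per token, whether roles arrived and for which audience the token was issued; a `nonceOk` of false means the id_token does not belong to the request you made and must be discarded regardless of its other claims.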