4
votes

I have secured my Angular 7 application by using msal.js. I've created a custom policy that returns custom claim types in the id_token and in the access_token. To achieve this, I've been following this tutorial: https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-custom-rest-api-netfw. When I use the acquireTokenSilent() msal.js method, the JWT token does not contain the custom claims (contract, fileUploadAllowed).

When I use the "Run Now" button on the Custom Policy pane in Azure, I do receive an access_token that has the custom claims.

The payload of the JWT token that is generated by running the policy in Azure (some of the values changed):

{
  "iss": "https://login.microsoftonline.com/guid/v2.0/",
  "exp": 1548416392,
  "nbf": 1548455092,
  "aud": "c152h904-835a-496f-8919-e74f5013374c",
  "contract": "Contract03",
  "fileUploadAllowed": false,
  "sub": "25a6ec11-16fd-477a-8917-e0728c69e1db",
  "nonce": "defaultNonce",
  "scp": "portal.read user_impersonation",
  "azp": "c154c904-835a-496f-8919-e74f5087384c",
  "ver": "1.0",
  "iat": 1542213053
}

The payload of the JWT token (access_token) that is generated by msal.js:

{
  "iss": "https://login.microsoftonline.com/guid/v2.0/",
  "exp": 1548416396,
  "nbf": 1548455092,
  "aud": "c152h904-835a-496f-8919-e74f5013374c",
  "sub": "25a6ec11-16fd-477a-8917-e0728c69e1db",
  "nonce": "e6df86c9-7c19-4cb5-a4ac-1aa2a89b1951",
  "scp": "portal.read user_impersonation",
  "azp": "c154c904-835a-496f-8919-e74f5087384c",
  "ver": "1.0",
  "iat": 1542213953
}

I want to receive the custom claims in the access_token that is generated by msal.js. Does anyone know what I should do in order to make this work?

Thank you.

1
Hi @Forlux. What do you mean by the access token that is "generated" by msal.js? It should pass the access token through from Azure AD B2C without manipulation of it. This otherwise invalidates the access token.
Chris Padgett

1 Answer

3
votes

We came across this exact same issue just recently. Just like you, we've implemented our own Custom B2C Policies that would acquire some Custom Claims from our REST API and inject them into our JWT tokens. When tested in Azure using "Run Now" we'd see all our custom claims in both the ID Token as well as the Access Token. But in our SPA with MSAL Angular, each time we silently acquired the Access Tokens they would be missing all our custom claims.

Upon some research, we found that the issue was that none of our custom claims were persisted in the AD Session, hence the reason for missing custom claims.

We've solved it by overriding the "SM-AAD" Technical Profile in our TrustFrameworkExtensions file and specifying which claims we wanted to persist in the session, e.g. you have to add your custom claims to the PersistedClaims collection.

Hope this helps.
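The override described in this answer, written out as an added example (not the answerer's own policy file). It assumes the two custom claims are named as in the question (contract as a string, fileUploadAllowed as a boolean) and that the base SM-AAD profile is the one from the B2C starter pack; the standard persisted claims listed below should match whatever your own TrustFrameworkBase.xml already lists.

```xml
<!-- TrustFrameworkExtensions.xml (fragments). Each fragment sits inside the
     existing BuildingBlocks / ClaimsProviders elements of your extensions file.
     Added example; claim types are assumed from the JSON in the question. -->

<!-- 1. Declare the custom claims if the policy does not already do so. -->
<BuildingBlocks>
  <ClaimsSchema>
    <ClaimType Id="contract">
      <DisplayName>Contract</DisplayName>
      <DataType>string</DataType>
    </ClaimType>
    <ClaimType Id="fileUploadAllowed">
      <DisplayName>File upload allowed</DisplayName>
      <DataType>boolean</DataType>
    </ClaimType>
  </ClaimsSchema>
</BuildingBlocks>

<!-- 2. Override the session management profile. The Id matches the base
     profile, so this definition takes precedence. Any claim not listed in
     PersistedClaims is not stored in the B2C SSO session and is therefore
     absent from tokens issued on a silent renewal (acquireTokenSilent). -->
<ClaimsProviders>
  <ClaimsProvider>
    <DisplayName>Session Management</DisplayName>
    <TechnicalProfiles>
      <TechnicalProfile Id="SM-AAD">
        <PersistedClaims>
          <!-- Standard claims kept from the base profile (assumed) -->
          <PersistedClaim ClaimTypeReferenceId="objectId" />
          <PersistedClaim ClaimTypeReferenceId="signInName" />
          <PersistedClaim ClaimTypeReferenceId="authenticationSource" />
          <PersistedClaim ClaimTypeReferenceId="identityProvider" />
          <!-- Custom claims obtained from the REST API step -->
          <PersistedClaim ClaimTypeReferenceId="contract" />
          <PersistedClaim ClaimTypeReferenceId="fileUploadAllowed" />
        </PersistedClaims>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
</ClaimsProviders>
```

After uploading the changed extensions file, sign in once interactively (so a fresh session is created with the new persisted claims), then call acquireTokenSilent() again and decode the access_token to confirm the two claims are present.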