1
votes

I am trying to use ADFS 2016 with OpenID Connect authentication from a native Android App to obtain an ID Token. The ID Token will then be offered to my server as proof of who the user is and some additional properties (e.g. email, first/last names) as claims.

The ID Token must contain the custom claims - this is my sticking point.

I have configured an Application Group in ADFS and added a Native App and a Web API.

I have represented my server in ADFS as a Web API as it allowed me to specify the custom claim rules. In addition to the custom claim rules I have also set the permitted scopes for my Native Application to 'openid profile email allatclaims'.

The Android library I have been using is the OpenID AppAuth library - it all works brilliantly except the ID Token does not have the additional claims inside.

The Android App is using a grant type of Code using the client ID from the Native App in ADFS. I have set the 'aud' param to be the identifier of the Web API.

I just can’t see what I’m missing which will cause the client to receive an ID Token with these custom claims.

As an additional test I created a macOS app using MS ADAL and that successfully provided the custom claims, but they were in an access_token and it had used SAML.


1 Answer

2
votes

Did you have a look at this sample?

Must have:

  • response_mode is set as form_post
  • Only public clients can get custom claims in ID token
  • The relying party identifier (Web API identifier) should be the same as the client identifier

With KB4019472 installed on your AD FS servers:

  • response_mode is set as form_post
  • Both public and confidential clients can get custom claims in ID token
  • Assign scope allatclaims to the client – RP pair.
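The following PowerShell is an added example, not part of the question or the answer, showing how the three requirements above (Web API identifier equal to the client identifier, custom claim rules on the Web API, and the allatclaims scope granted to the client/RP pair) look when scripted with the AD FS cmdlets on an AD FS 2016 server. The group name, client identifier, redirect URI and the LDAP claim rule are placeholders chosen for illustration; substitute your own values.

```powershell
# Added example (not from the original post): build an AD FS 2016 application
# group that issues custom claims in the ID token to a public (native) client.
# Run in an elevated PowerShell session on an AD FS server.
Import-Module ADFS

$groupName = 'ExampleGroup'                       # assumed group name
$clientId  = 'a1b2c3d4-0000-0000-0000-placeholder'  # placeholder client identifier
$redirect  = 'com.example.app:/oauth2redirect'    # assumed AppAuth redirect URI

New-AdfsApplicationGroup -Name $groupName -ApplicationGroupIdentifier $groupName

# 1. Native (public) client used by the Android app.
Add-AdfsNativeClientApplication -ApplicationGroupIdentifier $groupName `
    -Name "$groupName - Native App" `
    -Identifier $clientId `
    -RedirectUri $redirect

# 2. Custom claim rule (placeholder): pass e-mail, given name and surname
#    through from Active Directory so they appear as claims.
$claimRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send email and names"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";mail,givenName,sn;{0}", param = c.Value);
'@

# 3. Web API (relying party). Its identifier is deliberately the SAME value
#    as the client identifier, per the answer's requirement.
Add-AdfsWebApiApplication -ApplicationGroupIdentifier $groupName `
    -Name "$groupName - Web API" `
    -Identifier $clientId `
    -IssuanceTransformRules $claimRules

# 4. Grant the client -> RP pair the scopes, including allatclaims, which is
#    what lets the custom claims be copied into the ID token.
Grant-AdfsApplicationPermission -ClientRoleIdentifier $clientId `
    -ServerRoleIdentifier $clientId `
    -ScopeNames 'openid', 'profile', 'email', 'allatclaims'

# Verification: list the scopes actually granted to the pair.
Get-AdfsApplicationPermission -ClientRoleIdentifiers $clientId |
    Select-Object ClientRoleIdentifier, ServerRoleIdentifier, ScopeNames
```

On the Android side the authorization request then sends `response_mode=form_post` and, because the Web API identifier equals the client identifier, the `aud` of the resulting ID token matches the identifier the server validates against. Once the custom claims show up in the token, the server should still validate the signature, `iss`, `aud` and expiry before trusting any of the added claim values.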