
I added the groups claim to both the access and ID tokens. (Image: groups claims added to both tokens in the portal.)

I also confirmed that they are defined in the manifest and that groupMembershipClaims = SecurityGroup:

    "groupMembershipClaims": "SecurityGroup",
    "optionalClaims": {
        "idToken": [
            {
                "name": "groups",
                "source": null,
                "essential": false,
                "additionalProperties": []
            }
        ],
        "accessToken": [
            {
                "name": "groups",
                "source": null,
                "essential": false,
                "additionalProperties": []
            }
        ],
        "saml2Token": []
    },

When I fetch the tokens, the groups claim is in the ID token but not in the access token. Is this an AAD bug? I have spent hours googling and trying things. Nothing has worked for me so far.

Access Token

  "oid": "ab7160f43-3595-4b82-abad-3a750ds95b039",
  "platf": "3",
  "puid": "100322000B4FFA971",
  "scp": "openid profile email",
  "sub": "Dd9iRENxMc6sFSOLpqvW-dfLQGgDDUiBvuk4M9PsVus8",
  "tid": "2ed2c5sdf-19e7-4eb3-bfb7-eb26560fb1cc",
  "unique_name": "xxxxxxxxxxx",
  "uti": "D9cxwcvwRUCqmuLTbdd4IOAA",
  "ver": "1.0",
  "wids": [
    "62e90394-69f5-4237-9190-012a177145310",
    "9b895d92-2cd3-44c7-9d02-a6ac2d5eag2c3",
    "c4e39bd9-1100-46d3-8c65-fb16d0da0071f"
  ],
  "xms_st": {
    "sub": "KH969M9F0-jgY2_dA89JzIkvDnt-OsBqltYKxnZv1qc"
  },
  "xms_tcdt": 1587429781
}.[Signature]

Id token

  "iat": 1590181245t,
  "nbf": 15901821456,
  "exp": 15901855353,
  "groups": [
    "636c4e93-0a20-419a-9294-df537346bcda3",
    "837c721c-83e6-4e20-8a35-2545d53043b28",
    "95d05d16-f75a-415a-9c22-846b361777bcd",
    "e1c42670-0726-4e5d-a9bd-8be2cc8776c55",
    "d324302a-470c-4236-b818-c7706f840dc3",
    "ba6f4d61-3927-452e-b2fe-90a5486033537"
  ],
  "idp": "xxxxxx",
  "sub": "KH969M9dF0-jgY2_dA89JzIkvDnH-OsBqltYKrxnZv1qc",
  "tid": "2ed2tc5df-19e7-4e2b3-bfsb7-eb26a560fb1cc",
  "uti": "D9cxwcvwRUCqmruLTb4IOAA",
  "ver": "2.0",
  "wids": [

1 Answer


When you say you want groups in the access token, that only applies to access tokens meant for that app. The access token you show is probably not meant for your app, but another API, that has not defined that it wants groups in the token.

If you need group info in the front-end application, get them from id token. If you need them in back-end, you need to acquire a token for your API, and define that you want groups in the access tokens for that API. You define the API the token is for with the resource/scope parameter when acquiring a token. If you are using v1 endpoint, you define the client id or app ID URI as the resource. If you are using v2 endpoint, then you use the scopes defined in the Expose an API tab of the API app registration.