I have (what I hope) is a fairly straightforward question:
I'm using the AzureAD (brand new to it) Client Credentials flow. I want to add the (displayName or ApplicationID URI) as a claim in the access_token as I want the human readable client_id for logging.
This started because the subject (sub) is the uuid of the client and is immutable (best I can tell). Sure, no worries, so instead I just want to add another claim to the access_token of the displayName or the Application ID URI of the client. I want to use this for logging purposes. I have clicked through most of the AzureAD docs, stackoverflow, google, etc, but it appears my question is too specific so I can't find it.
I looked through the optional claims, but these seem focused on the user's info (I have no users, this is all service to service). https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims
Am I overlooking something obvious here?
Thanks!
Here are the claims in the token; I have redacted the claims as much as possible.
- POST: https://login.windows.net/00000002-0000-0000-c000-000000000000/oauth2/v2.0/token
- Content-Type: application/x-www-form-urlencoded
- Body: client_id, client_secret, scope
{
  "header": {
    "alg": "RS256",
    "kid": "nOo3ZDrODXEK1jKWhXslHR_KXEg",
    "typ": "JWT",
    "x5t": "nOo3ZDrODXEK1jKWhXslHR_KXEg"
  },
  "payload": {
    "aud": "test-audience",
    "iss": "https://sts.windows.net/00000002-0000-0000-c000-000000000000/",
    "iat": 1614866520,
    "nbf": 1614866520,
    "exp": 1614870420,
    "aio": "<snip>",
    "appid": "6644659a-0000-0000-c000-000000000000",
    "appidacr": "1",
    "idp": "https://sts.windows.net/00000002-0000-0000-c000-000000000000/",
    "oid": "<snip>",
    "rh": "0.AAAA<snip>",
    "roles": [
      "test-role"
    ],
    "sub": "01b32d39-0000-0000-c000-000000000000",
    "tid": "00000002-0000-0000-c000-000000000000",
    "uti": "<snip>",
    "ver": "1.0"
  }
}
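Added example (not from the question and not Azure AD's own SDK): a small Python helper that decodes an app-only token shaped like the one above, checks aud and the nbf/exp window, and builds a request-log record keyed on the appid claim, resolving a human-readable name from a local registry because the token itself only carries GUIDs. The KNOWN_CLIENTS map and the sample payload values are assumptions.

```python
import base64
import json
import time
from typing import Optional
# Constructed sample payload mirroring the claims in the question (values are placeholders).
SAMPLE_PAYLOAD = {
    "aud": "test-audience",
    "iss": "https://sts.windows.net/00000002-0000-0000-c000-000000000000/",
    "nbf": 1614866520, "exp": 1614870420,
    "appid": "6644659a-0000-0000-c000-000000000000",
    "roles": ["test-role"],
    "sub": "01b32d39-0000-0000-c000-000000000000",
    "tid": "00000002-0000-0000-c000-000000000000",
}
# Hypothetical local registry maintained by the API owner: appid -> display name.
KNOWN_CLIENTS = {"6644659a-0000-0000-c000-000000000000": "billing-batch-job"}
def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def build_unsigned_jwt(payload: dict) -> str:
    """Compact JWT for offline testing only; the signature segment is left empty."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "placeholder-kid"}
    return ".".join([_b64url(json.dumps(header).encode()), _b64url(json.dumps(payload).encode()), ""])

def decode_payload(token: str) -> dict:
    """Base64url-decode the payload segment. This does NOT verify the signature; a real
    API validates the token against the tenant's signing keys before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))

def caller_log_record(payload: dict, expected_aud: str, now: Optional[int] = None) -> dict:
    """Check aud and the nbf/exp window, then return the fields a request log should carry.
    The token identifies the client only by GUID (appid, sub); the display name comes from
    the local registry, which is the assumption this example makes."""
    now = int(time.time()) if now is None else now
    if payload.get("aud") != expected_aud:
        raise ValueError("audience mismatch")
    if not (payload.get("nbf", 0) <= now < payload.get("exp", 0)):
        raise ValueError("token outside its validity window")
    app_id = payload["appid"]
    return {
        "client_app_id": app_id,
        "client_display_name": KNOWN_CLIENTS.get(app_id, "unknown-client"),
        "subject": payload["sub"],
        "tenant_id": payload["tid"],
        "roles": payload.get("roles", []),
    }
```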
