ADAL JavaScript: Adding additional claims (ADAL JS)

1.4k views Asked by At

I ran the ADAL JS sample SPA project from Github against my Azure AD.

That works well, but I want to add claims to the token after authentication.

In the SPA sample, you add middle-ware as follows:

app.UseWindowsAzureActiveDirectoryBearerAuthentication(
            new WindowsAzureActiveDirectoryBearerAuthenticationOptions
            {
                Audience = ConfigurationManager.AppSettings["ida:Audience"],
                Tenant = ConfigurationManager.AppSettings["ida:Tenant"]
            });

From here, do you have to add additional OAuth middleware to get access to something like Notifications to get to the ClaimsIdentity and AddClaim?

2

There are 2 answers

0
vibronet On BEST ANSWER

You can use the TokenValidationParamenters. See ValidateToken or TokenValidationParameters.CreateClaimsIdentity

0
Leniel Maccaferri On

I found a great sample that handles exactly this... the magic happens inside Provider = new OAuthBearerAuthenticationProvider.

You see that additional claims are added to identity.

// Add bearer token authentication middleware.
app.UseWindowsAzureActiveDirectoryBearerAuthentication(
new WindowsAzureActiveDirectoryBearerAuthenticationOptions
{
  // The id of the client application that must be registered in Azure AD.
  TokenValidationParameters = new TokenValidationParameters { ValidAudience = clientId },
  // Our Azure AD tenant (e.g.: contoso.onmicrosoft.com).
  Tenant = tenant,
  Provider = new OAuthBearerAuthenticationProvider
  {
    // This is where the magic happens. In this handler we can perform additional
    // validations against the authenticated principal or modify the principal.
    OnValidateIdentity = async context =>
    {
      try
      {
        // Retrieve user JWT token from request.
        var authorizationHeader = context.Request.Headers["Authorization"].First();
        var userJwtToken = authorizationHeader.Substring("Bearer ".Length).Trim();

        // Get current user identity from authentication ticket.
        var authenticationTicket = context.Ticket;
        var identity = authenticationTicket.Identity;

        // Credential representing the current user. We need this to request a token
        // that allows our application access to the Azure Graph API.
        var userUpnClaim = identity.FindFirst(ClaimTypes.Upn);
        var userName = userUpnClaim == null
          ? identity.FindFirst(ClaimTypes.Email).Value
          : userUpnClaim.Value;
        var userAssertion = new UserAssertion(
          userJwtToken, "urn:ietf:params:oauth:grant-type:jwt-bearer", userName);

        // Credential representing our client application in Azure AD.
        var clientCredential = new ClientCredential(clientId, applicationKey);

        // Get a token on behalf of the current user that lets Azure AD Graph API access
        // our Azure AD tenant.
        var authenticationResult = await authenticationContext.AcquireTokenAsync(
          azureGraphApiUrl, clientCredential, userAssertion).ConfigureAwait(false);

        // Create Graph API client and give it the acquired token.
        var activeDirectoryClient = new ActiveDirectoryClient(
          graphApiServiceRootUrl, () => Task.FromResult(authenticationResult.AccessToken));

        // Get current user groups.
        var pagedUserGroups =
          await activeDirectoryClient.Me.MemberOf.ExecuteAsync().ConfigureAwait(false);
        do
        {
          // Collect groups and add them as role claims to our current principal.
          var directoryObjects = pagedUserGroups.CurrentPage.ToList();
          foreach (var directoryObject in directoryObjects)
          {
            var group = directoryObject as Group;
            if (group != null)
            {
              // Add ObjectId of group to current identity as role claim.
              identity.AddClaim(new Claim(identity.RoleClaimType, group.ObjectId));
            }
          }
          pagedUserGroups = await pagedUserGroups.GetNextPageAsync().ConfigureAwait(false);
        } while (pagedUserGroups != null);
      }
      catch (Exception e)
      {
        throw;
      }
    }
  }
});