What is it
When a user authenticates to an app (e.g., MS Entra ID application), a custom claims provider can be used to add claims into the token. A custom claims provider is made up of a custom authentication extension that calls an external REST API (e.g., a Function App), to fetch claims from external systems (e.g., a Database). A custom claims provider can be assigned to one or many applications.
Claim: think of a claim as an attribute (a feature) that belongs to the end user. Because claims can carry sensitive enterprise information, the enterprise owner may want to keep this user information in the on-premises environment while still retrieving and using it during the authentication process.
This service is suitable for the following scenarios:
1) As a transitional step while gradually migrating on-premises Active Directory to Microsoft Azure AD.
2) When sensitive user information must, for whatever reason, remain stored in an on-premises environment.
Architecture
Procedure:
How to use it
A-1: Create a Function App from Azure portal
Choose ".NET 6 (LTS), in-process model" as the runtime and "Windows" as the OS.
A-2: Setup a local project via VSCode
dotnet add package Microsoft.Azure.WebJobs.Extensions.AuthenticationEvents --prerelease
A-3: Add/Modify the sample code
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.WebJobs;
using Microsoft.Extensions.Logging;
using Microsoft.Azure.WebJobs.Extensions.AuthenticationEvents.TokenIssuanceStart.Actions;
using Microsoft.Azure.WebJobs.Extensions.AuthenticationEvents.TokenIssuanceStart;
using Microsoft.Azure.WebJobs.Extensions.AuthenticationEvents.Framework;
using Microsoft.Azure.WebJobs.Extensions.AuthenticationEvents;

namespace AuthEventTrigger
{
    public static class Function1
    {
        // The trigger validates the inbound token from Entra ID against these values.
        // AudienceAppId and AuthorityUrl are filled in later (see A-5); the
        // AuthorizedPartyAppId is the fixed client ID of the Entra custom authentication extension service.
        [FunctionName("onTokenIssuanceStart")]
        public static AuthenticationEventResponse Run(
            [AuthenticationEventsTrigger(AudienceAppId = "TBA",
                AuthorityUrl = "https://login.microsoftonline.com/TBA",
                AuthorizedPartyAppId = "99045fe1-7639-4a75-9d4a-577b6ca3810f")] TokenIssuanceStartRequest request,
            ILogger log)
        {
            try
            {
                // Only enrich the token when Entra ID reports the issuance request as successful.
                if (request.RequestStatus == RequestStatusType.Successful)
                {
                    // These claims become available to the app as customClaimsProvider.<name> (see B-2).
                    request.Response.Actions.Add(new ProvideClaimsForToken(
                        new TokenClaim("dateOfBirth", "01/01/2000"),
                        new TokenClaim("customRoles", "Writer", "Editor"),
                        new TokenClaim("apiVersion", "1.0.0"),
                        new TokenClaim("correlationId", request.Data.AuthenticationContext.CorrelationId.ToString())
                    ));
                }
                else
                {
                    log.LogInformation(request.StatusMessage);
                }
                return request.Completed();
            }
            catch (Exception ex)
            {
                // Report the failure back to Entra ID rather than returning a partial response.
                return request.Failed(ex);
            }
        }
    }
}
B-1: Register a custom authentication extension
Name: (e.g., CCP Token issuance event)
Target Url: The URL you obtained in A-3 step 5.
Select Next.
Give the app a name (e.g., CCP Azure Functions authentication events API)
Select Next.
dateOfBirth
customRoles
apiVersion
correlationId
C-1: Configure an App to receive enriched tokens
Under Supported account types, select Accounts in this organizational directory only.
In the Select a platform dropdown in Redirect URI, select Web and then enter https://jwt.ms in the URL text box.
Select Register to complete the app registration.
Under Implicit grant and hybrid flows, select the ID tokens (used for implicit and hybrid flows) checkbox.
Select Save.
Set the acceptMappedClaims to true.
Set the accessTokenAcceptedVersion to 2.
Select Save to save the changes.
B-2: Assign a custom claims provider to your app
From the Overview page, navigate to Manage, and select Single sign-on.
Under Attributes & Claims, select Edit.
Expand the Advanced settings menu.
Next to Custom claims provider, select Configure.
Expand the Custom claims provider drop-down box, and select the custom authentication extension you created earlier (e.g., CCP Token issuance event).
Select Save.
Select Add new claim to add a new claim. Provide a name to the claim you want to be issued, for example dateOfBirth.
Under Source, select Attribute, and choose customClaimsProvider.dateOfBirth from the Source attribute drop-down box.
A-4: Protect your Azure Function
Select Workforce configuration (current tenant).
Under App registration, select Pick an existing app registration in this directory for the App registration type, and pick the app registration you created earlier (e.g., CCP Azure Functions authentication events API).
Enter the following issuer URL, https://login.microsoftonline.com/{tenantId}/v2.0, where {tenantId} is the tenant ID you obtained in C-1 step 4.
Under Client application requirement, select Allow requests from specific client applications. Next to Allowed client applications, click the edit button and add two app IDs: the ID you obtained in B-1 step 8, and the fixed ID 99045fe1-7639-4a75-9d4a-577b6ca3810f.
Under Identity requirement, select Allow requests from any identity.
Under Tenant requirement, select Use default restrictions based on issuer.
Under Unauthenticated requests, select HTTP 401 Unauthorized as the identity provider.
Unselect the Token store option.
Select Add to add authentication to your Azure Function.
A-5: Modify the sample code
B-3: Test
{tenantId} stands for the Tenant ID you obtained in C-1 step 4
{App_to_enrich_ID} stands for the Application ID you obtained in C-1 step 4
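The following is an added example, not code from the original post or from Microsoft. It mirrors two checks from this walkthrough in plain Python: the A-4 restrictions on the token Entra ID presents to the Function (issuer from your tenant, audience equal to the extension's app registration, authorized party limited to the two allowed client applications), and the B-3 test that the four mapped claims actually appear in the enriched ID token. The tenant ID, extension app ID and sample token are constructed placeholders; signature verification is left to App Service authentication and is not re-implemented here.

```python
import base64
import json

# Fixed client ID of the Entra custom authentication extension service (from the page).
ENTRA_AUTH_EXTENSION_APP_ID = "99045fe1-7639-4a75-9d4a-577b6ca3810f"
# Constructed placeholder values for the tenant and the extension's app registration.
TENANT_ID = "11111111-1111-1111-1111-111111111111"
EXTENSION_APP_ID = "22222222-2222-2222-2222-222222222222"
# Claims the sample Function returns and B-2 maps into the application's ID token.
EXPECTED_CLAIMS = ("dateOfBirth", "customRoles", "apiVersion", "correlationId")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def make_unsigned_jwt(payload: dict) -> str:
    """Build a constructed header.payload.signature token for offline testing only."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}.sig"

def decode_jwt_payload(token: str) -> dict:
    """Return the JWT payload; signature validation is left to App Service authentication."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_inbound_token(payload: dict, tenant_id: str, extension_app_id: str) -> list:
    """Mirror the A-4 restrictions: issuer is this tenant's v2.0 endpoint, audience is
    the extension's app registration, azp is one of the two allowed client apps."""
    problems = []
    if payload.get("iss") != f"https://login.microsoftonline.com/{tenant_id}/v2.0":
        problems.append("issuer")
    if payload.get("aud") != extension_app_id:
        problems.append("audience")
    if payload.get("azp") not in {extension_app_id, ENTRA_AUTH_EXTENSION_APP_ID}:
        problems.append("authorized party")
    return problems

def missing_enriched_claims(id_token_payload: dict) -> list:
    """B-3 check: which mapped claims are absent from the enriched ID token."""
    return [c for c in EXPECTED_CLAIMS if c not in id_token_payload]

# Constructed inbound token, shaped like the one Entra ID presents to the extension.
SAMPLE_INBOUND_TOKEN = make_unsigned_jwt({"iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
                                          "aud": EXTENSION_APP_ID, "azp": ENTRA_AUTH_EXTENSION_APP_ID})
```

To run the B-3 check against a real token, paste the payload shown by https://jwt.ms into missing_enriched_claims; an empty list means every mapped claim arrived.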
References
Custom claims provider overview - Microsoft identity platform | Microsoft Learn