I am working on an SPA (Blazor wasm), that uses AzureAD/EntraID with "authorization code flow".
The app is hosted in an ASP.NET Core 8 Web API service, which exposes some simple APIs for now. I have configured the app to request and attach a downstream access token (based on this). The access token is reaching the endpoint. So far so good.
But I also want to use application roles. I have configured them, and I do get them in the ID token (just for reference). But I need those roles on the backend side as well.
How can I include that (or any other claim for that matter from the identity token) into the downstream token?
[Update]
I have figured it out. The issue was that I requested the access token for something else. I had to do the following:
And now the roles are included in the access token because the token is intended for the same application. Indeed, roles unknown to the other API are useless to include.
To get app roles in the access token, check the following:
Expose an API and add scope in the Microsoft Entra ID application:
Created App role:
Grant API permissions as below:
In the Enterprise application, assign a user to this app role:
As a sample, I generated tokens for the API via Postman using the parameters below:
POST https://login.microsoftonline.com/TenantId/oauth2/v2.0/token
grant_type:authorization_code
client_id:ClientID
client_secret:ClientSecret
scope:api://xxx/.default
code:code
redirect_uri:https://jwt.ms
When I decoded the token, the roles claim is displayed in the access token:
If the issue still persists, check the following:
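The root cause in both the question's update and this answer is the token's audience: roles only appear in an access token minted for the app's own exposed API (the `api://xxx/.default` scope), not in one requested for another resource. The following diagnostic, added here as an example and not part of the original post or of Microsoft's libraries, decodes a token's payload with only the standard library and reports whether the `aud` claim matches the expected API and whether `roles` is present. It does not verify the signature; that remains the job of the API's JWT bearer middleware. The expected audience and the sample tokens are constructed placeholders, not real tenant or application identifiers.

```python
import base64
import json

# Placeholder App ID URI for the API (constructed, not a real application).
# Depending on the app's accessTokenAcceptedVersion, Entra may emit the client ID
# GUID instead of the api:// URI as aud, so accept either form.
EXPECTED_AUDIENCES = {
    "api://00000000-0000-0000-0000-000000000000",
    "00000000-0000-0000-0000-000000000000",
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(payload: dict) -> str:
    """Build a constructed, UNSIGNED demo token with the given claims.

    Real Entra access tokens are RS256-signed; this helper exists only so the
    diagnostic below has something to parse offline.
    """
    header = {"alg": "none", "typ": "JWT"}  # demo header, never accepted by a real API
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        "demo-signature",
    ])


def decode_payload(token: str) -> dict:
    """Return the claims of a compact JWT without verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def diagnose(token: str, expected_audiences: set = EXPECTED_AUDIENCES) -> dict:
    """Explain why app roles may be missing from an access token."""
    claims = decode_payload(token)
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    aud_ok = any(a in expected_audiences for a in audiences)
    scp = claims.get("scp")
    scopes = scp.split() if isinstance(scp, str) else []
    roles = claims.get("roles", [])

    if not aud_ok:
        hint = ("token was requested for a different resource; request the API's own "
                "scope (api://<app-id-uri>/.default or the exposed scope) so aud is this API")
    elif not roles:
        hint = "aud is correct but no roles claim: check the app role assignment in the Enterprise application"
    else:
        hint = "ok: roles present for the API audience"

    return {
        "audience": audiences,
        "aud_matches_api": aud_ok,
        "scopes": scopes,
        "roles": roles,
        "hint": hint,
    }


if __name__ == "__main__":
    # Constructed sample: token minted for the API itself, with an assigned app role.
    good = make_sample_token({
        "aud": "api://00000000-0000-0000-0000-000000000000",
        "scp": "access_as_user",
        "roles": ["Admin"],
    })
    # Constructed sample: token minted for a different resource, so no app roles.
    other = make_sample_token({"aud": "https://graph.microsoft.com", "scp": "User.Read"})
    for name, tok in (("api-token", good), ("other-resource-token", other)):
        print(name, diagnose(tok))
```

Run it against a real token by pasting the compact JWT string into `diagnose()` with your own App ID URI in `EXPECTED_AUDIENCES`; if `aud_matches_api` is false, the Blazor client is still requesting the token for the wrong scope, which is exactly the fix described in the update above.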