AAD: ifEmpty ClaimsTransformation in JWT token


I am trying to add custom claim for JWT token with the following logic:

  1. If claim “userprincipalname” is present, it should be in result claim.
  2. If “userprincipalname” is missing, claim “objectid” should be returned.

According to the MS documentation, ifEmpty function is a good candidate for that.
The description says the following:

Outputs an attribute or constant if the input is null or empty. For example, if you want to output an attribute stored in an extension attribute if the employee ID for a user is empty. To perform this function, configure the following values: Parameter 1 (input): user.employeeid, Parameter 2 (output): user.extensionattribute1, and Parameter 3 (output if there's no match): user.employeeid.

Unfortunately there is no example of using the ifEmpty function, only simpler ones.

I tried the following:

{
  "ClaimsMappingPolicy": {
    "Version": 1,
    "IncludeBasicClaimSet": "true",
    "ClaimsSchema": [
      {
        "Source": "application",
        "ID": "objectid",
        "JwtClaimType": "prn1"
      },
      {
        "Source": "user",
        "ID": "userprincipalname",
        "JwtClaimType": "prn2"
      },
      {
        "Source": "transformation",
        "TransformationID": "userOrApp",
        "ID": "newsub",
        "JwtClaimType": "prn"
      }
    ],
    "ClaimsTransformations": [
      {
        "ID": "userOrApp",
        "TransformationMethod": "IfEmpty",
        "InputClaims": [
          {
            "ClaimTypeReferenceId": "userprincipalname",
            "TransformationClaimType": "inputClaim1"
          },
          {
            "ClaimTypeReferenceId": "objectid",
            "TransformationClaimType": "inputClaim2"
          },
          {
            "ClaimTypeReferenceId": "usertype",
            "TransformationClaimType": "inputClaim3"
          }
        ],
        "OutputClaims": [
          {
            "ClaimTypeReferenceId": "newsub",
            "TransformationClaimType": "outputClaim"
          }
        ]
      }
    ]
  }
}

and added it as an AzureADPolicy:
New-AzureADPolicy -Definition @('{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true","ClaimsSchema":[{"Source":"application","ID":"objectid","JwtClaimType":"prn1"},{"Source":"user","ID":"userprincipalname","JwtClaimType":"prn2"},{"Source":"transformation","TransformationID":"userOrApp","ID":"newsub","JwtClaimType":"prn"}],"ClaimsTransformations":[{"ID":"userOrApp","TransformationMethod":"IfEmpty","InputClaims":[{"ClaimTypeReferenceId":"userprincipalname","TransformationClaimType":"inputClaim1"},{"ClaimTypeReferenceId":"objectid","TransformationClaimType":"inputClaim2"},{"ClaimTypeReferenceId":"usertype","TransformationClaimType":"inputClaim3"}],"OutputClaims":[{"ClaimTypeReferenceId":"newsub","TransformationClaimType":"outputClaim"}]}]}}') -DisplayName "newsub" -Type "ClaimsMappingPolicy"

The policy is created successfully, but “prn” never appears in the resulting JWT token, although simpler solutions like toUpper work perfectly, e.g.:

{
  "ClaimsMappingPolicy": {
    "Version": 1,
    "IncludeBasicClaimSet": "true",
    "ClaimsSchema": [
      {
        "Source": "application",
        "ID": "objectid",
        "JwtClaimType": "prn1"
      },
      {
        "Source": "user",
        "ID": "userprincipalname",
        "JwtClaimType": "prn2"
      },
      {
        "Source": "transformation",
        "TransformationID": "toUpperCase",
        "ID": "newsub",
        "JwtClaimType": "prn"
      }
    ],
    "ClaimsTransformations": [
      {
        "ID": "toUpperCase",
        "TransformationMethod": "ToUppercase",
        "InputClaims": [
          {
            "ClaimTypeReferenceId": "userprincipalname",
            "TransformationClaimType": "sourceClaim"
          }
        ],
        "OutputClaims": [
          {
            "ClaimTypeReferenceId": "newsub",
            "TransformationClaimType": "outputClaim"
          }
        ]
      }
    ]
  }
}

It seems that the issue is that I provide two input claims (inputClaim1, inputClaim2), but according to the description it should be 1 input parameter and 2 output ones, and I did not find any example of such syntax. How should a proper policy definition be written?
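Since New-AzureADPolicy accepts the definition above without complaint, it helps to check that the policy's internal references line up before debugging the token itself. The Python below is an added example, not code from the original post or from Microsoft: it loads the posted IfEmpty policy and checks that every TransformationID and every ClaimTypeReferenceId resolves to a defined entry. The rules it applies are an assumption about how a consistent policy should look, inferred from the structure of the policies in the question, not a documented Azure AD validation rule. On the posted policy it reports one dangling reference: inputClaim3 points at a claim ID, usertype, that has no ClaimsSchema entry. Whether or not that is what keeps prn out of the token, it is the kind of inconsistency worth removing before looking further.

```python
import json

# The IfEmpty policy from the question above, reproduced verbatim (compacted).
POLICY_JSON = """
{
  "ClaimsMappingPolicy": {
    "Version": 1,
    "IncludeBasicClaimSet": "true",
    "ClaimsSchema": [
      {"Source": "application", "ID": "objectid", "JwtClaimType": "prn1"},
      {"Source": "user", "ID": "userprincipalname", "JwtClaimType": "prn2"},
      {"Source": "transformation", "TransformationID": "userOrApp",
       "ID": "newsub", "JwtClaimType": "prn"}
    ],
    "ClaimsTransformations": [
      {
        "ID": "userOrApp",
        "TransformationMethod": "IfEmpty",
        "InputClaims": [
          {"ClaimTypeReferenceId": "userprincipalname", "TransformationClaimType": "inputClaim1"},
          {"ClaimTypeReferenceId": "objectid", "TransformationClaimType": "inputClaim2"},
          {"ClaimTypeReferenceId": "usertype", "TransformationClaimType": "inputClaim3"}
        ],
        "OutputClaims": [
          {"ClaimTypeReferenceId": "newsub", "TransformationClaimType": "outputClaim"}
        ]
      }
    ]
  }
}
"""


def lint_claims_mapping_policy(policy_json):
    """Return a list of human-readable problems found in a ClaimsMappingPolicy.

    The rules are an assumption about how a consistent policy should look,
    inferred from the policy structure; they are not Microsoft's documented
    validation:
      1. Every ClaimsSchema ID is unique.
      2. A schema entry with Source "transformation" names an existing
         ClaimsTransformations ID.
      3. Every ClaimTypeReferenceId in a transformation's InputClaims or
         OutputClaims is an ID defined in ClaimsSchema.
      4. A transformation's output claim is the schema entry that points
         back at that transformation.
    """
    policy = json.loads(policy_json)["ClaimsMappingPolicy"]
    schema = policy.get("ClaimsSchema", [])
    transformations = policy.get("ClaimsTransformations", [])
    problems = []

    # Rule 1: index schema entries by ID, flagging missing or duplicate IDs.
    schema_by_id = {}
    for entry in schema:
        cid = entry.get("ID")
        if cid is None:
            problems.append("ClaimsSchema entry has no ID: %r" % (entry,))
        elif cid in schema_by_id:
            problems.append("duplicate ClaimsSchema ID %r" % cid)
        else:
            schema_by_id[cid] = entry

    transformation_ids = {t.get("ID") for t in transformations}

    # Rule 2: transformation-sourced claims must name a defined transformation.
    for entry in schema:
        if entry.get("Source") == "transformation":
            tid = entry.get("TransformationID")
            if tid not in transformation_ids:
                problems.append(
                    "schema claim %r references undefined TransformationID %r"
                    % (entry.get("ID"), tid))

    # Rules 3 and 4: every referenced claim exists; outputs point back here.
    for t in transformations:
        tid = t.get("ID")
        for role in ("InputClaims", "OutputClaims"):
            for ref in t.get(role, []):
                cid = ref.get("ClaimTypeReferenceId")
                if cid not in schema_by_id:
                    problems.append(
                        "transformation %r %s references undefined claim %r"
                        % (tid, role, cid))
                elif role == "OutputClaims":
                    entry = schema_by_id[cid]
                    if (entry.get("Source") != "transformation"
                            or entry.get("TransformationID") != tid):
                        problems.append(
                            "output claim %r of transformation %r is not declared "
                            "with Source 'transformation' pointing at %r"
                            % (cid, tid, tid))
    return problems


if __name__ == "__main__":
    for problem in lint_claims_mapping_policy(POLICY_JSON):
        print("WARNING:", problem)
```

Run it on the JSON you are about to pass to New-AzureADPolicy; an empty list means the references are at least self-consistent, which is a precondition for the transformation to have anything to operate on, not a guarantee that the emitted claim will appear.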
