Custom OIDC claims in JWT token for Azure AD [PART 2]

Custom OIDC claims now seem to be supported using the Azure AD integration. See documentation 3.7:

Under Optional configurations, enter custom OIDC claims that you wish to add to your Access application token.

I’ve added a few optional claims which are now part of the identity part of the global session token:

...
"oidc_fields": {
    "roles": [
      "XY_ADMIN"
    ],
    "family_name": "abc",
    "given_name": "def"
}
...

However, contrary to what is stated in the documentation (see above), the custom claims are not part of the access application token and therefore cannot be processed by the actual application.

Am I missing something here?

EDIT: See Access JWTs documentation for clarification on what I’m referring to with global session token & application token

JWT payload via CF_Authorization cookie @ global session scope (with oidc_fields)

{
  "aud": [
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
  ],
  "email": "xxxx",
  "account_id": "1234123234234234",
  "exp": 1695988661,
  "iat": 1695967061,
  "nbf": 1695967061,
  "iss": "https://xxxxxx.cloudflareaccess.com",
  "sub": "aaaaaaaaaaa",
  "identity": {
    "id": "aaaaaaaaaaa",
    "name": "X Y",
    "email": "[email protected]",
    "amr": [
      "pwd",
      "fido",
      "mfa"
    ],
    "oidc_fields": {
      "roles": [
        "X_ADMIN"
      ],
      "family_name": "X",
      "given_name": "Y"
    },
    "idp": {
      "id": "aaaaaaaaaaa",
      "type": "azureAD"
    },
    "geo": {
      "country": "DE"
    },
	.......
  },
  "type": "org",
  "identity_nonce": "abcdef"
}

JWT payload via CF_Authorization cookie @ application token (no oidc_fields)

{
  "aud": [
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
  ],
  "email": "[email protected]",
  "exp": 1695988880,
  "iat": 1695967280,
  "nbf": 1695967280,
  "iss": "https://xxxxxx.cloudflareaccess.com",
  "type": "app",
  "identity_nonce": "abcdef",
  "sub": "aaaaaaaaaaa",
  "country": "DE"
}

Hi from the Access team!

You should be able to get this value using the Get-Identity endpoint which is scoped to a specific application session. Application token · Cloudflare Zero Trust docs

This endpoint is: [applicationDomain]/cdn-cgi/access/get-identity
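As an added example (not code from this thread, from Cloudflare, or from the Access team), the following Python shows what an application behind Access has to do given the behaviour described above: validate the application-scoped CF_Authorization JWT, notice that identity.oidc_fields is absent from it, and fetch the fields from /cdn-cgi/access/get-identity instead. The team domain, audience tag, both tokens and the get-identity document are constructed from the placeholder payloads posted earlier in the thread; the assumed response shape (oidc_fields at the top level, mirroring the "identity" object of the global token) and the email cross-check are my assumptions. The tokens are unsigned (alg none) so the script runs offline; a real deployment must verify the RS256 signature against the team's /cdn-cgi/access/certs before reading a single claim, which is stubbed here as verify_signature.

```python
import base64
import io
import json
import time
import urllib.request
from typing import Callable, Optional

# Values taken from the payloads posted above (placeholders, not real IDs).
TEAM_DOMAIN = "https://xxxxxx.cloudflareaccess.com"   # the "iss" claim
APP_AUD = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"           # the "aud" claim
SAMPLE_NOW = 1695967300                                # inside the posted nbf/exp window


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_jwt(payload: dict) -> str:
    """alg=none JWT for this offline demo only; never accept unsigned tokens in production."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(payload).encode())}."


def verify_signature(token: str) -> None:
    """Stub (assumption): a real app verifies RS256 against TEAM_DOMAIN + '/cdn-cgi/access/certs'."""
    return None


def decode_app_token(token: str, now: Optional[int] = None) -> dict:
    """Validate and return the claims of an application-scoped CF_Authorization JWT."""
    verify_signature(token)
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != TEAM_DOMAIN:
        raise ValueError("unexpected issuer")
    if APP_AUD not in claims.get("aud", []):
        raise ValueError("token was not issued for this application")
    if claims.get("type") != "app":
        # "org" marks the global session token; an app must only accept its own "app" token.
        raise ValueError("not an application token")
    if not claims.get("nbf", 0) <= now < claims.get("exp", 0):
        raise ValueError("token expired or not yet valid")
    return claims


def roles_from_token(claims: dict) -> Optional[list]:
    """Roles only exist here if Access copied identity.oidc_fields into the token (it does not today)."""
    return claims.get("identity", {}).get("oidc_fields", {}).get("roles")


def fetch_identity(app_domain: str, cookie: str,
                   opener: Callable = urllib.request.urlopen) -> dict:
    """GET <app>/cdn-cgi/access/get-identity, presenting the same CF_Authorization cookie."""
    req = urllib.request.Request(
        f"{app_domain}/cdn-cgi/access/get-identity",
        headers={"Cookie": f"CF_Authorization={cookie}"},
    )
    with opener(req) as resp:
        return json.load(resp)


def roles_for_request(cookie: str, app_domain: str,
                      opener: Callable = urllib.request.urlopen,
                      now: Optional[int] = None) -> list:
    """Prefer roles from the token; fall back to get-identity when they are absent."""
    claims = decode_app_token(cookie, now=now)
    roles = roles_from_token(claims)
    if roles is None:
        identity = fetch_identity(app_domain, cookie, opener)
        # Assumption: the response mirrors the "identity" object of the global token,
        # so bind it back to the validated token before trusting it.
        if identity.get("email") != claims.get("email"):
            raise ValueError("get-identity response does not match the token")
        roles = identity.get("oidc_fields", {}).get("roles", [])
    return roles


# Constructed test data modelled on the two payloads posted in the thread.
APP_CLAIMS = {"aud": [APP_AUD], "email": "user@example.com", "exp": 1695988880,
              "iat": 1695967280, "nbf": 1695967280, "iss": TEAM_DOMAIN,
              "type": "app", "identity_nonce": "abcdef", "sub": "aaaaaaaaaaa", "country": "DE"}
ORG_CLAIMS = {**APP_CLAIMS, "type": "org",
              "identity": {"email": "user@example.com",
                           "oidc_fields": {"roles": ["X_ADMIN"], "family_name": "X", "given_name": "Y"}}}
IDENTITY_DOC = ORG_CLAIMS["identity"]   # what get-identity is assumed to return
APP_TOKEN = make_unsigned_jwt(APP_CLAIMS)
ORG_TOKEN = make_unsigned_jwt(ORG_CLAIMS)


def fake_opener(req: urllib.request.Request) -> io.BytesIO:
    """Offline stand-in for urlopen that serves the constructed identity document."""
    assert req.full_url.endswith("/cdn-cgi/access/get-identity")
    return io.BytesIO(json.dumps(IDENTITY_DOC).encode())


if __name__ == "__main__":
    print(roles_from_token(decode_app_token(APP_TOKEN, SAMPLE_NOW)))
    print(roles_for_request(APP_TOKEN, "https://app.example.com", fake_opener, SAMPLE_NOW))
```

The type check matters as much as the fallback: the global session token (type "org") carries oidc_fields but is not issued for the application, so an app that accepted it just to read the claims would be trusting a token outside its audience; the roles have to come from get-identity, presented with the validated application cookie, as the Access team describes.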

Thanks for your reply!

I can confirm that the custom OIDC fields can be accessed using the Get-Identity access point. As some of our most protected apps are heavily restricted in terms of outbound connection permissions, it would be easier if the values are a part of the access token.

Plus, the documentation suggests that this should already be the case:

…enter custom OIDC claims that you wish to add to your Access application token.

So, I’m wondering if there are any plans to implement that in the near future? I understand that due to bandwidth considerations, only a subset of the user’s identity is available. Still, I would assume that values that are explicitly added as custom OIDC claims might need to be accessed quite frequently.

If not, it might be helpful to others to update the documentation accordingly.

Thanks!
Alex

Update okta.md by kennyj42 · Pull Request #11389 · cloudflare/cloudflare-docs (github.com) I’ve opened a PR to clear this up. Sorry for the delay! We’ll also consider getting this added to the token optionally in the future, I know that would be easier. :slight_smile:


Thanks!
An option to directly add this to the token would be much appreciated :grinning:
