Custom signing key Section does not Mention acceptMappedClaims as an alternative #5111
The document mentions that you must use a Custom Signing key, but doesn't mention that you can get around that limitation by simply editing the app manifest to set "acceptMappedClaims" to true. Not only is the latter option much easier to set up and maintain, and makes ID token validation much easier to do, but it is also much more secure because it does not require a symmetric key to be transferred (and possibly stored) on client devices, which seems to be a huge security concern. I think a lot of people are going to go down the wrong path and implement something that is insecure because they didn't realize there was a much easier and secure way to do it.
@chrisetler I just wanted to let you know that first, we are in the process of updating this doc, so a future version should call out using acceptMappedClaims. Second, I verified that it is okay to use acceptMappedClaims if it's an app that is configured on the tenant (as opposed to a multi-tenant app or SAML SP), and if the client side code handles key rolls, since tokens will be signed with the AAD signing key, which may roll at any time. If an app uses acceptMappedClaims, it must be careful to handle the issuer validation, to provide proper isolation between tenants (e.g., if tenant 1 sets up a claims mapping to issue UPN == email@example.com, the app must be validating the issuer so that it doesn't incorrectly provide access to tenant 2's data). Finally, we don't use a symmetric key, it's an asymmetric key (certificate), so the client just gets the public key, the same as tokens signed using the AAD global signing key.
At this point thank you again for bringing this up as it will help us improve the docs and unless there is anything else I will close this out later today.
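The issuer-isolation point in the reply above, as an added example that is not code from the issue thread or from Microsoft's docs: the mapped `upn` claim is controlled by whichever tenant issued the token, so the app must bind identity to (issuer tenant, upn) and reject tokens from any other tenant. The tenant id, client id and token claims are constructed sample values, and the example assumes the token's signature was already verified against Azure AD's JWKS (re-fetching on an unknown `kid`, since the signing key can roll at any time); the unsigned token builder exists only to feed the demo.

```python
import base64
import json
import time

# Constructed sample values (not from the issue): the tenant this app is
# registered in, its client id, and the issuer formats Azure AD uses.
EXPECTED_TENANT = "11111111-1111-1111-1111-111111111111"
EXPECTED_AUDIENCE = "app-client-id-placeholder"
ISSUER_FORMATS = (
    "https://login.microsoftonline.com/{tid}/v2.0",
    "https://sts.windows.net/{tid}/",
)


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims):
    """Build a constructed, JWT-shaped token for the demo (no real signature)."""
    header = _b64url_encode(json.dumps({"alg": "none"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def validate_claims(token, now=None):
    """Return (tenant_id, upn) only if the token was issued by our tenant.

    Assumes the signature was already verified against Azure AD's JWKS.
    """
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    now = time.time() if now is None else now
    if payload.get("exp", 0) <= now:
        raise ValueError("token expired")
    if payload.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("wrong audience")
    tid = payload.get("tid")
    # Any tenant can map 'upn' to any value (e.g. email@example.com), so the
    # issuer must be our own tenant before the mapped claim means anything.
    trusted_issuers = {fmt.format(tid=tid) for fmt in ISSUER_FORMATS}
    if tid != EXPECTED_TENANT or payload.get("iss") not in trusted_issuers:
        raise ValueError("issuer not trusted for this app")
    return tid, payload.get("upn")
```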
I have an app registration with
Am I missing something? And when is the documentation going to get updated? It's been over a year and there is still no mention of
And just to clarify, I have a mobile app where I need an additional mapped claim, meaning I do not have a