BFF, Access Token & Custom Claims

[buzzripper]

Can the BFF framework do anything to help me add custom claims to the access tokens? I realize that's not its main mission, but looking to see if it has anything related to access tokens. I'm planning on using Azure Entra ID External for my IdP, but looking for a way to augment the access token without resorting to Entra's "token issuance event", which seems to be quite complex.

I'm still in the planning stages, so I'm to any and all ideas. Thanks!

[Erwinvandervalk]

Hi Buzzripper,

Sorry, you can't use the BFF for that. The bff only requests access token from your IDP, then forwards them on to your target api's.

You can use the BFF to add additional claims to the currently logged in user (when using local api's) but not when calling remote api's.

If you're using entra ID as your IDP, I suggest looking at this guide to see how you can add additional claims to access tokens:

https://learn.microsoft.com/en-us/entra/identity-platform/optional-claims?tabs=appui

[buzzripper]

Thanks Erwin. That link is good, but i'm looking for a more dynamic method for adding claims (i.e. coming from my application/database). The Entra 'custom claims provider' (token issuance event) does just that by calling into my API at the time of issuance, to get additional claims. It's just a bit complex and I was just wondering if there were any easier ways to tackle this, that's all. But I'm pretty sure any other options are no easier lol!

Thanks! Btw just listened to your Dotnet Rocks podcast, great job!