Dasith Wijesiriwardena

Software Engineer | Solutions Architect | Tech Speaker | Geek with an unhealthy fascination for distributed systems and a #microsoftie. Not in that order. I’m currently based in Melbourne and work for Microsoft.

I’ve been developing software for close to 2 decades now. Since my early days of playing with C++, VB, ASP and PHP, software development has gone through a paradigm shift. These days I mostly work on things that run natively on the cloud and edge. Join me on my journey through the world of .NET and all things distributed.

Consider any opinions expressed here as my own.

1 minute read

I am currently working on a project that uses EasyAuth to protect a web app hosted on Azure App Services. Think of it as a layer that operates above your web app that handles authentication and then inserts some special headers with the logged in users information. Your backend web application can read these special headers and extract claims about the user.

The Problem

Out of the box it includes things like name, oid and upn of the logged in user. One thing very noticeably was missing was the email claim. It’s very tempting to treat the upn as the email but they represent two different things in Azure AD.

Solution

optional claims in app manifest

Lucky for us it’s very easy to ask for additional claims from Azure AD. If you haven’t already created an app registration it’s a good time to do it now. (This post is a good place to start if you have EasyAuth in the mix). The solution isn’t specific to EasyAuth though. I have used this method with ADAL.js when implementing the OAuth Implicit Flow as well.

  1. In the Azure Portal open up your app registration.
  2. Click Manifest and proceed to editing it.
  3. Add the following to your optionalClaims section. 
     "optionalClaims": 
{
     "idToken": [
         {
             "name": "email",
             "source": null,
             "essential": true,
             "additionalProperties": []
         }
     ]
 }

    A full list of supported claims can be found in the Microsoft documentation. Take note of what claims are supported in Azure AD 1.0 vs 2.0

  4. Hit Save to persist your changes.

  5. Go to your app to test it out. Make sure you log out of any existing session and log back in to force Azure AD to issue an id token with the new specified claims. You can use jwt.io to decode your new id token and inspect the claims to make sure it worked.

     "email": "dasith.wijes@mycompany.net", // this is the one
 "family_name": "Wijes",
 "given_name": "Dasith",
 "name": "Dasith Wijes",
 "unique_name": "dasith.wijes@mycompany.net", // that's not it
 "upn": "dasith.wijes@mycompnay.net", // not it either
 "ver": "1.0"

That’s pretty much it. Good luck and happy coding.

Leave a comment

You may also enjoy

LLM Prompt Injection Considerations With Tool Use

8 minute read

My team at Microsoft Industry Solutions Engineering have recently been building heaps of LLM based solutions for customers of varying sizes across industries. There are some patterns that are emerging from these solutions and today I wanted to write about a pattern we used at a customer to prevent a class of prompt injection attacks with regards to tool use. Some of it may seem trivial or just common sense from purely a security sense but remember that most teams building these solutions are cross functi...

Building Trust Brick by Brick: Exploring the Landscape of Modern Secure Supply Chain Tools - API Days Australia 2023

3 minute read

I presented some my learnings around modern software supply chain security tools and landscape at API Days Australia 2023 and K8SUG Meetup in November. I had my team co-present the topic with me this time. My team in Microsoft Industry Solution Engineering have been building solutions to enable government and defence customer teams in Australia and secure software supply chains have been the main focus. With the renewed focus supply chains attacks and with the supply chain security endorsement by the W...

What is ORAS and why should you care?

11 minute read

Most systems we build today are delivered as containers. Container registries and associated technologies are an important cog in this ecosystem. As the container ecosystem matures, there is an increased need to consume associated artefacts like Helm packages, software bill of materials, evidence of provenance, machine learning data sets etc from the same storage. There are even upcoming use cases like WebAssembly libraries that need a home. Container registries have evolved to become more than their ini...

Instrument MQTT based python messaging app using Open Telemetry

9 minute read

Some time back I did a bit of an intro to OpenTelemetry and in there I covered some basics like what Signals and Context Propagation are. I also spoke about how concepts like Tracing, Spans and Instrumentation interrelate to one another. I even put some code samples up at GitHub to demo this. Most if not all of those code samples are in .NET and they demo tracing and baggage. Since I did that talk in 2021 the OpenTelemetry community have decided to add logs as a signal. Logs Are a Signal There are 4 t...