Below is the procedure to set up OAuth 2.0 SSO between a test Azure AD SaaS application and https://JWT.ms, so that you can troubleshoot the issuance and transformation of custom OAuth/OIDC token claims.
- In your Azure AD portal, navigate to App registrations and select New registration.
- Give your application a name, select the supported account types (single tenant is selected in the screenshot), and under Redirect URI select Web and enter https://jwt.ms. Register the application.
- After the application is registered, open the Authentication menu and enable the Implicit grant flow for both Access tokens and ID tokens. Also allow the public client flow. Save the changes.
- Open Token configuration and choose Add optional claim for the ID token. You can select any claims; for this example we select “ctry”, “family_name” and “given_name” and press Add. Because the last two claims require OpenID Connect scopes, the portal prompts you to auto-configure the needed API permissions. Tick the “Turn on the Microsoft Graph profile permissions” box and press Add.
- Open API permissions to review the Configured permissions and grant admin consent for this application.
- Now build the application access URL. Fill in the following template (it must be a single line; it is broken into lines here for readability):
https://login.microsoftonline.com/<tenantName or ID>/oauth2/v2.0/authorize
?client_id=<AppID of the JWT app you just created>
&scope=<the scopes, separated by + , example openid+profile>
&response_type=<id_token or token>
&prompt=<login or consent> (optional: use login to force re-authentication, or consent to force the consent screen)
You can save this link in your browser as a favorite and also set it as the application's Home page URL under Branding (the URL users open from the MyApps portal).
After browsing to that URL you are redirected to JWT.ms with the token.
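As an added example (not part of the original post), the following Python script assembles the one-line authorize URL from the template above and then inspects the id_token that jwt.ms receives in the redirect fragment, reporting which of the configured optional claims are missing. The tenant name, client ID and the token payload are constructed placeholders; the nonce and state parameters are not in the template (nonce is required by the v2.0 endpoint for id_token responses, state ties the redirect back to your request).

```python
import base64
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"


def build_authorize_url(tenant, client_id, scopes, response_type="id_token",
                        prompt=None, redirect_uri="https://jwt.ms"):
    """Assemble the one-line URL from the post's template. urlencode joins the
    scopes with '+' exactly as the template shows. nonce/state are additions:
    the v2.0 endpoint requires a nonce for id_token responses."""
    params = {
        "client_id": client_id,
        "scope": " ".join(scopes),
        "response_type": response_type,
        "redirect_uri": redirect_uri,
        "nonce": secrets.token_urlsafe(16),
        "state": secrets.token_urlsafe(16),
    }
    if prompt:  # "login" forces re-auth, "consent" forces the consent screen
        params["prompt"] = prompt
    return AUTHORIZE.format(tenant=tenant) + "?" + urlencode(params)


def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def claims_from_redirect(redirect_url):
    """Implicit flow returns the token in the URL fragment. This decodes the
    payload for inspection only, as jwt.ms does; it does NOT validate the
    signature, so it must never be used to trust a token."""
    fragment = parse_qs(urlsplit(redirect_url).fragment)
    _header, payload, _signature = fragment["id_token"][0].split(".")
    return json.loads(b64url_decode(payload))


def missing_optional_claims(claims, wanted=("ctry", "family_name", "given_name")):
    """Which of the optional claims added under Token configuration are absent."""
    return [c for c in wanted if c not in claims]


# Constructed sample (placeholder values): a payload shaped like a v2.0 id_token
# with "ctry" deliberately left out, and a dummy signature.
_b64 = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
_payload = {"aud": "<client_id placeholder>", "given_name": "Ada", "family_name": "Lovelace"}
SAMPLE_REDIRECT = "https://jwt.ms/#id_token=" + ".".join(
    [_b64({"alg": "RS256", "typ": "JWT"}), _b64(_payload), "dummysig"])
```

Paste the URL returned by build_authorize_url into a browser to run the flow; a claim listed by missing_optional_claims usually means the attribute is empty on the user object or the optional claim was not saved.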