
Requesting custom claims

Olga Dalton edited this page Sep 23, 2018 · 3 revisions

OpenID Connect defines the claims Authorization Request parameter to enable requesting individual Claims and specifying parameters that apply to the requested Claims. See more details in OpenID Connect Core 1.0.

MSAL provides an interactive API to pass the claims Authorization Request parameter.

This might be necessary in various situations. For example, claims challenges could be issued by the resource when the access token is used for accessing the resource.

In such a case, an interactive acquire token call is needed to pass the claims challenge to the server. MSAL provides the following API on the MSALPublicClientApplication class, which accepts a claims challenge:

```objc
- (void)acquireTokenForScopes:(NSArray<NSString *> *)scopes
         extraScopesToConsent:(NSArray<NSString *> *)extraScopesToConsent
                      account:(MSALAccount *)account
                   uiBehavior:(MSALUIBehavior)uiBehavior
         extraQueryParameters:(NSDictionary <NSString *, NSString *> *)extraQueryParameters
                       claims:(NSString *)claims
                    authority:(NSString *)authority
                correlationId:(NSUUID *)correlationId
              completionBlock:(MSALCompletionBlock)completionBlock;
```

The claims parameter value is represented in an OAuth 2.0 request as UTF-8 encoded JSON. MSAL expects the claims string to be URL encoded.

Example:

```objc
[application acquireTokenForScopes:@[@"user.read"]
              extraScopesToConsent:nil
                           account:account
                        uiBehavior:MSALUIBehaviorDefault
              extraQueryParameters:nil
                            claims:@"%7B%22access_token%22%3A%7B%22deviceid%22%3A%7B%22essential%22%3Atrue%7D%7D%7D"
                         authority:nil
                     correlationId:nil
                   completionBlock:^(MSALResult *result, NSError *error) {
                       // TODO: handle result or error
                   }];
```
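
One way to produce the URL-encoded claims string from JSON text, checking first that it parses as a JSON object (an added example, not code from the MSAL wiki or SDK). `EncodedClaimsFromJSON` and the error domain are hypothetical names; the sample input is the decoded form of the claims string used in the example above.

```objc
#import <Foundation/Foundation.h>

// Hypothetical error domain for this example only.
static NSString *const ClaimsExampleErrorDomain = @"ClaimsExampleErrorDomain";

// Hypothetical helper (not an MSAL API): validates a claims request supplied as
// JSON text and returns it percent-encoded, ready for the `claims:` argument.
static NSString *EncodedClaimsFromJSON(NSString *claimsJSON, NSError **error)
{
    NSData *data = [claimsJSON dataUsingEncoding:NSUTF8StringEncoding];
    if (data.length == 0) {
        if (error) *error = [NSError errorWithDomain:ClaimsExampleErrorDomain code:1
                                            userInfo:@{NSLocalizedDescriptionKey: @"Empty claims string"}];
        return nil;
    }

    // Refuse malformed input before it is placed in the authorization request.
    NSError *parseError = nil;
    id parsed = [NSJSONSerialization JSONObjectWithData:data options:0 error:&parseError];
    if (parsed == nil) {
        if (error) *error = parseError;
        return nil;
    }
    // A claims request is a JSON object, so a top-level array is rejected too.
    if (![parsed isKindOfClass:[NSDictionary class]]) {
        if (error) *error = [NSError errorWithDomain:ClaimsExampleErrorDomain code:2
                                            userInfo:@{NSLocalizedDescriptionKey: @"Claims must be a JSON object"}];
        return nil;
    }

    // Leave only RFC 3986 unreserved characters unescaped, so braces, quotes,
    // colons, '&' and '=' cannot alter the surrounding query string.
    NSCharacterSet *unreserved = [NSCharacterSet characterSetWithCharactersInString:
        @"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"];
    return [claimsJSON stringByAddingPercentEncodingWithAllowedCharacters:unreserved];
}

int main(void)
{
    @autoreleasepool {
        // Constructed sample input.
        NSString *json = @"{\"access_token\":{\"deviceid\":{\"essential\":true}}}";
        NSError *error = nil;
        NSString *claims = EncodedClaimsFromJSON(json, &error);
        if (claims == nil) { NSLog(@"Invalid claims request: %@", error); return 1; }
        NSLog(@"claims parameter: %@", claims);
    }
    return 0;
}
```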
