I am trying to implement a custom post-login action that writes the user principal name of an AD user to a claim in the ID token with the name “user.read”. The token is used with a 3rd-party application that I cannot change, and this application expects “user.read” as the claim name.
api.idToken.setCustomClaim('user.read', user.userPrincipalName);
I have already configured legacy mode so that I can set custom claims that are not a URL, but the dot in the claim name is replaced with a colon, so the claim name in the ID token ends up as “user:read”.
How can I set a claim named “user.read”?
Hi there @m.raacke welcome to the community!
Interesting - while I only tested in a non-legacy tenant (namespaced claim with user.read as the value), user.read was never transformed to user:read like you are describing. I’ve opened up a ticket internally to confirm the behavior you are seeing in a legacy context. I will certainly let you know here once I have more information myself!
Thanks for your patience
Hello @ty.frith ,
how did you use a custom claim without a namespace in a non-legacy tenant? My understanding of the documentation was that I would have to switch to legacy to use custom claims without a namespace. That’s the only reason I was using legacy mode. In non-legacy, I don’t see the claim at all in my ID token.
Thanks
Mathias
Sorry, I should’ve been more clear! I was just curious if we allowed the string ‘user.read’ as a claim value in the non-legacy case or if we, for whatever reason, transformed it to ‘user:read’ there as well. I still had to set the actual claim to have a namespace. Something like:
api.idToken.setCustomClaim('https://example.com/test', 'user.read');
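To make the namespaced approach from the reply above concrete, here is an added example (not code from either poster or from Auth0): a minimal post-login Action handler in the shape Auth0 Actions use, `onExecutePostLogin(event, api)`, that puts the user's UPN into a namespaced claim, together with a small offline harness that fakes the `event` and `api` objects so the handler can be exercised without a tenant. The namespace `https://example.com/` is taken from the reply's own example; the property path `event.user.userPrincipalName` for the UPN and the claim suffix `upn` are assumptions, and the URL check is a local guard mirroring the thread's description of non-legacy behavior, not an Auth0 API.

```javascript
// Added example: an Auth0 post-login Action handler plus an offline harness.
// Assumptions: the UPN lives at event.user.userPrincipalName (the thread's
// rules-era code uses user.userPrincipalName), and the namespace URL is the
// one from the reply above. In a deployed Action this handler would be
// assigned to exports.onExecutePostLogin.

const NAMESPACE = 'https://example.com/'; // from the reply's example claim

// Non-legacy tenants keep only custom claims whose names are URLs (as the
// thread describes). This guard is local to the example, not an Auth0 API,
// and lets a typo such as 'user.read' fail loudly before deployment.
function isNamespacedClaim(name) {
  try {
    const u = new URL(name);
    return u.protocol === 'https:' || u.protocol === 'http:';
  } catch {
    return false;
  }
}

// Same signature Auth0 Actions call for the post-login trigger.
const onExecutePostLogin = async (event, api) => {
  const upn = event.user && event.user.userPrincipalName; // assumed field
  if (!upn) {
    return; // users without a UPN (e.g. database connections) get no claim
  }
  const claimName = NAMESPACE + 'upn'; // assumed suffix
  if (!isNamespacedClaim(claimName)) {
    throw new Error(`claim name ${claimName} is not namespaced`);
  }
  api.idToken.setCustomClaim(claimName, upn);
};

// Offline harness: a fake api object recording what the handler sets.
function makeFakeApi() {
  const claims = {};
  return {
    idToken: {
      setCustomClaim: (name, value) => {
        claims[name] = value;
      },
    },
    claims,
  };
}

// Runs the handler against a constructed event and returns the claims it set.
// The handler body contains no await, so its effects are visible as soon as
// the call returns even though it is declared async.
function runLocally(userPrincipalName) {
  const api = makeFakeApi();
  const event = { user: userPrincipalName ? { userPrincipalName } : {} };
  onExecutePostLogin(event, api);
  return api.claims;
}

// Constructed sample run (not real tenant data).
console.log(runLocally('alice@corp.example'));
```

The harness only shows which claim names and values the handler would hand to `api.idToken.setCustomClaim`; whether a tenant then renames or drops a claim is decided by Auth0, which is the behavior the thread is asking about.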