I am trying to implement a custom post login action that writes the user principal name of an AD user to a claim in the id token with the name “user.read”. The token is used with a 3rd party application that I cannot change and this application expects “user.read” as claim name.
I have already configured legacy mode so that I can set custom claims that are not a url, but the dot in the claim name is replaced with a colon, so that the claim name in the id token ends up as “user:read”.
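The setup described in this post, as an added example that is not part of the thread: a post-login action that copies the user principal name into an ID-token claim, exercised offline against a stand-in `api` object. It assumes the `(event, api)` calling convention and `api.idToken.setCustomClaim` of Auth0 Actions (the thread never names the platform), assumes a `upn` attribute on the user profile, and uses a constructed `https://example.com/` namespace. The stand-in emulates only what the thread reports: outside legacy mode, a custom claim whose name is not a URL does not appear in the token.

```javascript
// Added example (not the thread's code). Assumes Auth0-style post-login
// Actions; the `upn` attribute and the namespace are labelled assumptions.
const NAMESPACE = 'https://example.com/'; // constructed, not from the thread

// Resolve the user principal name from the profile. The attribute name depends
// on the connection; `upn` is assumed here, with email as a fallback.
function resolveUpn(user) {
  return (user && (user.upn || user.email)) || null;
}

// Claim name for each tenant mode. Without legacy mode the claim has to be
// namespaced (a URL) to survive; in legacy mode the bare name can be used.
function claimNameFor(legacyMode) {
  return legacyMode ? 'user.read' : `${NAMESPACE}user.read`;
}

// Synchronous core so it can be asserted on directly: writes the UPN claim
// and reports whether anything was written.
function addUpnClaim(event, api, legacyMode) {
  const upn = resolveUpn(event.user);
  if (!upn) return false; // nothing to write; do not emit an empty claim
  api.idToken.setCustomClaim(claimNameFor(legacyMode), upn);
  return true;
}

// Action entry point in the shape the platform calls.
async function onExecutePostLogin(event, api) {
  addUpnClaim(event, api, /* legacyMode */ false);
}

// Stand-in for the real `api` object so the Action can run offline. Mirrors
// the behaviour reported in the thread: in non-legacy mode a non-URL claim
// name is dropped from the ID token.
function makeFakeApi(legacyMode) {
  const claims = {};
  return {
    claims,
    idToken: {
      setCustomClaim(name, value) {
        if (!legacyMode && !/^https?:\/\//.test(name)) return;
        claims[name] = value;
      },
    },
  };
}

// Constructed sample event for local runs.
const sampleEvent = { user: { upn: 'jdoe@corp.example', email: 'jdoe@corp.example' } };

function demo() {
  const legacy = makeFakeApi(true);
  addUpnClaim(sampleEvent, legacy, true);
  const modern = makeFakeApi(false);
  addUpnClaim(sampleEvent, modern, false);
  return { legacyClaims: legacy.claims, modernClaims: modern.claims };
}
```

Running `demo()` yields `user.read` in the legacy-mode claims and `https://example.com/user.read` in the non-legacy claims; setting the bare `user.read` name against the non-legacy stand-in produces no claim at all, which matches what the original poster saw before switching to legacy mode.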
Interesting - while I only tested in a non-legacy tenant (namespaced claim with user.read value), user.read was never transformed to user:read like you are describing. I’ve opened up a ticket internally to confirm the behavior you are seeing in a legacy context. I will certainly let you know here once I have more information myself!
How did you use a custom claim without a namespace in a non-legacy tenant? My understanding of the documentation was that I would have to switch to legacy to use custom claims without a namespace. That’s the only reason I was using legacy mode. In non-legacy, I don’t see the claim at all in my id token.
Sorry, I should’ve been more clear! I was just curious if we allowed the string ‘user.read’ as a claim value in the non-legacy case or if we for whatever reason transformed it to ‘user:read’ there as well. I still had to set the actual claim to have a namespace. Something like: