Retrieving user claims from token #121

davidmorissette opened this Issue Sep 8, 2017 · 5 comments



davidmorissette commented Sep 8, 2017

When using B2C, the built-in policies allow us to define which application claims will be added to the token:

However, I didn't find any proper way to retrieve those claims using the library and I believe claims are an important aspect of oauth2 (not only to B2C).

Are you going to implement some sort of functionality in the future in order to retrieve the claims?

Meanwhile I solved my problem doing this:

class MsalIdToken extends Msal.IdToken {
    objectId: string;
    email: string;
    family_name: string;
    given_name: string;

    constructor(rawIdToken: string) {
        // A derived class must call super() before it can use `this`.
        super(rawIdToken);

        // Decode the token payload to reach the claims added by the B2C policy.
        const decodedIdToken = Msal.Utils.extractIdToken(rawIdToken);

        if (decodedIdToken) {
            // `emails` is an array in the token; keep the first entry.
            if (decodedIdToken.hasOwnProperty('emails'))
                this.email = decodedIdToken.emails[0];

            if (decodedIdToken.hasOwnProperty('family_name'))
                this.family_name = decodedIdToken.family_name;

            if (decodedIdToken.hasOwnProperty('given_name'))
                this.given_name = decodedIdToken.given_name;

            if (decodedIdToken.hasOwnProperty('objectId'))
                this.objectId = decodedIdToken.objectId;
        }
    }
}

class MsalUser extends Msal.User {
    objectId: string;
    email: string;
    family_name: string;
    given_name: string;

    static createUser(idToken: MsalIdToken, clientInfo: Msal.ClientInfo, authority: string): MsalUser {
        let originalUser = super.createUser(idToken, clientInfo, authority);
        // Rebuild the user with the base fields, then copy the extra claims across.
        let user = new MsalUser(originalUser.displayableId, originalUser.name, originalUser.identityProvider, originalUser.userIdentifier);

        user.objectId = idToken.objectId;
        user.email = idToken.email;
        user.family_name = idToken.family_name;
        user.given_name = idToken.given_name;

        return user;
    }
}


DibranMulder commented Sep 8, 2017

The tokens retrieved from B2C do not contain all the information about the user and its claim or attributes. You should use the Graph API of the underlying Azure Active Directory to query the user for its information.
Please take a look at the .NET sample:

I use it in my web api backend to retrieve the information of a user.



davidmorissette commented Sep 8, 2017

@DibranMulder You are right when you say that the token does not contain all the information about the user and the Microsoft Graph exists to get that information, stored in other systems, specified in different scopes.

The link you are referring to explains how, for a B2C tenant, it's possible to communicate with the Graph API for an interactive (run-once task) administrator account or an automated task (a service) where the application itself acts as a user.

However, B2C puts some information about the user (via policies) and it is even possible to add your own custom attributes:

Those attributes are contained inside of the tokens out-of-the-box and are easy to retrieve (see my example in my previous comment). In this scenario, the overhead involved in order to get that information by calling the Graph API is not justified.

MSAL should support reading the claims that are already contained in the token.




navyasric commented Sep 23, 2017

@davidmorissette Thank you for the feedback. Currently MSAL does not include claims added in B2C policy because there is no certainty that values will exist for these claims in all id_tokens. Your solution above is a good approach for now.



davidmorissette commented Sep 23, 2017

Thank you for your reply. I was expecting a generic "GetClaim(claimName: string)" method from your framework, nothing specialized. You certainly cannot know the claims contained in the token. Thank you!
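
A generic claim lookup of the kind discussed in this thread, as an added example that is not part of the original issue and is not MSAL code. The names `parseClaims`, `getClaim` and `getStringClaim` are hypothetical, the sample token is constructed, and the payload is only decoded, not signature-checked, so the values suit display in the client and nothing more.

```typescript
// Illustrative helpers (hypothetical names, not MSAL APIs).
const B64URL = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
type Claims = { [name: string]: unknown };

// Decode unpadded base64url (the JWT alphabet uses "-" and "_") into UTF-8 text.
function base64UrlDecode(input: string): string {
    const s = input.replace(/=+$/, "");
    let bits = 0, nbits = 0, pct = "";
    for (let i = 0; i < s.length; i++) {
        const v = B64URL.indexOf(s.charAt(i));
        if (v < 0) throw new Error("invalid base64url character");
        bits = (bits << 6) | v;
        nbits += 6;
        if (nbits >= 8) {
            nbits -= 8;
            const byte = (bits >> nbits) & 0xff;
            bits &= (1 << nbits) - 1; // keep only the bits not yet emitted
            pct += "%" + (byte < 16 ? "0" : "") + byte.toString(16);
        }
    }
    return decodeURIComponent(pct); // percent-encoded bytes -> UTF-8 string
}

// Parse the payload segment only. No signature check happens here, so treat the
// result as display data; an API receiving the token must validate it itself.
function parseClaims(rawIdToken: string): Claims {
    const parts = rawIdToken.split(".");
    if (parts.length !== 3) throw new Error("not a compact JWT");
    const payload = JSON.parse(base64UrlDecode(parts[1]));
    if (payload === null || typeof payload !== "object" || Array.isArray(payload)) {
        throw new Error("JWT payload is not a JSON object");
    }
    return payload as Claims;
}

// Generic lookup: undefined when the policy did not emit the claim.
function getClaim(claims: Claims, name: string): unknown {
    return Object.prototype.hasOwnProperty.call(claims, name) ? claims[name] : undefined;
}

// String helper: `emails` arrives as an array, so take its first entry.
function getStringClaim(claims: Claims, name: string): string | undefined {
    const v = getClaim(claims, name);
    const first = Array.isArray(v) ? v[0] : v;
    return typeof first === "string" ? first : undefined;
}

// Constructed sample: {"emails":["dana@example.com"],"given_name":"Zoë"}
const SAMPLE_ID_TOKEN = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9." +
    "eyJlbWFpbHMiOlsiZGFuYUBleGFtcGxlLmNvbSJdLCJnaXZlbl9uYW1lIjoiWm_DqyJ9.c2ln";
```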




rohitnarula7176 commented Oct 21, 2017

@davidmorissette Closing this issue for now as it is answered in the thread above.
