Retrieving user claims from token #121

Closed
davidmorissette opened this Issue Sep 8, 2017 · 5 comments

davidmorissette commented Sep 8, 2017

When using B2C, the build-in policies allow us to define which application claims will be added to the token:

https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-policies

However, I didn't find any proper way to retrieve those claims using the library and I believe claims are an important aspect of oauth2 (not only to B2C).

Are you going to implement some sort of functionality in the future in order to retrieve the claims?

Meanwhile, I solved my problem by doing this:

```typescript
import * as Msal from "msal"; // assumed import: the snippet refers to the msal package under this name

// Wraps MSAL's IdToken and surfaces the B2C-emitted claims as properties.
class MsalIdToken extends Msal.IdToken {
    objectId: string;
    email: string;
    family_name: string;
    given_name: string;

    constructor(rawIdToken: string) {
        super(rawIdToken);

        // Decode the id_token payload (no signature check here; MSAL does that elsewhere).
        const decodedIdToken = Msal.Utils.extractIdToken(rawIdToken);

        if (decodedIdToken) {
            // B2C emits e-mail addresses as an array claim named "emails".
            if (decodedIdToken.hasOwnProperty('emails'))
                this.email = decodedIdToken.emails[0];

            if (decodedIdToken.hasOwnProperty('family_name'))
                this.family_name = decodedIdToken.family_name;

            if (decodedIdToken.hasOwnProperty('given_name'))
                this.given_name = decodedIdToken.given_name;

            if (decodedIdToken.hasOwnProperty('objectId'))
                this.objectId = decodedIdToken.objectId;
        }
    }
}

// Wraps MSAL's User and copies the extra claims over from MsalIdToken.
class MsalUser extends Msal.User {
    objectId: string;
    email: string;
    family_name: string;
    given_name: string;

    static createUser(idToken: MsalIdToken, clientInfo: Msal.ClientInfo, authority: string): MsalUser {
        // Let MSAL build the base user, then rebuild it as MsalUser with the same identity fields.
        let originalUser = super.createUser(idToken, clientInfo, authority);
        let user = new MsalUser(originalUser.displayableId, originalUser.name, originalUser.identityProvider, originalUser.userIdentifier);

        user.objectId = idToken.objectId;
        user.email = idToken.email;
        user.family_name = idToken.family_name;
        user.given_name = idToken.given_name;

        return user;
    }
}
```
DibranMulder commented Sep 8, 2017

The tokens retrieved from B2C do not contain all the information about the user and its claims or attributes. You should use the Graph API of the underlying Azure Active Directory to query the user for its information.
Please take a look at the .NET sample: https://github.com/AzureADQuickStarts/B2C-GraphAPI-DotNet

I use it in my ASP.net web api backend to retrieve the information of a user.

davidmorissette commented Sep 8, 2017

@DibranMulder You are right when you say that the token does not contain all the information about the user and the Microsoft Graph exists to get that information, stored in other systems, specified in different scopes.

The link you are referring to explains how, for a B2C tenant, it's possible to communicate with the Graph API for an interactive (run-once task) administrator account or an automated task (a service) where the application itself acts as a user.

However, B2C puts some information about the user (via policies) and it is even possible to add your own custom attributes:

https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-custom-attr

Those attributes are contained inside of the tokens out-of-the-box and are easy to retrieve (see my example in my previous comment). In this scenario, the overhead involved in order to get that information by calling the Graph API is not justified.

MSAL should support reading the claims that are already contained in the token.

Contributor

navyasric commented Sep 23, 2017

@davidmorissette Thank you for the feedback. Currently MSAL does not include claims added in B2C policy because there is no certainty that values will exist for these claims in all id_tokens. Your solution above is a good approach for now.

davidmorissette commented Sep 23, 2017

Thank you for your reply. I was expecting a generic "GetClaim(claimName: string)" method from your framework, nothing specialized. You certainly cannot know the claims contained in the token. Thank you!
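The generic "GetClaim(claimName)" asked for here, and the claim-reading done by hand in the first comment, can both be covered by a small reader that decodes the id_token payload and looks claims up by name. The following is an added example, not code from the MSAL.js project or from the issue author; it assumes nothing about MSAL's internal `Utils.extractIdToken` and instead decodes the JWS compact form itself. The sample token, its claim names other than the standard `oid`/`given_name`/`family_name`/`emails` and the `extension_` prefix for custom attributes, and the `signature-placeholder` segment are all constructed for the example. Note that decoding is not validation: the reader checks no signature, issuer, audience or expiry, so it should only be pointed at a token that MSAL (or the backend) has already validated.

```typescript
// Added example (not MSAL.js code): generic claim lookup on an id_token payload.
// DECODES ONLY. Signature/issuer/audience/expiry are not checked here; apply it
// to a token that MSAL or your backend has already validated.

const B64_ALPHABET =
  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

// base64url (RFC 4648 section 5, unpadded, as JWS uses it) -> byte values.
function base64UrlDecode(input: string): number[] {
  const s = input.replace(/-/g, "+").replace(/_/g, "/").replace(/=+$/, "");
  const bytes: number[] = [];
  let buffer = 0;
  let bits = 0;
  for (let i = 0; i < s.length; i++) {
    const v = B64_ALPHABET.indexOf(s.charAt(i));
    if (v < 0) throw new Error("invalid base64url character at index " + i);
    buffer = (buffer << 6) | v;
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      bytes.push((buffer >> bits) & 0xff);
      buffer &= (1 << bits) - 1; // keep only the leftover bits
    }
  }
  return bytes;
}

// UTF-8 bytes -> string via percent-decoding (throws URIError on malformed UTF-8).
function bytesToUtf8(bytes: number[]): string {
  let pct = "";
  for (const b of bytes) pct += "%" + ("0" + b.toString(16)).slice(-2);
  return decodeURIComponent(pct);
}

// string -> base64url; used only to build the constructed sample token below.
function base64UrlEncode(text: string): string {
  const pct = encodeURIComponent(text);
  const bytes: number[] = [];
  for (let i = 0; i < pct.length; i++) {
    if (pct.charAt(i) === "%") {
      bytes.push(parseInt(pct.slice(i + 1, i + 3), 16));
      i += 2;
    } else {
      bytes.push(pct.charCodeAt(i));
    }
  }
  let out = "";
  let buffer = 0;
  let bits = 0;
  for (const b of bytes) {
    buffer = (buffer << 8) | b;
    bits += 8;
    while (bits >= 6) {
      bits -= 6;
      out += B64_ALPHABET.charAt((buffer >> bits) & 63);
      buffer &= (1 << bits) - 1;
    }
  }
  if (bits > 0) out += B64_ALPHABET.charAt((buffer << (6 - bits)) & 63);
  return out.replace(/\+/g, "-").replace(/\//g, "_");
}

interface IdTokenClaims { [claim: string]: unknown; }

// Split header.payload.signature and parse the payload as a JSON object.
function decodeIdTokenClaims(rawIdToken: string): IdTokenClaims {
  const parts = rawIdToken.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS (expected 3 segments)");
  const payload = JSON.parse(bytesToUtf8(base64UrlDecode(parts[1])));
  if (payload === null || typeof payload !== "object") throw new Error("payload is not a JSON object");
  return payload as IdTokenClaims;
}

// The generic accessor: undefined when the policy did not emit that claim.
function getClaim(claims: IdTokenClaims, claimName: string): unknown {
  return Object.prototype.hasOwnProperty.call(claims, claimName) ? claims[claimName] : undefined;
}

// B2C emits addresses as the array claim "emails"; return the first entry if present.
function getPrimaryEmail(claims: IdTokenClaims): string | undefined {
  const emails = getClaim(claims, "emails");
  return Array.isArray(emails) && typeof emails[0] === "string" ? emails[0] : undefined;
}

// Constructed sample id_token (header and payload built here, signature is a
// placeholder): fit for decoding only, never for validation.
const SAMPLE_ID_TOKEN =
  base64UrlEncode(JSON.stringify({ alg: "RS256", typ: "JWT", kid: "example-key" })) + "." +
  base64UrlEncode(JSON.stringify({
    iss: "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0/",
    oid: "11111111-2222-3333-4444-555555555555",
    emails: ["alice@example.com"],
    given_name: "Alice",
    family_name: "Example",
    extension_LoyaltyNumber: "LOY-0042", // constructed custom-attribute claim
    tfp: "B2C_1_signupsignin"
  })) + "." +
  "signature-placeholder";

console.log("email:", getPrimaryEmail(decodeIdTokenClaims(SAMPLE_ID_TOKEN)));
```

Missing claims come back as `undefined` rather than throwing, which is exactly the uncertainty the maintainer's reply points at: a policy may or may not emit a given claim, so the caller decides what to do when it is absent.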

Member

rohitnarula7176 commented Oct 21, 2017

@davidmorissette Closing this issue for now as it is answered in the thread above.
