BREAKING: Treating the User Principal Name as an email address is now opt-in #37
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Previously, if the Graph API did not return a value in the
mail
field, the User Principal Name (UPN) would be substituted automatically. This was beneficial for those who follow the recommended convention of having the UPN be the same as the email address.However, the UPN does not always reflect the user's email address and can be changed by an administrator.
To avoid consuming applications blindly relying on an assumption that UPN and email is always the same, this behavior is now opt-in. If a valid email is found in the
mail
field, it will be added to theemails
array in the Passport.js profile. If the new option,addUPNAsEmail
, is set totrue
in the configuration, the UPN will be added into theemails
array as well. This means there could be a scenario where zero, one, or two email address are found in the profile'semails
field.For those who wish to maintain the semantic separation of email and UPN, the UPN is also available now as a separate property on the profile,
userPrincipalName
.On a related note, it is not recommended for applications to use one of the emails or the UPN as a user identifier, as these values can be changed and are not guaranteed to represent a stable identity. Instead, use the
id
field.