Azure / azure-cli

Azure Command-Line Interface
MIT License

[Feature Request] Show object ID of the signed in account #22776

Open jiasli opened 2 years ago

jiasli commented 2 years ago

Context

Currently, in order to get the object ID of the signed in account, we have to query Microsoft Graph API:

However, since some tenants (including the Microsoft tenant) have Conditional Access policies that block accessing Microsoft Graph with device code (https://github.com/Azure/azure-cli/issues/22629), querying Microsoft Graph API is no longer possible with device code.

Proposed solutions

The result of

can show the object ID decoded from the access token.

We can also add a --show-claims parameter to az account get-access-token:

az account get-access-token --show-claims

to decode the access token and show its claims, but this solution is less intuitive.

Manual solution

Object ID can be manually retrieved from the access token:

# Install PyJWT (used here only to decode the token, not to verify it)
pip3 install --upgrade pyjwt

# Print the 'oid' claim of the current access token; signature verification is deliberately skipped
az account get-access-token --query accessToken --output tsv |
  tr -d '\n' |
  python3 -c "import jwt, sys; print(jwt.decode(sys.stdin.read(), algorithms=['RS256'], options={'verify_signature': False})['oid'])"

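
The same extraction done with the standard library only, as an added example that is not code from this issue or from azure-cli: it splits the compact JWT, restores base64url padding, tolerates the trailing newline that `--output tsv` emits, and returns the `oid` claim. The sample token and every claim value in it are constructed placeholders; the signature segment is a dummy, so the code only inspects the token and proves nothing about its validity.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    segment = segment.strip()
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying its signature.

    This is a troubleshooting aid only: the claims are read as-is and nothing
    here checks the issuer, audience, expiry or signature.
    """
    parts = token.strip().split(".")  # strip() removes the newline from `--output tsv`
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def object_id_from_token(token: str) -> str:
    """Extract the 'oid' claim, failing clearly if the token does not carry one."""
    claims = decode_claims(token)
    if "oid" not in claims:
        raise KeyError("token has no 'oid' claim; is this an Azure AD access token?")
    return claims["oid"]


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed sample: realistic header/payload layout, placeholder values,
# and a dummy signature that would fail any real verification.
SAMPLE_TOKEN = ".".join([
    _b64url_encode(json.dumps({"typ": "JWT", "alg": "RS256"}).encode()),
    _b64url_encode(json.dumps({
        "aud": "https://management.azure.com/",
        "tid": "00000000-0000-0000-0000-000000000001",
        "oid": "11111111-2222-3333-4444-555555555555",
        "upn": "user@example.com",
    }).encode()),
    _b64url_encode(b"placeholder-signature"),
]) + "\n"

if __name__ == "__main__":
    print(object_id_from_token(SAMPLE_TOKEN))
```

To use it on a real token, pipe `az account get-access-token --query accessToken --output tsv` into `object_id_from_token(sys.stdin.read())`.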
yonzhan commented 2 years ago

Show object ID

subbartt commented 2 years ago

@jiasli , @yonzhan - this won't help our scenario...we use az ad sp show --id command to get the object id of the SPN and not the logged in user which used to work till now.

We are looking for a solution given AppId how to get the object id in the tenant from the current logged in user context.

uthsab commented 2 years ago

@jiasli the mentioned workaround here fetches the object id of the signed in user. We need the object id of the provided sp. Is there a similar workaround for this?

az ad sp show --id "" command, that is.

jiasli commented 2 years ago

To get the object ID of another service principal (not the signed in one), the solutions provided in https://github.com/Azure/azure-cli/issues/22629#issuecomment-1138371908 are the only possible ways in Microsoft tenant. This is MSDigital policy. Please see https://portal.microsofticm.com/imp/v3/incidents/details/309117289/home.

jiasli commented 1 year ago

As for decoding the access token, as discussed with MSAL team and Azure architect, OAuth2 protocol treats access tokens as opaque. There is no expectation that clients will understand those. So, we shouldn't decode the access token and extract object ID from it.

subbartt commented 1 year ago

@jiasli, currently we have moved away from this model, so we no longer require this functionality. See on the merit if the scenario is useful and triage accordingly.