AzureAD / microsoft-authentication-library-for-dotnet

Microsoft Authentication Library (MSAL) for .NET
https://aka.ms/msal-net
MIT License

[Bug] TenantProfile contains wrong value for "aud" related to JWT/AccessToken #4802

Closed NETSphereSoft closed 2 months ago

NETSphereSoft commented 3 months ago

Library version used

4.61.3.0

.NET version

.NET Framework 4.6.1

Scenario

PublicClient - desktop app

Is this a new or an existing app?

This is a new app or experiment

Issue description and reproduction steps

The content of the "aud" claim in AuthenticationResult.Account.GetTenantProfiles() is different from the JSON content of the AccessToken (JWT). It contains the "azp" value from the AccessToken instead of the value from "aud".

From TenantProfile.ClaimsPrincipal.Claims: [image]

From the decoded AccessToken at https://jwt.io: [image]

Relevant code snippets

// Look up the "aud" claim across the claims of all tenant profiles of the signed-in account
String autAud = AuthenticationResult.Account
                                    .GetTenantProfiles()
                                    .SelectMany(tp => tp.ClaimsPrincipal.Claims)
                                    .FirstOrDefault(c => c.Type.Equals("aud"))?
                                    .Value;

Expected behavior

The value of the "aud" claim from the AccessToken should be in the TenantProfile.ClaimsPrincipal.Claims collection.

Identity provider

Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)

Regression

No response

Solution and workarounds

No response

bgavrilMS commented 3 months ago

Hi @NETSphereSoft - the ClaimsPrincipal is created based on the IdToken, not the access token. Can you check the ID token please?

Client SDKs are not allowed to look inside the access token. "Principal" refers to the user, and the user is represented by the ID token.

NETSphereSoft commented 3 months ago

In the IdToken I get the value 32ca47f6-4656-4c50-9ce1-8391f299d0e3, which refers to the Client ID and not, as in the AccessToken, to the App ID.

bgavrilMS commented 3 months ago

This is expected @NETSphereSoft. The ID Token is meant for your app, so the audience is the ClientID of your app. And the access token is meant for a downstream API, so the aud is the client ID of that downstream API.

See https://learn.microsoft.com/en-us/entra/identity-platform/access-token-claims-reference and https://learn.microsoft.com/en-us/entra/identity-platform/id-token-claims-reference

Taking a step back here - what are you trying to do?

NETSphereSoft commented 3 months ago

I wanted to display information about the AccessToken from the AuthenticationResult to applications using our Entra ID access library (we wrapped the AuthenticationResult in our own LoginResult class).

bgavrilMS commented 3 months ago

Applications acquiring tokens should consume the ID token. It is for them. MSAL already parses that as ClaimsPrincipal - maybe forward that.

The access token is for the protected web API. Clients are not allowed to parse it. Not all Entra tokens are in JWT format; some are in JWE format (encrypted JWT) and some in other formats. Web APIs will know how to interpret and decrypt them.
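The distinction drawn in this thread, as an added Python example that is not code from the issue or from MSAL: the ID token's aud is the app's own client ID (what TenantProfile.ClaimsPrincipal reflects), the access token's aud is the downstream API with azp naming the caller, and an access token may be a JWE whose claims the client cannot read. All identifiers and tokens are constructed placeholders, and signature verification is deliberately left out.

```python
import base64
import json

# Constructed placeholder identifiers (not taken from the issue).
CLIENT_ID = "aaaaaaaa-0000-0000-0000-000000000001"   # the desktop app's own app (client) ID
API_APP_ID = "bbbbbbbb-0000-0000-0000-000000000002"  # client ID of the downstream API
TENANT_ID = "cccccccc-0000-0000-0000-000000000003"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned JWS-compact token (header.payload.) for this demo only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


# ID token: issued for this app, so aud is the app's own client ID.
ID_TOKEN = make_unsigned_jwt({"aud": CLIENT_ID, "tid": TENANT_ID, "oid": "user-oid-placeholder"})
# Access token: issued for the downstream API, so aud is that API and azp names the calling client.
ACCESS_TOKEN = make_unsigned_jwt({"aud": API_APP_ID, "azp": CLIENT_ID, "tid": TENANT_ID, "scp": "Files.Read"})
# Encrypted access token (JWE compact, five segments): the client cannot read its claims at all.
JWE_ACCESS_TOKEN = _b64url_encode(b'{"alg":"RSA-OAEP","enc":"A256GCM"}') + ".KEY.IV.CIPHERTEXT.TAG"


def id_token_claims(token: str, client_id: str) -> dict:
    """Return the ID token claims after checking the token was issued for this client.

    Signature verification is omitted; claims are only trustworthy after a verifier has checked them.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact token")
    claims = json.loads(_b64url_decode(parts[1]))
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        # An access token lands here: its audience is the API, not this app.
        raise ValueError(f"token audience {aud!r} is not this client")
    return claims


def issued_for_client(token: str, client_id: str) -> bool:
    """True only when the token's aud names this client (the check the reporter's lookup skips)."""
    try:
        id_token_claims(token, client_id)
        return True
    except ValueError:
        return False


def access_token_format(token: str) -> str:
    """Classify an access token by segment count without reading its claims; they belong to the API."""
    return {3: "JWS", 5: "JWE"}.get(token.count(".") + 1, "opaque")
```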