Closed NETSphereSoft closed 2 months ago
Hi @NETSphereSoft - the ClaimsPrincipal is created based on the IdToken, not access token. Can you check the ID token please?
Client SDKs are not allowed to look inside the access token. "Principal" refers to the user, and the user is represented by the ID token.
In the IdToken I get the value 32ca47f6-4656-4c50-9ce1-8391f299d0e3, which refers to the Client ID and not, like in the AccessToken, to the App ID.
This is expected @NETSphereSoft. The ID Token is meant for your app, so the audience is the ClientID of your app. And the access token is meant for a downstream API, so the aud is the client ID of that downstream API.
See https://learn.microsoft.com/en-us/entra/identity-platform/access-token-claims-reference and https://learn.microsoft.com/en-us/entra/identity-platform/id-token-claims-reference
Taking a step back here - what are you trying to do?
I wanted to display information about the AccessToken from the AuthenticationResult to applications using our Entra ID access library (we wrapped the AuthenticationResult in our own LoginResult class).
Applications acquiring tokens should consume the ID token. It is for them. MSAL already parses that as ClaimsPrincipal - maybe forward that.
The access token is for the protected web API. Clients are not allowed to parse it. Not all Entra tokens are in JWT format - some are in JWE format (encrypted JWT) and some in other formats. Web APIs will know how to interpret and decrypt that.
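To make the split described above concrete (the ID token's aud is the app's own client ID and is what the principal is built from; the access token's aud is the downstream API, with azp naming the calling client), here is an added Python example that is not part of this issue or of MSAL. It builds two constructed, unsigned sample tokens and shows which side is responsible for validating which audience; all tenant and application IDs are made-up placeholders.

```python
import base64
import json

# Constructed placeholder identifiers (not real tenant or app IDs).
TENANT_ID = "11111111-2222-3333-4444-555555555555"
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"   # the desktop app (public client)
API_APP_ID = "ffffffff-0000-1111-2222-333333333333"  # the downstream web API


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Build a sample JWT with alg=none. Real Entra tokens are signed (or JWE-encrypted);
    this only produces inspectable sample input that runs offline."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def payload_claims(token: str) -> dict:
    """Decode the payload segment. No signature check: for the constructed samples only."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(segment))


# What the identity provider would issue for one sign-in (constructed values).
ID_TOKEN = make_unsigned_jwt({"iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
                              "aud": CLIENT_ID, "tid": TENANT_ID, "sub": "user-sub-123",
                              "preferred_username": "alice@contoso.example"})
ACCESS_TOKEN = make_unsigned_jwt({"aud": API_APP_ID, "azp": CLIENT_ID, "tid": TENANT_ID,
                                  "sub": "user-sub-123", "scp": "Files.Read"})


def client_principal_claims(id_token: str, own_client_id: str) -> dict:
    """Client side: the principal is built from the ID token, whose aud must be this app's
    own client ID. This is the value the reporter saw in TenantProfile.ClaimsPrincipal."""
    claims = payload_claims(id_token)
    if claims.get("aud") != own_client_id:
        raise ValueError("ID token was not issued to this application")
    return claims


def api_validate_access_token(access_token: str, own_api_app_id: str) -> dict:
    """Web API side: only the API inspects the access token. aud must be the API itself;
    azp tells the API which client application requested the token."""
    claims = payload_claims(access_token)
    if claims.get("aud") != own_api_app_id:
        raise ValueError("access token audience is not this API")
    return {"caller_client_id": claims.get("azp"), "scopes": claims.get("scp", "").split()}
```

Feeding the access token to the client-side check fails on purpose: its aud is the API, not the client, which is exactly the mismatch the issue reporter observed.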
Library version used
4.61.3.0
.NET version
.NET Framework 4.6.1
Scenario
PublicClient - desktop app
Is this a new or an existing app?
This is a new app or experiment
Issue description and reproduction steps
The content of the claim "aud" in the AuthenticationResult.Account.GetTenantProfiles() is different from the JSON content of the AccessToken (JWT). It contains the "azp" value from the AccessToken instead of the value from "aud".
PublicClientApplication
[Screenshot: claim "aud" from AuthenticationResult.Account.GetTenantProfiles()]
[Screenshot: AuthenticationResult.AccessToken decoded at https://jwt.io]
[Screenshot: from TenantProfile.ClaimsPrincipal.Claims]
[Screenshot: from decoded AccessToken at https://jwt.io]
Relevant code snippets
Expected behavior
The value of the claim "aud" from the AccessToken should be in the TenantProfile.ClaimsPrincipal.Claims collection.
Identity provider
Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)
Regression
No response
Solution and workarounds
No response