During testing authentication flow in Guard for a user token (with overage claims), noticed that it is treated as SPN/Application and failed the authentication
Looks like Microsoft identity platform has changed the format for user tokens and is now setting optional "idtyp" claim. This needs a change in Guard on how we evaluate if the token corresponds to an AAD User or an Application (SPN)
During testing authentication flow in Guard for a user token (with overage claims), noticed that it is treated as SPN/Application and failed the authentication
Looks like Microsoft identity platform has changed the format for user tokens and is now setting optional "idtyp" claim. This needs a change in Guard on how we evaluate if the token corresponds to an AAD User or an Application (SPN)
For more context, "idtyp" claim is used to get the type of token (app, user, device). By default, it's only emitted for app-only tokens (which seems to have changed now) Like all optional claims that affect the access token, the resource in the request must set this optional claim, since resources own the access token https://learn.microsoft.com/en-us/entra/identity-platform/optional-claims-reference#additionalproperties-of-optional-claims