Getting claims using MSAL

Vlado 1 Reputation point
2020-12-09T14:34:13.127+00:00

I am using Microsoft.Identity.Claim library to connect to Azure and authenticate the user.
My first idea was to use the AcquireTokenByIntegratedWindowsAuth method, but that requires a few days until the network administrator people investigate how to enable the single sign-in option and change the users, who are now "federated" and not "managed". So I now switched to the AcquireTokenInteractive method because chances are that the user will be logged in, so he will just need to log in. No big deal.
And this works:

    using System;
    using System.Threading.Tasks;
    using Microsoft.Identity.Client;

    string clientId = "xxx";
    var tenantId = "yyy";
    string[] scopes = new string[] { "User.Read", "User.ReadBasic.All" };

    AuthenticationResult result;

    var app = PublicClientApplicationBuilder.Create(clientId)
                                            .WithRedirectUri("http://localhost")
                                            .WithAuthority(AzureCloudInstance.AzurePublic, tenantId)
                                            .Build();
    try
    {
        result = await app.AcquireTokenInteractive(scopes)
                          .ExecuteAsync();
    }
    catch (MsalUiRequiredException ex) // see all possible exceptions!
    {
        // Original snippet ended here; log and rethrow so the failure is not swallowed.
        Console.WriteLine(ex.Message);
        throw;
    }

However, I don't receive claims inside the token.
My idea is to send this token to the server, then validate it, and if successful create the user in the database and then use my own authentication mechanism that I use for other users (that are not part of the domain, completely separate users).

How do I get claims, using this or any other lib, given the user email or some other unique data?


1 answer

2020-12-09T17:52:36.213+00:00

Hello @Vlado, the access token will be retrieved in raw format and should be treated like an opaque string. It's meant for the resource (API) to decode it. In your case you're getting an access token for MS Graph which, as other Microsoft APIs, may not always be decodable. This does not apply to access tokens issued by your own Azure AD APIs (app registrations) or id tokens, which are always JWT and can be decoded by the many libraries available.

Please let me know if you need more help. If the answer was helpful to you, please accept it and, optionally, provide feedback so that other members in the community can benefit from it.
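Added example (not code from the question or the answer) showing the pattern the answer points at: the client hands the id token, not the Graph access token, to the server, and the server validates signature, issuer, audience and lifetime against the tenant's OpenID Connect metadata before reading claims such as oid and preferred_username. It assumes the System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.Protocols.OpenIdConnect NuGet packages; clientId and tenantId are placeholders for your own app registration.

```csharp
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Identity.Client;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

public static class IdTokenClaims
{
    // Client side: sign in interactively and hand back the id_token. Unlike the
    // MS Graph access token, the id token is always a JWT issued to this app,
    // and MSAL already parses it into result.ClaimsPrincipal / result.Account.
    public static async Task<string> SignInAsync(string clientId, string tenantId)
    {
        var app = PublicClientApplicationBuilder.Create(clientId)
            .WithRedirectUri("http://localhost")
            .WithAuthority(AzureCloudInstance.AzurePublic, tenantId)
            .Build();
        AuthenticationResult result = await app
            .AcquireTokenInteractive(new[] { "User.Read" })
            .ExecuteAsync();
        return result.IdToken;
    }

    // Server side: create the database user only after the token's signature, issuer,
    // audience and lifetime have been checked against the tenant's OpenID metadata.
    public static async Task<ClaimsPrincipal> ValidateIdTokenAsync(
        string idToken, string clientId, string tenantId)
    {
        var metadata = new ConfigurationManager<OpenIdConnectConfiguration>(
            $"https://login.microsoftonline.com/{tenantId}/v2.0/.well-known/openid-configuration",
            new OpenIdConnectConfigurationRetriever());
        OpenIdConnectConfiguration config =
            await metadata.GetConfigurationAsync(CancellationToken.None);
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = config.Issuer,
            ValidAudience = clientId,          // id tokens are addressed to the client app
            IssuerSigningKeys = config.SigningKeys,
            ValidateLifetime = true,
        };
        // MapInboundClaims = false keeps the raw names ("oid", "tid", "preferred_username").
        var handler = new JwtSecurityTokenHandler { MapInboundClaims = false };
        ClaimsPrincipal principal = handler.ValidateToken(idToken, parameters, out _);
        return principal;
    }
}
```

Key the local user record on the "oid" claim (stable and unique within the tenant) rather than on the email, which can change; "preferred_username" is fine for display.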