Optional "upn" claim missed in token requested by console python app

dmim 1 Reputation point
2020-10-01T08:30:38.58+00:00

I've created a console Python app as described here:
https://learn.microsoft.com/en-us/samples/azure-samples/ms-identity-python-daemon/ms-identity-python-webapp/

I have to have the "upn" claim in the token and I have modified the manifest accordingly.
But that claim does not appear in the token.
Is there any working example of how to do that?

Tags: Azure App Service, Microsoft Entra ID

1 answer

  1. soumi-MSFT 11,786 Reputation points Microsoft Employee
    2020-10-01T09:42:15.487+00:00

    Hi @dmim, Thank you for reaching out. The following Python sample uses the client_credential flow of OAuth 2.0, which means that it fetches the access token from AAD in the application's context and then uses that access token to make a Graph API call.

    So if you run this Python app as it is after downloading, it goes by the client-credential flow, and the access token this app receives from AAD won't have any user-related claims like upn, email, etc.

    You can check the client_credential=config["secret"] argument being passed to the msal.ConfidentialClientApplication class, which makes clear that it uses the client_credential flow.

    ```python
    import msal

    # config is the dict the sample loads from its parameters file
    # (client_id, authority, secret).
    # Create a preferably long-lived app instance which maintains a token cache.
    app = msal.ConfidentialClientApplication(
        config["client_id"], authority=config["authority"],
        client_credential=config["secret"],  # app credential only: client_credential flow, no user context
        # token_cache=...  # Default cache is in memory only.
                           # You can learn how to use SerializableTokenCache from
                           # https://msal-python.rtfd.io/en/latest/#msal.SerializableTokenCache
        )
    ```
    

    To get user details like upn, email, etc., you would need either an id_token or an access_token issued in the user's context, and to do that you would have to implement the auth-code-grant flow of OAuth.

    Hope this helps.

    Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer; if the above response helped in answering your query.
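The point in the answer above, that a token obtained with `client_credential` carries no user claims while one obtained through the authorization-code flow does, is easy to verify by inspecting the two tokens side by side. The following is an added example, not code from the sample or the answer: it uses only the standard library, and the two token payloads are constructed placeholders (with a dummy signature segment) so it runs offline. The `idtyp`, `roles`, `scp` and `upn` claims it checks are the documented Entra ID claims; in MSAL the two flows correspond to `acquire_token_for_client` and `acquire_token_by_authorization_code` on the same `ConfidentialClientApplication`.

```python
"""Inspect which identity claims an Azure AD / Entra ID access token carries.

Added example, not code from the daemon sample or the answer above. Uses only the
standard library and two CONSTRUCTED, unsigned sample payloads so it runs offline.
Real tokens are RS256-signed; verify the signature against the tenant's JWKS,
plus issuer, audience and expiry, before trusting any claim.
"""
import base64
import json


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_sample_jwt(payload: dict) -> str:
    """Build a CONSTRUCTED compact JWT (header.payload.signature) for inspection only.
    The signature segment is a placeholder, so this token would fail verification."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "sample-kid"}
    return ".".join([
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        b64url_encode(b"placeholder-signature"),
    ])


def decode_claims(jwt: str) -> dict:
    """Decode the payload WITHOUT verifying the signature. Diagnosis only: an API
    must validate signature, issuer, audience and expiry before trusting claims."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[1]))


def token_kind(claims: dict) -> str:
    """'app' for a token issued in the application context, 'user' otherwise.
    The optional 'idtyp' claim is authoritative when present; failing that, an
    app-only token carries application permissions in 'roles' and no delegated 'scp'."""
    if claims.get("idtyp") == "app":
        return "app"
    if "scp" not in claims and "roles" in claims:
        return "app"
    return "user"


def user_principal(claims: dict):
    """The user identifier a caller can rely on, or None for an app-only token.
    upn is an optional claim; preferred_username is the v2 fallback."""
    if token_kind(claims) == "app":
        return None
    return claims.get("upn") or claims.get("preferred_username")


# --- Constructed sample payloads (placeholder ids, not real tokens) ---
TENANT = "00000000-0000-0000-0000-000000000000"
CLIENT = "11111111-1111-1111-1111-111111111111"

# What the daemon sample gets via client_credential: no user-related claims at all.
CLIENT_CREDENTIAL_TOKEN = make_sample_jwt({
    "aud": "https://graph.microsoft.com",
    "iss": f"https://sts.windows.net/{TENANT}/",
    "appid": CLIENT,
    "idtyp": "app",
    "roles": ["User.Read.All"],
    "oid": "22222222-2222-2222-2222-222222222222",
    "tid": TENANT,
    "exp": 1601550000,
})

# What an authorization-code sign-in yields: delegated scope plus the user's upn.
AUTH_CODE_TOKEN = make_sample_jwt({
    "aud": "https://graph.microsoft.com",
    "iss": f"https://sts.windows.net/{TENANT}/",
    "appid": CLIENT,
    "scp": "User.Read",
    "upn": "alice@contoso.example",
    "oid": "33333333-3333-3333-3333-333333333333",
    "tid": TENANT,
    "exp": 1601550000,
})

if __name__ == "__main__":
    for name, tok in (("client_credential", CLIENT_CREDENTIAL_TOKEN),
                      ("auth_code", AUTH_CODE_TOKEN)):
        claims = decode_claims(tok)
        print(f"{name}: kind={token_kind(claims)} principal={user_principal(claims)!r}")
```

Run it and the client_credential token classifies as `app` with no principal, which is exactly what the question describes: adding `upn` to the manifest's optional claims cannot produce a user claim in a token that has no user behind it. A resource API that receives such a token should authorize on `roles` and identify the caller by `appid`/`oid`, never by a missing `upn`.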

