Getting claims using MSAL

Vlado 1 Reputation point
2020-12-09T14:34:13.127+00:00

I am using Microsoft.Identity.Claim library to conenct to azure and authencticate user.
My first idea was to use AcquireTokenByIntegratedWindowsAuth method but that requires few days until network administrator people investigate how to enable single sign-in option and change that user are now "federated" and not "managed. So I now switched to AcquireTokenInteractive method because chances are that ure will be logged in, so he will just need to login. To big deal.
And this works:

   string clientId = "xxx";
            var tenantId = "yyy";
              string[] scopes = new string[] { "User.Read", "User.ReadBasic.All"};

        AuthenticationResult result;

        var app = PublicClientApplicationBuilder.Create(clientId)
                                                 .WithRedirectUri("http://localhost")
                                                 .WithAuthority(AzureCloudInstance.AzurePublic, tenantId).Build();
        try
        {
            result = await app.AcquireTokenInteractive(scopes)
                      .ExecuteAsync();
        }
        catch (MsalUiRequiredException) //see all possibl exceptions!
        {

        

However, I don't receive claims inside token.
My idea is to send this token to server, then validate it, and if sucessfull create user in database and then use my own authenication mechanism I use for other users (that are not part of domain, completely separate user).

How to get claims, using this or any other lib given user email, or some other unique data?

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
21,669 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. 2020-12-09T17:52:36.213+00:00

    Hello @Vlado , access token will be retrieved in raw format and should be threated like an opaque string. It's meant for the resource (API) to decode it. In your case you're getting an access token for MS Graph which, as other Microsoft APIs, may not be always be decodable. This does not apply to access tokens issued by your own Azure AD APIs (app registrations) or id tokens which are always JWT and can be decoded by many libraries available.

    Please let me know if you need more help. If the answer was helpful to you, please accept it and, optionally, provide feedback so that other members in the community can benefit from it.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.