Setting upn claim in Access token

Question

As part of a project POC, we are trying out some scenarios as Azure AD will be the IDP we will use.

Using the Azure self-service , I registered an application and I am able to generate access tokens using the Azure token endpoints. (Client credential grant)

I am now trying to see if we can get optional claims for Azure AD token (upn claim). I configured and tried testing it. But unfortunately the upn claim is not appearing in the access token. Need help to understand if this can be done.

For client credential grant, is this normally possible to achieve?

Answer 1

Hi @Nirmala D · Thank you for reaching out.

You can NOT get UPN in the token the you acquired by using Client_Credentials flow, because when this flow is used, authentication is done under application context and not under user context. As UPN is a user attribute and not application attribute, it will not be returned in the token acquired in application context.

If you need UPN claim in the token, you will need to use one of the below authentication flows to acquire token under user context:

• Authorization code flow - https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
• ROPC flow - https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc
• Implicit flow - https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-implicit-grant-flow

-----------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Answer 2

I'm implementing the auth code flow next-auth using Azure Ad. It does not return the upn in the access token, but in the id token, it returns.