Microsoft-authentication-library-for-js: Retrieving user claims from token

Created on 8 Sep 2017 · 5 Comments · Source: AzureAD/microsoft-authentication-library-for-js

When using B2C, the build-in policies allow us to define which application claims will be added to the token:

https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-policies

However, I didn't find any proper way to retrieve those claims using the library and I believe claims are an important aspect of oauth2 (not only to B2C).

Are you going to implement some sort of functionality in the future in order to retrieve the claims?

Meanwhile I solved my problem doing this:

// Subclass of Msal.IdToken that pulls the B2C policy claims out of the decoded token payload.
class MsalIdToken extends Msal.IdToken {
    objectId: string;
    email: string;
    family_name: string;
    given_name: string;

    constructor(rawIdToken: string) {
        super(rawIdToken);

        // Decode the JWT payload (this does not validate the signature; MSAL does that separately).
        const decodedIdToken = Msal.Utils.extractIdToken(rawIdToken);

        if (decodedIdToken) {
            // B2C emits e-mail addresses as an "emails" array; take the first entry.
            if (decodedIdToken.hasOwnProperty('emails'))
                this.email = decodedIdToken.emails[0];

            if (decodedIdToken.hasOwnProperty('family_name'))
                this.family_name = decodedIdToken.family_name;

            if (decodedIdToken.hasOwnProperty('given_name'))
                this.given_name = decodedIdToken.given_name;

            if (decodedIdToken.hasOwnProperty('objectId'))
                this.objectId = decodedIdToken.objectId;
        }
    }
}

// Subclass of Msal.User that carries the extra claims alongside the standard user fields.
class MsalUser extends Msal.User {
    objectId: string;
    email: string;
    family_name: string;
    given_name: string;

    static createUser(idToken: MsalIdToken, clientInfo: Msal.ClientInfo, authority: string): MsalUser {
        // Let MSAL build the standard user, then copy its fields into the extended type.
        let originalUser = super.createUser(idToken, clientInfo, authority);
        let user = new MsalUser(originalUser.displayableId, originalUser.name, originalUser.identityProvider, originalUser.userIdentifier);

        user.objectId = idToken.objectId;
        user.email = idToken.email;
        user.family_name = idToken.family_name;
        user.given_name = idToken.given_name;

        return user;
    }
}


All 5 comments

The tokens retrieved from B2C do not contain all the information about the user and its claims or attributes. You should use the Graph API of the underlying Azure Active Directory to query the user for its information.
Please take a look at the .NET sample: https://github.com/AzureADQuickStarts/B2C-GraphAPI-DotNet

I use it in my ASP.net web api backend to retrieve the information of a user.

@DibranMulder You are right when you say that the token does not contain all the information about the user and the Microsoft Graph exists to get that information, stored in other systems, specified in different scopes.

The link you are referring to explains how, for a B2C tenant, it's possible to communicate with the Graph API for an interactive (run-once task) administrator account or an automated task (a service) where the application itself acts as a user.

However, B2C puts some information about the user into the token (via policies) and it is even possible to add your own custom attributes:

https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-custom-attr

Those attributes are contained inside of the tokens out-of-the-box and are easy to retrieve (see my example in my previous comment). In this scenario, the overhead involved in order to get that information by calling the Graph API is not justified.

MSAL should support reading the claims that are already contained in the token.

@davidmorissette Thank you for the feedback. Currently MSAL does not include claims added in B2C policy because there is no certainty that values will exist for these claims in all id_tokens. Your solution above is a good approach for now.

Thank you for your reply. I was expecting a generic "GetClaim(claimName: string)" method from your framework, nothing specialized. You certainly cannot know the claims contained in the token. Thank you!
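As an added illustration of the generic "GetClaim(claimName)" accessor asked for in this comment, and of the payload decoding done by the MsalIdToken subclass in the opening post, the following block is example code written for this page; it is not part of MSAL.js and does not use its API. It decodes the payload segment of a compact JWT, exposes a generic getClaim() that also copes with B2C's "emails" array and with absent claims, and applies the audience/expiry sanity checks a consumer should make. Decoding is not validation: the signature still has to be verified by MSAL or by the backend against the tenant's signing keys before any claim is trusted. The ID token below is constructed inline with placeholder values (tenant id, client id, object id, signature) and a hypothetical custom attribute named extension_Department.

```javascript
// Added example, not MSAL's own code. Generic claim reader over a raw ID token.
// Decoding the payload is NOT validation: signature, issuer, audience and expiry
// must be checked (by MSAL or the server) before any claim value is trusted.

function base64UrlDecode(segment) {
  // JWT segments are base64url without padding; restore both before decoding.
  const base64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = base64 + '='.repeat((4 - (base64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function base64UrlEncode(text) {
  return Buffer.from(text, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Returns the parsed payload object of a compact JWS, or throws if the shape is wrong.
function decodeIdTokenPayload(rawIdToken) {
  if (typeof rawIdToken !== 'string') throw new TypeError('raw ID token must be a string');
  const parts = rawIdToken.split('.');
  if (parts.length !== 3) throw new Error('ID token is not a three-part JWT');
  const payload = JSON.parse(base64UrlDecode(parts[1]));
  if (payload === null || typeof payload !== 'object' || Array.isArray(payload)) {
    throw new Error('ID token payload is not a JSON object');
  }
  return payload;
}

// Generic accessor: returns the claim value as-is (string, number, array, ...)
// or undefined when the claim is absent. Checks own properties only, so names
// such as "constructor" or "toString" do not resolve to Object.prototype members.
function getClaim(payload, claimName) {
  return Object.prototype.hasOwnProperty.call(payload, claimName)
    ? payload[claimName]
    : undefined;
}

// B2C emits the e-mail address as an "emails" array; return the first entry,
// mirroring what the MsalIdToken subclass in the opening post does.
function getPrimaryEmail(payload) {
  const emails = getClaim(payload, 'emails');
  return Array.isArray(emails) && emails.length > 0 ? emails[0] : undefined;
}

// Sanity checks a consumer applies in addition to signature verification
// (which needs the tenant's signing keys and is left to MSAL or the backend).
function isPayloadUsable(payload, expectedAudience, nowSeconds) {
  const aud = getClaim(payload, 'aud');
  const exp = getClaim(payload, 'exp');
  const nbf = getClaim(payload, 'nbf');
  if (aud !== expectedAudience) return false;                 // issued for another app
  if (typeof exp !== 'number' || nowSeconds >= exp) return false; // expired or missing exp
  if (typeof nbf === 'number' && nowSeconds < nbf) return false;  // not yet valid
  return true;
}

// Constructed sample: a B2C-style payload with placeholder ids and a
// non-cryptographic placeholder signature (never accept such a token for real).
const SAMPLE_PAYLOAD = {
  iss: 'https://login.microsoftonline.com/EXAMPLE-TENANT-ID/v2.0/',
  aud: 'example-client-id',
  exp: 1504900000,
  nbf: 1504896400,
  oid: '00000000-0000-0000-0000-000000000001',
  given_name: 'Ada',
  family_name: 'Lovelace',
  emails: ['ada@example.test'],
  extension_Department: 'Engineering' // hypothetical custom B2C attribute
};
const SAMPLE_ID_TOKEN = [
  base64UrlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT' })),
  base64UrlEncode(JSON.stringify(SAMPLE_PAYLOAD)),
  'PLACEHOLDER_SIGNATURE'
].join('.');

// Usage: decode once, then read arbitrary claims by name.
const claims = decodeIdTokenPayload(SAMPLE_ID_TOKEN);
console.log(getClaim(claims, 'given_name'), getPrimaryEmail(claims), getClaim(claims, 'missing'));
console.log('usable at exp-1000s:', isPayloadUsable(claims, 'example-client-id', 1504899000));
```

getClaim() deliberately returns the raw value rather than a string, because B2C claims are not all strings (emails is an array, exp is a number); the caller decides how to interpret each one, which is exactly why a generic accessor is enough here.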

@davidmorissette Closing this issue for now as it is answered in the thread above.
