[Feature Request] [2L] Expose tenant profiles in IAccount and ID token claims in the AuthenticationResult
Is your feature request related to a problem? Please describe.
Several customers want to get the ID token claims in the authentication result. See for instance #2580.
Describe the solution you’d like
- The AuthenticationResult could expose a new method .GetIdTokenClaims() returning a ClaimsPrincipal, as this is the data structure commonly used in .NET (see #2584).
- More generally, we’d want IAccount to expose TenantProfiles.
- Update API review with .NET and Java design
using System.Collections.Generic;
using System.Security.Claims;

interface IAccount
{
// current members
/// <summary>
/// Get the information about the account in each tenant, keyed by tenant Id
/// </summary>
IDictionary<string, ITenantProfile> TenantProfiles { get; }
}
interface ITenantProfile
{
/// <summary>
/// Get the object id of the account in this tenant
/// </summary>
public string Oid { get; }
/// <summary>
/// Get the tenant ID
/// </summary>
public string TenantId { get; }
/// <summary>
/// Get the claims of the ID token for the account in this tenant
/// </summary>
public ClaimsPrincipal Claims { get; }
/// <summary>
/// Is the tenant the home tenant of the user?
/// </summary>
public bool IsHomeTenant { get; }
}
Additional context
- Tenant profile is a consistency item … See the API review spec / design for Android: Account & Tenant Profiles
- This is mostly for public client applications, or applications that don’t use ASP.NET / ASP.NET Core, as these frameworks already populate the .User.
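As an added illustration of the design above (this is not MSAL.NET code), the following builds the proposed TenantProfiles map from the raw ID tokens an account has received, one per tenant, keyed by the tid claim, with IsHomeTenant derived from the account's home tenant. The TenantProfile record, TenantProfileBuilder, FakeToken and the sample tokens are all assumptions constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Text;
using System.Text.Json;

// Added illustration, not MSAL.NET code. As the thread notes, the payload is read
// without signature checks, so this only fits tokens received straight from the
// token endpoint over TLS (public client), never tokens handed in by a caller.
public sealed record TenantProfile(string Oid, string TenantId, ClaimsPrincipal Claims, bool IsHomeTenant);

public static class TenantProfileBuilder
{
    // Decode the base64url JWT payload (second segment) into Claim objects.
    static List<Claim> ReadPayloadClaims(string idToken)
    {
        string seg = idToken.Split('.')[1].Replace('-', '+').Replace('_', '/');
        seg = seg.PadRight(seg.Length + (4 - seg.Length % 4) % 4, '=');
        using var doc = JsonDocument.Parse(Convert.FromBase64String(seg));
        return doc.RootElement.EnumerateObject()
                  .Select(p => new Claim(p.Name, p.Value.ToString())).ToList();
    }
    // homeTenantId is the tid half of the account's home identifier ("oid.tid").
    public static IDictionary<string, TenantProfile> Build(IEnumerable<string> idTokens, string homeTenantId)
    {
        var profiles = new Dictionary<string, TenantProfile>(StringComparer.OrdinalIgnoreCase);
        foreach (string token in idTokens)
        {
            var identity = new ClaimsIdentity(ReadPayloadClaims(token), "oidc");
            string tid = identity.FindFirst("tid")?.Value
                ?? throw new InvalidOperationException("ID token carries no tid claim");
            profiles[tid] = new TenantProfile(identity.FindFirst("oid")?.Value, tid,
                new ClaimsPrincipal(identity), tid.Equals(homeTenantId, StringComparison.OrdinalIgnoreCase));
        }
        return profiles;
    }
    // Constructed, unsigned sample token: placeholder header "{}" and signature segments.
    static string FakeToken(string payloadJson) => "e30." + Convert.ToBase64String(
        Encoding.UTF8.GetBytes(payloadJson)).TrimEnd('=').Replace('+', '-').Replace('/', '_') + ".sig";
    public static void Main()
    {
        var tokens = new[] {
            FakeToken("{\"tid\":\"home-tenant\",\"oid\":\"oid-in-home\",\"name\":\"Alice\"}"),
            FakeToken("{\"tid\":\"guest-tenant\",\"oid\":\"oid-as-guest\",\"name\":\"Alice\"}") };
        foreach (var p in Build(tokens, "home-tenant").Values)
            Console.WriteLine($"{p.TenantId}: oid={p.Oid} home={p.IsHomeTenant} claims={p.Claims.Claims.Count()}");
    }
}
```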
@neha-bhargava @bgavrilMS What would be the point for us of having hidden APIs? Our customers want to get the claims.
I would think that, in Java, this is related to the fact that they support front line workers, and have explicitly multi-tenant accounts. In MSAL.NET I’d say, we expose the API directly, and if there is only one tenant, there is only one tenant?
Is there code that I can try out? I see only this branch (https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/tree/nebharg/AddTokenIdClaims), but this is pretty old?
Not sure this can be done for Confidential Client due to not checking signatures, continuing discussions offline.