Roles undefined in idTokenClaims but exist in token
### Core Library
MSAL.js v2 (@azure/msal-browser)
### Core Library Version
2.22.1
### Wrapper Library
MSAL React (@azure/msal-react)
### Wrapper Library Version
1.3.1
### Description
`idTokenClaims.roles` returns undefined.
The claims I get are: aud, exp, iat, iss, name, nbf, nonce, oid, preferred_username, rh, sub, tid, uti, ver … but no roles.
When I print the token from `msalInstance.acquireTokenSilent` and decode it on https://jwt.ms/ I can see the roles I assigned to the account.
### MSAL Configuration
```typescript
import { Configuration } from "@azure/msal-browser";

export const msalConfig: Configuration = {
  auth: {
    clientId: process.env.REACT_APP_MSAL_CLIENT_ID || "",
    authority: process.env.REACT_APP_MSAL_AUTHORITY,
    redirectUri: process.env.REACT_APP_MSAL_REDIRECT_URL,
  },
  cache: {
    cacheLocation: "sessionStorage",
    storeAuthStateInCookie: false,
  },
};
```
### Relevant Code Snippets
```typescript
const { accounts, inProgress } = useMsal();
let roles = accounts[0].idTokenClaims.roles; // <-- returns undefined
```
### Identity Provider
Azure AD / MSA
### Source
External (Customer)
Issue Analytics
- State:
- Created a year ago
- Comments: 7 (3 by maintainers)
Top GitHub Comments
@NidalGhonaim and if you don’t want to replicate the roles in the client app, you can use the client ID of the API in the client app, but I’m not sure what the official policy on that is.

@NidalGhonaim the resource server (API) should decode and validate the access token, so that’s fine. If you need to adjust the UI based on the user’s role, then duplicating roles on the client app registration also makes sense (here’s an example doing that).
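
Why the two tokens differ, as an added example that is not part of the original issue thread: the `roles` claim reflects the app registration named in the token's `aud`, so an ID token addressed to the client app has no `roles` when the roles are assigned only on the API registration, while the access token for the API does. The app IDs, the role name and both tokens are constructed, and the code decodes without validating anything, so its result suits UI decisions only; the API still validates the access token.

```javascript
// Added example. Tokens are constructed samples with a placeholder signature.
// Decoding without signature validation is for inspection and UI hints only.
const CLIENT_APP_ID = "11111111-1111-1111-1111-111111111111"; // constructed
const API_APP_ID = "22222222-2222-2222-2222-222222222222";    // constructed

// Build a sample compact JWT from a payload (test data only, not signed).
function makeSampleJwt(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(payload)}.c2lnLXBsYWNlaG9sZGVy`;
}

// Decode the payload segment the way jwt.ms displays it (no verification).
// Uses Node's Buffer; in a browser, atob() on the same string works.
function decodeJwtPayload(jwt) {
  const parts = String(jwt).split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Say which app registration the token is addressed to and which roles it has.
function describeRoles(jwt) {
  const { aud, roles } = decodeJwtPayload(jwt);
  let audience = "other";
  if (aud === CLIENT_APP_ID) audience = "client app";
  else if (aud === API_APP_ID || aud === `api://${API_APP_ID}`) audience = "API";
  return { audience, roles: Array.isArray(roles) ? roles : [] };
}

// Constructed tokens: the role (a made-up name) is assigned on the API
// registration only, so only the API-audience token carries it.
const SAMPLE_ID_TOKEN = makeSampleJwt({
  aud: CLIENT_APP_ID, preferred_username: "user@example.com", ver: "2.0",
});
const SAMPLE_ACCESS_TOKEN = makeSampleJwt({
  aud: API_APP_ID, roles: ["Reports.Read"], ver: "2.0",
});

console.log("ID token:    ", describeRoles(SAMPLE_ID_TOKEN));
console.log("Access token:", describeRoles(SAMPLE_ACCESS_TOKEN));
```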