Tags: azure, active-directory, azure-ad-msal, msal.js, passport-azure-ad

MSAL idToken does not have upn, profile or email data? need it in idToken for passport-azure-ad authorization


I have an Angular 8 app using the official msal package (not the one for Angular, the main one). On the backend I'm authorizing using passport-azure-ad (official Microsoft package).

I need to have the user's email address in the IdToken as I can't validate with bearer strategy against access token. I need some way to get that email address either through the UPN or directly.

I have tried 4 different accounts under different AD groups and so far only for 1 AD group it has actually showed an 'email' OR 'upn' field in the idToken.

The permissions configured in the app are shown in the screenshot.

The options of the login request:

  // file-level import: import * as Msal from 'msal';

  // Scopes requested at login: 'openid', 'profile' and 'email' are OIDC scopes,
  // 'user.read' is a Microsoft Graph scope.
  private loginRequest: Msal.AuthenticationParameters = {
    scopes: ['user.read', 'email', 'profile', 'openid'],
    extraScopesToConsent: ['email']
  };

I have tried every variation I can think of: I tried having them start with capital letters (Email, User.Read) like in the screenshot, I've tried swapping them around between scopes & extraScopesToConsent, I've tried putting 'upn' anywhere, but no luck.

Would it be possible to either:

  • A: Get that data somehow in the token
  • B: Get another token I can validate as 'bearer token' with my backend that has that data?


Solution

  • I ended up sending the email in the req body from frontend, then updated my passport strategy to use the request object.
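The following is an added example, not code from the question, from the asker's solution, or from passport-azure-ad itself. It shows the backend side of the approach described above: a verify callback in the `(req, token, done)` shape that passport-azure-ad's `BearerStrategy` is assumed to call when `passReqToCallback: true` is set. The point it adds is the check a backend wants here: `email`, `upn` and `preferred_username` are optional claims in Azure AD tokens (which is why only one of the four accounts showed them), while `tid` and `oid` are always present, so the authorization key is taken from `tid`/`oid` and an email posted in the request body is only used as an unverified display value when the token carries none. The sample tokens are constructed, unsigned, and for demonstration only; `decodeJwtPayload`, `resolveIdentity`, `verifyWithRequest` and `makeUnsignedToken` are hypothetical helper names.

```javascript
// Added example for a Node.js backend; no third-party packages required.

// Decode the payload of a compact JWT without checking its signature. Signature,
// issuer and audience validation stay with passport-azure-ad's BearerStrategy;
// this helper only shows which claims a token actually carries.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Pick a stable identity from Azure AD claims. `tid` and `oid` are present in
// every Azure AD user token; `email`, `upn` and `preferred_username` are optional
// and vary by account type, token version and app configuration.
function resolveIdentity(claims) {
  if (!claims.tid || !claims.oid) {
    throw new Error('missing tid/oid claim');
  }
  const emailSource = ['email', 'upn', 'preferred_username'].find((c) => claims[c]);
  return {
    id: `${claims.tid}/${claims.oid}`, // key used for authorization decisions
    email: emailSource ? claims[emailSource] : null,
    emailSource: emailSource || null,
  };
}

// Verify callback in the shape BearerStrategy is assumed to invoke when the
// strategy is created with `passReqToCallback: true`: (req, token, done).
// An email posted in the request body (the Solution's approach) is only used
// as a display value when the token itself carries none; the authorization key
// is always the token's tid/oid pair, which the client cannot choose.
function verifyWithRequest(req, claims, done) {
  let user;
  try {
    user = resolveIdentity(claims);
  } catch (err) {
    return done(null, false, { message: err.message });
  }
  if (!user.email && req && req.body && typeof req.body.email === 'string') {
    user.email = req.body.email;
    user.emailSource = 'request-body (unverified)';
  }
  return done(null, user);
}

// Constructed sample tokens: unsigned, demonstration only, not real Azure AD tokens.
function makeUnsignedToken(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.`;
}

const TOKEN_WITH_EMAIL = makeUnsignedToken({
  tid: '00000000-0000-0000-0000-000000000001',
  oid: '11111111-1111-1111-1111-111111111111',
  email: 'alice@example.com',
  scp: 'user.read',
});

const TOKEN_WITHOUT_EMAIL = makeUnsignedToken({
  tid: '00000000-0000-0000-0000-000000000001',
  oid: '22222222-2222-2222-2222-222222222222',
  scp: 'user.read',
});

// Usage: wire verifyWithRequest as the verify function of
// new BearerStrategy({ ..., passReqToCallback: true }, verifyWithRequest)
// and inspect claims during debugging with decodeJwtPayload(token).
```

Inspecting the decoded payload of the token the frontend actually sends is the quickest way to see whether the `email`/`upn` claims are missing for a given account, which is the situation described in the question.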