Skip to content

ID token claims overwritten by access token claims, making original aud inaccessible #54

Description

@artinboghosian

The strategy decodes the ID token, validates its claims (including aud), and then merges in decoded access-token claims. If both tokens contain the same claim names, the access token values overwrite the ID token values. This makes it impossible for applications to access the original ID token audience (aud) through raw_info, because those values may have been replaced by the access-token versions.

To Reproduce

  1. Authenticate with Entra ID using the strategy.
  2. Inspect auth.extra.raw_info.
  3. Notice that the aud value matches the Microsoft Graph audience (00000003-0000-0000-c000-000000000000) instead of the application’s client ID from the ID token.
  4. The original ID-token-derived aud is no longer available.

Expected behavior

The original ID token claims should remain accessible to the application (either separately or preserved in raw_info) so applications can rely on them for tenant resolution or additional validation.

Additional context

The strategy correctly validates the ID token audience internally, but applications cannot access that original value because the merged access token data overwrites it. This makes it difficult to use aud (and similar identity claims) for multi-tenant resolution or downstream logic. Exposing ID token claims separately or preventing overwrites for critical fields would help.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions