The strategy decodes the ID token, validates its claims (including aud), and then merges in decoded access-token claims. If both tokens contain the same claim names, the access token values overwrite the ID token values. This makes it impossible for applications to access the original ID token audience (aud) through raw_info, because those values may have been replaced by the access-token versions.
To Reproduce
- Authenticate with Entra ID using the strategy.
- Inspect auth.extra.raw_info.
- Notice that the aud value matches the Microsoft Graph audience (00000003-0000-0000-c000-000000000000) instead of the application’s client ID from the ID token.
- The original ID-token-derived aud is no longer available.
Expected behavior
The original ID token claims should remain accessible to the application (either separately or preserved in raw_info) so applications can rely on them for tenant resolution or additional validation.
Additional context
The strategy correctly validates the ID token audience internally, but applications cannot access that original value because the merged access token data overwrites it. This makes it difficult to use aud (and similar identity claims) for multi-tenant resolution or downstream logic. Exposing ID token claims separately or preventing overwrites for critical fields would help.
The strategy decodes the ID token, validates its claims (including aud), and then merges in decoded access-token claims. If both tokens contain the same claim names, the access token values overwrite the ID token values. This makes it impossible for applications to access the original ID token audience (aud) through raw_info, because those values may have been replaced by the access-token versions.
To Reproduce
Expected behavior
The original ID token claims should remain accessible to the application (either separately or preserved in raw_info) so applications can rely on them for tenant resolution or additional validation.
Additional context
The strategy correctly validates the ID token audience internally, but applications cannot access that original value because the merged access token data overwrites it. This makes it difficult to use aud (and similar identity claims) for multi-tenant resolution or downstream logic. Exposing ID token claims separately or preventing overwrites for critical fields would help.