Implicit Grant flow and group membership within ID_TOKEN

Hi,

I recently realized, thanks to a colleague, @MMeuree, that the ID_TOKEN that’s supposed to contain the group membership, as shown below:

[Image: idtoken]

does not list more than 4 groups (here I grabbed the token using another flow). So, if the user belongs to more than 4 groups, you’re going to see hasgroups: true in the token instead of the actual groups. This behavior is by design, no matter what you specified for the groupMembershipClaims attribute in the App manifest. So, the alternative is simply to query the Graph API.
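One way to handle both cases in a client, as an added example that is not part of the original post: it reads the groups claim when it is present and falls back to a Graph call when the token carries hasgroups instead. The Microsoft Graph getMemberObjects endpoint, the injected fetchImpl and accessToken parameters, and the sample tokens are assumptions made here.

```javascript
// Added example, not from the original post.
// Reads claims only: signature, issuer, audience and nonce validation must
// already have succeeded before any of these claims are trusted.
function decodeClaims(idToken) {
  const parts = idToken.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/"); // base64url -> base64
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Classify how the token conveys group membership.
function groupSource(claims) {
  if (Array.isArray(claims.groups)) return "token"; // groups listed inline
  if (claims.hasgroups === true || claims.hasgroups === "true") return "graph";
  return "none"; // no group information emitted at all
}

// accessToken (a token for Graph) and fetchImpl are supplied by the caller;
// both are assumptions of this sketch.
async function resolveGroups(idToken, accessToken, fetchImpl) {
  const claims = decodeClaims(idToken);
  const source = groupSource(claims);
  if (source === "token") return claims.groups;
  if (source === "none") return [];
  const res = await fetchImpl("https://graph.microsoft.com/v1.0/me/getMemberObjects", {
    method: "POST",
    headers: { Authorization: "Bearer " + accessToken, "Content-Type": "application/json" },
    body: JSON.stringify({ securityEnabledOnly: false }),
  });
  // Fail closed: never treat a failed lookup as "no groups".
  if (!res.ok) throw new Error("Graph lookup failed: " + res.status);
  return (await res.json()).value; // array of group object ids
}

// Builds constructed, unsigned sample tokens for illustration only.
function makeToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return enc({ alg: "none" }) + "." + enc(claims) + ".sig";
}
```

Group claims read in the browser are suitable for adjusting the UI only; the API that enforces access should perform the same lookup on its side.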

Happy Coding!

About Stephane Eyskens

Office 365, Azure PaaS and SharePoint platform expert