Hi... I'm integrating my own app with MS SSO and o...
# cfml-general
a
Hi... I'm integrating my own app with MS SSO, and once I authenticate and then get the token from the OAuth2 call, I get the token back and decode it; however, there isn't anything in it identifying the user. From the docs, it looks like I should be able to get the verifiedEmail field, but only if my token is version 2. I can't seem to figure out how to get the version 2 token, and some articles say it doesn't support version 2. So I'm kinda at a loss to understand: once they authenticate and I get the token back, how do I match them back to a user in my system?
g
Are you doing Microsoft Entra ID?
a
@gsr, yes.
g
So what issues exactly are you facing?
a
So, I get the v1 token back, and at that point I know they've authenticated successfully with MS, but I don't really know who they are. I.e., in my database they might be UserID 1234, but how do I know that? The only thing I can see is that the upn in the token is my email address, so I suppose I can determine that if the UPN is the email address of UserID 1234 in my database, then they must be UserID 1234. But the MS docs say the UPN isn't necessarily the email address of the user and could be a phone number or another unique identifier.
s
If your response contains the userid or userprincipalname (upn), you can use /users/{userid or upn} to fetch the user info; there you can find which user it is. https://learn.microsoft.com/en-us/graph/api/user-get?view=graph-rest-1.0&tabs=http
a
Hi @Sathya M, I tried doing this and seem to keep getting this message: "code":"InvalidAuthenticationToken","message":"Access token validation failure. Invalid audience..." I can see in the token sent back that the following scopes are available: "scope": "User.Read User.Read.All User.ReadBasic.All", but when I make the HTTP call to users/{oid} with the access token, I get this Invalid audience message.
s
Include "https://graph.microsoft.com/.default" in the scope value ("scope": "https://graph.microsoft.com/.default User.Read User.Read.All User.ReadBasic.All") while getting the token.
a
@Sathya M, thanks... it's like 1 step closer, 2 steps back... so here's the latest... I added the scope and am using the v1.0 endpoints, and I can decode the JWT and see my oid and the rest of the claims; however, then I can't make the next call to the Graph /users/ endpoint because I get the invalid audience error. If I switch to the v2.0 endpoints for the auth/token requests, then I can call the Graph /users/ API fine; however, I can't decode the JWT anymore, so I don't know which user authenticated. I'm using the correct discovery keys endpoint as far as I can tell. I just get "signature is invalid".
a
@Sathya M, Thanks! That worked with one change. You had <cfset idToken = deserializeJson(...).id_token>, but id_token was an unsigned JWT. The JWT library I have won't decode that since there's no signature, so I wrote a quick function to get the payload base64, convert it to a string, and then deserialize it.
s
Great!
g
Here, to me, the problem seems to be with the JWT signature. For me, I had the issues coming up as "invalid algorithm" because Microsoft told me not to use a client secret. So I am still on that and have to fix it.