Description
In this month's Microsoft identity platform community call, Kyle Marsh, Principal Program Manager at Microsoft, shared the golden rules for tokens:
- Use tokens only for their intended function
- Never mess with someone else's tokens
- Cache the tokens appropriately
- Check for error classes instead of searching for specific error codes
ID Tokens - https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens
Access Tokens - https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens
More on Microsoft identity platform for developers - https://developer.microsoft.com/en-us/identity
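The golden rules above, applied to the claims of a token, as an added example that is not code from the call, from MSAL or from the demo app. It assumes a JWT library has already validated the signature and issuer and returned the claims as a dictionary; the client ID, App ID URI and every claim value below are constructed.

```python
"""Golden-rule checks for Microsoft identity platform tokens (added example).

Assumes signature/issuer validation has already been done by a JWT library;
these functions only apply policy to the resulting claims dictionary.
"""

# Constructed identifiers for the component running the checks (not real).
MY_CLIENT_ID = "11111111-2222-3333-4444-555555555555"          # our app registration
MY_API_ID = "api://11111111-2222-3333-4444-555555555555"       # our App ID URI

# Error codes from the token endpoint that all mean "we need to talk to the
# user again": the class to branch on, rather than any one specific code.
INTERACTION_ERRORS = {
    "interaction_required", "login_required", "consent_required", "invalid_grant",
}


def is_my_token(claims, my_ids):
    """Rule 2: the audience must be one of this component's own identifiers.

    An app compares against its client ID; an API against its client ID or
    App ID URI. Anything else is someone else's token and must not be used.
    """
    return claims.get("aud") in my_ids


def user_key(claims, cross_app=False):
    """Pick the stable key for per-user storage.

    sub is unique per user *per client ID*: it recognises a returning user
    without letting two apps correlate. oid (with tid) is the same for the
    user in every app. name, preferred_username and email can change, so
    they are deliberately never used as keys here.
    """
    if cross_app:
        return (claims["tid"], claims["oid"])
    return claims["sub"]


def is_guest(claims):
    """The idp claim appears only when the account is homed outside the
    issuing tenant (a guest); a native user has no idp claim."""
    return "idp" in claims


def group_memberships(claims):
    """Return the groups list, [] when the user is in none, or None on an
    overage (the tenant emitted _claim_names/_claim_sources or hasgroups
    instead of the list), so the caller knows it must query Graph instead of
    treating the user as group-less."""
    if "groups" in claims:
        return list(claims["groups"])
    if claims.get("hasgroups") or "groups" in claims.get("_claim_names", {}):
        return None
    return []


def next_step(token_error):
    """Rule 4: branch on the error class, not on a specific code."""
    if token_error is None:
        return "use_token"
    if token_error in INTERACTION_ERRORS:
        return "acquire_token_interactive"   # silent acquisition failed: go interactive
    return "fail_gracefully"


# Constructed sample claims, shaped like the ID token of a guest user whose
# home account is a consumer account, with a groups overage.
SAMPLE_GUEST_ID_TOKEN = {
    "aud": MY_CLIENT_ID,
    "iss": "https://login.microsoftonline.com/aaaaaaaa-0000-0000-0000-000000000001/v2.0",
    "tid": "aaaaaaaa-0000-0000-0000-000000000001",
    "oid": "bbbbbbbb-0000-0000-0000-000000000002",
    "sub": "constructed-per-app-subject-value",
    "name": "Kyle from Outlook",
    "idp": "live.com",
    "_claim_names": {"groups": "src1"},
}

# Constructed access token minted for a different API: not ours to inspect.
SAMPLE_FOREIGN_ACCESS_TOKEN = {"aud": "api://cccccccc-0000-0000-0000-000000000003"}


def evaluate(claims):
    """Run every check over one validated claims dictionary."""
    if not is_my_token(claims, {MY_CLIENT_ID, MY_API_ID}):
        return {"accepted": False}
    return {
        "accepted": True,
        "key": user_key(claims),
        "cross_app_key": user_key(claims, cross_app=True),
        "guest": is_guest(claims),
        "groups": group_memberships(claims),
    }


if __name__ == "__main__":
    print(evaluate(SAMPLE_GUEST_ID_TOKEN))
    print(evaluate(SAMPLE_FOREIGN_ACCESS_TOKEN))
    print(next_step("consent_required"))
```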
A: What I'd like to do is this: walk through some token scenarios, if you will, or ways that I've seen tokens being used or asked about. The first thing that was brought up just the other day was: what's the very minimum amount of information that we could have in a token that's used from Microsoft identity? So let me just clear off a couple of things here. What we're going to do here is just get the very minimum amount of information in an ID token.

So, let's go ahead here. I'm going to use the protocol here; I'm just going to use OpenID Connect, and the only scope I'm asking for here is openid. OpenID Connect is a standard built on top of OAuth 2 that you can use for authentication, and that's what we build an awful lot of our authentication inside of Microsoft identity on; it's our volume leader, if you will. We also support, of course, SAML and WS-Fed, but for new applications we always talk about OpenID Connect, so I'm going to go ahead and use an OpenID Connect request here to sign in a user now. This is the very first time this application has been used. I just recently deleted the service principal, so no one's used this application up till now, so we'll see some consent prompts, and this is the very basic information you see. There's two permissions that are here. The first one is maintain my access, and view my basic profile.

So all I've asked here is to authenticate the user, so my permissions are going to be very minimal here. I can view my profile, but I'm actually not asking for permission to access Microsoft Graph. I wouldn't see that in my access token, or my ID token rather, but I'm just gonna get the absolute minimum amount of information now.

One of the things you can do if you want to make yourself sort of a token viewer, so you can look at various scopes that you request in your tokens to see what the outcome is, is to have your application, a web-based application like this that's using implicit flow, simply redirect to the jwt.ms site, and we will take the token. As you can see up here in the address bar, this link has an ID token in it.

So the jwt.ms site will grab that token, put it into its text box here, and look at my decoded token. So it's a quick and easy way, if you want, to do a quick view of a token. Now, this is the bare minimum that we would provide for an authentication. The only thing I asked to do was sign in the user, so the only scope in this request was openid, and this is the information I do have. I have identifiable information about the user in that I can see this subject claim, sub, the subject claim, and that's a unique identifier for this user for this application. So if the same user uses a different application, it would be a different subject claim, but here I can see the subject claim so I know each user uniquely to my application.

I also, of course, can see the tenant. I get that both from who issued the token, it came from a particular tenant issuer, and I see that tenant ID here as well, and this is the absolute minimum information. Now, this is a great token if all you wanted to drive was to make sure that you were driving toward ultimate privacy. This particular company was being asked by its European Union workers council to make information about their, even their internal, users minimally available to other processes within their organization.

So internal line-of-business apps, if you will, and this would provide a great privacy option. Now, I will point out this is not something that we default in our MSAL libraries. In MSAL we always tag on an additional OpenID Connect scope, which is profile. So if I sign this user in using the profile scope as well, so this would be openid and profile, I will get some additional information. Key amongst these is the object ID.

So this does allow multiple applications to know that they're working with the same user. Additionally, I get some other claims here. I get a name claim and a preferred username claim. Those are things that might change over time. Users could change either one of those, and they are sort of things that do cross multiple boundaries as far as applications.

We also have the email OpenID Connect claim, so I'll sign the user in using that. In this case, notice that I dropped the profile information, so I no longer have that object ID, the unique-across-all-apps identifier, but I do have an email identifier. Well, that might be unique across apps; it's not a great identifier to use as a key, since that's a changeable object, right, that claim. I can change my email tomorrow and then you'd think I have a different user.

Although the subject, of course, would remain. So those are the basic tokens that OpenID provides, that are at least dictated by the OpenID Connect spec. These particular scopes, openid, profile and email, are done by there, and these are the sort of absolute minimum, if you will, if you are looking to drive privacy within your organization. There is one more I'll quickly do here: I could, of course, sign in with all three of those scopes.

So this is openid, email and profile, and in this case you do see all of that information that is baseline. If you will notice, at no point between any of those prompts... I signed in now three, four different ways: OpenID Connect on its own, that was the first time this application was used; I got a permission consent request to see my basic profile information, but then whether or not the application asked to just see profile, or just see email, or email and profile, we consider that all a single permission, so the user isn't prompted if you just change from "I want just email" to "email and profile". The user isn't prompted for an additional consent, because we see that as all the first part of the basic consent, the basic profile information. So this is a way, if you were trying to drive additional privacy or concerns of access to information within your organization, and all you needed to do is authenticate the user.
A: These are some claims that are in tokens that you can do just to see that. So let me take a look. I'm going to jump over to an application here and look at a couple of other authentications. So in this case this application lets me fiddle around with the various scopes that I'm going to use for signing in. In this case, I'm going to ask for no additional scopes, and this application does use MSAL.NET.

So we'll see what I get from a token where I'm asking for no scopes when I sign in; well, what MSAL will default in for me. So let's go ahead and sign in. We'll sign in that same user again. So this is the user we used on the web pages, and we see that without asking for any additional scopes, I see an object ID, I see a name, I see the preferred username, of course the same subject; I'm using the same application identifier here.

So this lets my application, as a developer, start to say, well, I'd like to see various other information about the user in the token. Let's take a look at some of the different ways that these users might manifest themselves. So I'm going to sign out of this application for the corporate user I've been using. Notice I'm using the common endpoint. This means I'm taking any user, whether they have a Microsoft corporate account or they have a Microsoft consumer account like Outlook, etc.

I'm gonna go back to asking for nothing in the sign-in scope, so I signed the user out of the app and it's finding the user, but this time I'm gonna go ahead and sign in a user from my Microsoft account, a personal account, so we'll go ahead here and sign in now. Again, this is the first time this user has ever seen this application. So I'm being asked if I trust the developer.

With this information again, it's viewing my basic profile, because I haven't asked for any additional scopes, and now I will go ahead and grant that consent, and here we can see that I get again that very basic level of information. I have a name, I have a preferred username and I have an object ID for this tenant. Now this particular tenant, 9-1-8, is telling me that this user is coming from a Microsoft consumer account. So this token is issued for this user for this particular... as their Microsoft identity themselves.

So I'm accessing this application as a consumer. I'll go ahead and sign out of this app as a consumer, and now, even though this is a multi-tenant app, I'm given choices about how I can sign a user in. So, for example, I could say I only want consumers, or I only want people with business accounts. But in this case I'm gonna sign this user in; I'm gonna sign in and I'm gonna say: I want only users from this particular tenant.

So a multi-tenant account allows me, as a developer, to get users from any tenant or all Microsoft consumer accounts, if that's what I choose, but I can also, even though it's a multi-tenant registration, say I'm signing in a user from a particular tenant only, and I can sign in that same user. And in this case, so we'll go back here and we'll pick "try our demo" as the consumer account, and now, interesting, this user is being shown this application again. That's because I'm signing in from this particular tenant.

So what's happening here is I'm not signing in Kyle from his consumer account; I'm signing in Kyle from this particular tenant. Now it turns out that Kyle from this particular tenant has an identity that's being authenticated back to his consumer account. So what that tells me as a developer is: this is a guest user in this tenant. So I only want users from a particular tenant, but that allows anyone who has an identity in that tenant.

And in this case my consumer account has an identity in this tenant as a guest, so notice that they're different values in the claims here. So instead of my Kyle Marsh, I've got my name "Kyle from Outlook". That's showing me that the name I've used inside of this tenant is that I'm coming from my consumer account. It's a different subject, even though it's the same person and I'm using the same authentication provider; it's a different subject, because it's not Kyle as a consumer.

It's Kyle as a guest in this tenant, and it's the guest in this tenant that's controlling my access to the various resources that this tenant provides. One other way that I could see that... now, most of the information I'm looking at here doesn't tell me necessarily that this user is a guest, right. Everybody has a name. Everybody has an object ID issued from this particular tenant. Where I can see that this user is a guest is that I also have an IDP claim in this token. This is telling me that this user is actually homed, if you will, or doing their authentication, their password, or passwordless, MFA, etc., coming from their home tenant, where my authentication provider really is. So here I can see that my IDP in this case is a Microsoft consumer tenant. So this is telling me this user is a guest here. If I had another Microsoft consumer account or an enterprise account, I would see a different IDP provider.

Now that may not be interesting to most developers, because I think it's fairly rare for a developer to say: I need to operate differently if this user is a guest. Now there may be, maybe your application does need to know that a user is a guest and should therefore only have some functionality, but in general you would be able to just see that information there. I can pop back over to the web page again and go ahead and sign in a user.
A: Anyone tell me what, when I sign in... I'm just gonna go ahead and get my openid profile here. Anyone wanna tell me what this token is telling me about the user? You can chime in on the text or go ahead and text in. Yeah, so Google is the IDP, so this particular user is coming from Google as a guest in this tenant. So I'm still signing in, so my issuer here is a Microsoft corporate tenant. There's my c72! That's my little demo tenant here, and yes, this user is a guest.

I can see he's coming... he has an IDP, so he's not natively authenticating here in this tenant, and he happens to be authenticating to Google, and all of the other information I would have... I have an object ID? Well, I didn't ask for an object ID. Then we go and ask for profile here so that I get an object ID. There's my object ID. Because I only asked for OpenID Connect I didn't get an object ID; if you use our MSAL, we default in, what would it do, our own profile?

So there's my object ID, etc. All right. So this tells me that this user is coming from a guest tenant. So there is a question about the little demo app I'm using, that toy app. Yeah, it's up on GitHub. I'll post a link to it at the end of the meeting, but these web pages here are just links, links for the repo. The redirect URI is jwt.ms. I can certainly post these particular queries or responses. If you want, for example, you can see one here.

It's just a regular OAuth 2 OpenID Connect string. I'm certainly happy to post those as well. All the changes between these particular links is simply the scopes that we put on the request. Unfortunately, you can't see it in the expansion there, but that's all that we're changing here between those, so that lets me see what I can, that if I needed to determine if a user was a guest I can also, by the way... Let me look at the token response here. In the token response, I can also get this information.

That token response is a great place to get debugging information and additional information as you're trying to troubleshoot. Here I can see that the user's home account identifier is this particular tenant. So here I can see it's also a consumer account. I get the user's email, the token expiration, the correlation ID, again a great thing for you to be logging so that we can understand any area of a particular transaction, and then, of course, I've got the actual unique identifier, the object ID and tenant ID, of the user there.

So the token response is always a great place to get that information. Let's see, so yeah, so guest users. Let me go back to my Google guest user, cuz there's a question about the email: I didn't ask for email. So, as we talked about at the beginning, in this case I'm driving it through OpenID Connect. So my OpenID Connect link is only asking for the very minimum information. I don't even have an object ID.

So let's do that as if I was using MSAL here, and here I will get an email as long as the system understands what, you know, for this user is. So email is not something that's on by default, but if you use MSAL we default in profile; we default in openid and profile whenever you use MSAL. So I specifically wanted to call that out here. I wasn't planning on drilling into any access tokens here.

Although the claim values here are much the same whether they're sent to an access or an ID token, we could look at those, but if we get time at the end, I could try to adjust for that. Let's see, I've got another question here: "I'm not sure what is it on by default". If that's referring to email, email is not on by default; you have to ask for it one way or another. And yes, I'm gonna get to some custom organization of these tokens in just a minute.

So let's go back to our little app. So you've seen here that I can sign in the user as a guest as well, both in our web page and here, and I can see different responses because of that. So let's go back to... so now, let's go back to our app registration. So here's the application registration for our little token trick app. What I'm going to do now is take a look at our token configuration preview, which allows us to start adding some custom capabilities for our token without having to go... What we've been doing before was requiring you to go and edit the manifest. So let's look at the optional claims that are available. So the first thing it's going to ask me is whether I'm asking for the optional claims that are going to be in my ID or access token. Since I'm set up to do ID tokens right now, let's go ahead and pick that, and here you can see I could have asked for email to be part of a custom claim through this process.

I could also ask for these additional values like family name, given name and sid, session ID. So let's go ahead and add those. Since, well, actually, well, we can add email, although we're already asking for that. We'll go ahead and add that in. So now these are available as custom claims. So let me go back to my application. I'll sign out this user and let's go ahead here and we'll sign in; let's sign in my corporate user again.

Sometimes it takes a minute for this to propagate. So, let's see if we have... oh, here we are, we've got our email. Of course, there's my family name and given name as well as my sid. So if I wanted these custom claims, one way to easily do that now is with our preview functionality here in token configuration. So that's one thing: I can add some optional claims. Another thing I can look at is, let me go here.
A: We do have a list of optional claims available as well in the documentation, so you can come in, and we will provide, and see how I'm gonna get our optional claims. These are all the various other optional claims that you can ask for. Some of these we've built into the UI already; some of them might still be coming. The other option here is that I could go to my application registration, and I could have looked, if I go here. Let's cancel out of that.

I'll come down here to the manifest, and you can see how we've been adding the optional claims into the manifest. Down here are my optional claims. I want them in my ID token, and I could do some additional claims from this list in that same process. So if we don't have it already built into the UI, you can go in and add some more given the information here on the optional claim list.

So that lets me add some. So now we've added these optional claims. Let's do another round here. We'll go back to the registration, our token configuration preview. So one is optional claims straight up. The other one is to help add for the groups claim. So there's some interesting capabilities. Again, we do have a link to the documentation, so you can jump right out to it. We're going to customize our ID token. So the first choice we get is what kind of directory groups am I looking for.

Do I want just security groups, or I want all groups, and do I want directory roles or not. Let's go ahead and start with just security groups, and here I have a choice of what identifiers I want to see. Now, I'm gonna leave it at group ID, because the sAMAccountNames require when things come from on-premises, my domain, and my tenant here is cloud only. But I will, so let me go first and I'm just gonna take a look at this group claim, so I'll add that. So now I've added the request. Now I can ask for these to appear in either access or ID tokens. So it's easy for you, depending upon where you expect to get the token, whether you're an API provider and expect to see it in an access token or whether you're an application and expect to see it in your ID token, you can manipulate both of those. So let's go back to... I'll go ahead and sign out this user. We're going to sign back in again; we'll take the corporate identity.

We'll get our new ID token here, and we should see... what am I? I'm Kyle at Microsoft identity, so I should have groups. Let me go ahead and check that, so let's sign out again. Sometimes it does take a moment for this to propagate; I noticed that last night. Let's see, we got our groups. Sure, we got this in. We're gonna go to the group ID, okay, and let's go ahead and run that again.

B:

A: The other way is that I can say, instead of seeing groups as a... I'd like to convert these into being roles directly. Yeah. So we do see the conversion to role, so here I can see that I have roles that are effectively group identifiers. So this is one way for you to say: I know which groups the user, my groups, I understand which groups will apply to which roles. It's just a way for you to decide whether you as a developer want to process this off of a groups claim or a roles claim.

It is given to you as a choice; it's either one. So let's go ahead and I'm gonna show one other thing here with groups, though there are issues with groups that you should be aware of. That is that we do have a token growth concern with groups in terms of how many groups you might be a part of. Now, Kyle at Microsoft identity dev isn't a member of any particular number of groups. There's only a couple there.

So actually, so here again, this is, I signed in this user, but I've signed in this user from this particular tenant. So Kyle from Microsoft here is only seen in one group or one role, because I'm signing this user in as a guest. Let's sign the user out and we'll switch back over to the common endpoint, sign in Kyle again. Notice when I was prompted a moment ago I was given the opportunity to consent for everyone in my tenant. That's because Kyle is a guest user in this tenant.

It does have admin privileges; Kyle at Microsoft does not, but I do run into the problem I face with groups, even though I'm asking for them to be emitted as roles, which is Kyle is a member of too many groups inside of Microsoft. When you work in a big company like Microsoft, you tend to be joined to lots and lots of groups whether you know about them or not, and here I can see that I'd have too many groups to see, so I have to do my group overage claim.

So again, if I sign in my consumer user one more time as a consumer to this application, notice I'm acting on my own behalf here. So I'm Kyle, our demo at Outlook. I'm deciding as a consumer whether this application gets to see my email address or not, and I get that token. So here I can see the token that tells me that this user is being issued from this tenant. There's no ID provider here.

If I sign this user out as a consumer and say, is this user accessing this corporate tenant, I can sign in again using my consumer identity, but my token for this, it's the same user, will look somewhat different. Sure, I might have the same family name and given name. I'll have a different name, because this is the name that's been assigned to me within this tenant. So it's not Kyle Marsh, it's Kyle from Outlook, because that's the tenant set here, and I do have an alternate identity provider.
A: So I wanted this morning just to do a quick sort of look at a couple of things. First off, the different ways that you can add additional information into your tokens, and also just what we can do as an absolute minimum. I'm seeing some enterprises getting very concerned about privacy for their users. So the idea is: what's the least that we can provide in a token?

So, if I look at, say, the default email profile from OpenID Connect, of course I am asked for roles as well, so I would turn those off. This gives us an idea of, if you are concerned about the privacy of your users, how much information, you know, how little personal information could you provide to an application developer if you're concerned about the privacy of your users and access to other data, and then just taking a look at some of the things that we can do with respect to adding additional items into your tokens.

I do want to make one quick reiteration. I know I covered this on my last talk, but there are some golden rules you should be following with respect to tokens. First off, you need to make sure you only use them for their intended function. The spec writers have spent a lot of time determining what vulnerabilities there are and mitigating them, but they're always doing it with respect to the token being used for its particular purpose.

A token gives you, a particular API, your application, the right to call a particular API with a particular range of operation. The second rule is easier: never mess with someone else's token. If your client ID or API ID is not the audience, it's not your token. You shouldn't be playing with it. The way we see these broken most often is an application is trying to look inside of access tokens. Access tokens are for APIs. They're not for you to manipulate or to make decisions on inside of an application. We see APIs, either... we see two ways of misusing the ID token: either APIs accepting an ID token as an access token, which really just means your API has no protection of its own, because it's just accepting an ID token. So you don't know whether users should have access to your resource, and, as enterprises are looking for ever more sophistication in the way they protect their users and their resources, we're saying your resources don't get to be protected in the way that enterprises want to protect things today. Things like conditional access policies can't be applied, and the same thing applies if an API says, well, as long as I get an access token that works for any API, it should work for me. Again, you're not protecting your API; you're not allowing your enterprise to properly protect your situation either. So we get a lot of requests of: could I do this with a token, or could I do that with a token?

If it's not your token, you shouldn't be messing with it. So an API should never accept an access token for another API, because it's not their token. That audience has to be for your component. The audience claim has to match up with your client ID if you're an app, or your client ID / API ID if you're an API. Make sure you cache tokens appropriately. Yes, our MSAL libraries, of course, handle this by default.

We issue tokens that are valid for a particular amount of time, as specified in the token, and you can see it in the token response; you don't have to look in the token to find that information. If you keep asking for tokens over and over again, sure, we might provide them, but we also might look at your application and start saying it's something that we need to throttle, because you're using the system inappropriately. And then, finally, as you look at tokens, it's really one common transaction.

You as a developer have to keep in mind: you asked for a token. You either get the token or you don't. If you don't get the token, you have to fail over gracefully, whatever that means. There's a myriad of reasons you may not get that token nowadays: you may not get consent, maybe there's a conditional access policy being applied because of the resources being accessed. There's a lot of sophistication that's going into protecting these valuable resources.

So you always have to assume there may be, at any point in time, you're not going to get a token. So you have to make sure you fail over gracefully, but that's the only transaction you have with us: can I have a token, and we either give you a token or not. Your control over that request is: here's the scope. Here is the reason I'm asking for this token: I'd like to identify the user, so you use OpenID Connect; I'd like to access an API, so here's the scope to call that API. That's really the transactions you have. If you start checking for specific errors like, oh, the user needs to re-authenticate, or consent is needed, you might miss a broader class, which is these... We might group all of those into saying, hey, these all mean that we need to talk to the user, so move from MSAL's AcquireTokenSilent into MSAL's AcquireTokenInteractive. So that's the idea of making sure that you code to the error classes, and therefore you won't miss a specific error code.

So there's a question of how MSAL caches the token. I'd actually have to check, but it would depend on the token itself. Obviously, we don't actually have email in all tokens, and we also don't have object IDs in all tokens, so you have to be able to cache it depending upon what information you get. Most of that information is going to come out of the token response anyway. Depending, well, if it's caching an access token, it has to cache off the information available in the response.

So the token response, as opposed to the information available in the token itself. So remember, we're not going to, probably, be cracking access tokens as they go by; that caching all happens based on the scopes and the user identifier that's in the token responses. So, other questions... I see Hertz is on the line; he's our token expert, by the way. I'm just someone who plays at understanding tokens from time to time, but Hertz is our token expert here. So thanks, Hertz, for coming online. I see you've answered a bunch of questions.
B: How to ask verbally... I put it in the chat. You mentioned subject is generally abstracted to be application specific rather than spanning applications, and differentiated from object ID in that regard. Is that something that came out of the spec, or is that a decision that AD has made? I've noticed B2C, the built-in flows and the default behavior for custom flows, is object ID is returned as the subject, so I'm trying to figure: are they taking a different decision with regards to that, or are they violating the spec?

A: I'd have to check whether the spec is requiring subject to be application specific. B2C is a different beast, of course, because it's the identity provider for the solution itself, so B2C has a very different view of the world. So, for example, B2C doesn't have permission and consent problems, because the resource owner is the application itself.

So all of this is about me, right, so it has a different point of view on things like permission, consent and certainly things like subject and object ID, since the solution is the identity provider. So it's got a closer connection there. So whether that's a violation of spec, I'd have to check, but you can see it comes from a very different point of view with respect to who the source of the identity provider is. Does that make sense? Did I explain that at all?

There was a question above: what's the difference between the subject and the OID? In the case of our Azure Active Directory and Microsoft consumer accounts, the object ID is a fixed identifier for this identity anyway. So the object ID is this fixed identity that will, against any application, any time you reference this identity, that object ID would be the same, regardless of any other changes that happened to that object. A subject is similar, but it's generated on a per-application basis, so for every client ID that user will have a specific subject, and it will be the same subject no matter other changes to the record. But if I go to a different application, that same user would get a different subject. So it allows me to identify a user uniquely to an application, but not allow two applications to figure out it's the same user.

B: Thanks for the explanation. This is Brianne. Hey, so I have a question on this subject. So, as per the documentation, we can use the subject to identify the user in an application. That's what the Microsoft document says, but how will an application get this subject information in the claim?

A: So if I look at any of these claims here, there's always a subject. So here's the subject for whoever this is. This is Kyle Mar... this is my consumer account as a guest in this particular tenant. So here's this identical, so that in this case I'm identifying Kyle as a guest in this tenant who happens to be using his consumer account, but that doesn't matter. Kyle, I guess, is a guest in this tenant.

You can't know the subject until the user authenticates. We don't know who the user is, and once we know who the user is, we'll tell you right away in the subject claim of the ID token. But there's no way for you to know ahead of time, because no one's identified the user yet, who this subject might be, and it's not something the user would ever see or understand. It's there for you to use as a key for, you know, a database lookup, or however you want to identify this user. If you told your application developers to use subject, what you're saying is: I don't want you coordinating different actions across applications; the subject ID is enough for you to identify this user to the application. If you say go ahead and use object ID, you're saying multiple applications could understand it's the same user, because they would get the same object ID for the same user. Thanks.

...that you need to know when that user comes back. Assuming that you have information to store on a per-user basis, then yes, this is the key. So supposing there's something very simple: you have a table where you want, you know, this user set this attribute. The key to that table is either subject or object ID, and if you want to go with subject, that's great. So, yes, the subject becomes the key you're going to use to look up whatever this user did the last time he was here. Okay.

If you have to store things on a per-user basis, it's absolutely preferable that you use either subject, or object ID plus tenant ID, because object ID, if you're a single-tenant app... because those are unique identifiers, so that when that same user comes back, regardless of changing their name or email or anything else, when you have to say what did that user do last time they were here, I key off of subject or I key off of object ID and I get that answer. Thanks.

B:

A: I know that we're looking at what our alternatives are to do that. There were some issues with the AMR, so we want to make sure we can do a better job of consistency and so on. So I know that it has been brought up as a question, because lots of you were looking for AMR. They saw it in v1 and they are asking, you know, what do I do to replicate the functionality or replicate the information.

B:

A: So the question about sharing the link: I'll share a link to the app I was using. I can also post those little links, if you want to do the things I was doing in the browser. That's fine as well. I'll post all of those at the end of the conversation. You know, it's a good question: I don't know!

If we're going to do extension attributes via the UI, you can do them in the manifest. I'll have to find out if we're gonna be adding that to the UI as well. I think we're probably looking for more common ones there, but I'll have to check. So a different format today, not a lot of slides, just a lot of playing around with tokens. I hope it was interesting.