Fix email resolution from Azure AD token claims

Azure AD v1 access tokens (sts.windows.net issuer) use the 'upn' claim for the user principal name/email, not 'email' or 'preferred_username'. Add 'upn' as a fallback so email is correctly resolved on login. Also add debug logging to show which claims are present. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-03 15:55:00 +00:00 · 2026-03-03 15:55:00 +00:00 · dfb758fa61
commit dfb758fa61
parent fa00a86777
1 changed files with 9 additions and 1 deletions
--- a/backend/app/dependencies/auth.py
+++ b/backend/app/dependencies/auth.py
@ -101,9 +101,17 @@ async def get_current_db_user(
            detail="Missing user identifier in token claims",
        )

+    # Azure AD v1 access tokens use 'upn'; v2/ID tokens use 'email' or 'preferred_username'
+    email = (
+        user_claims.get("email")
+        or user_claims.get("preferred_username")
+        or user_claims.get("upn")
+        or ""
+    )
+    logger.debug(f"[Auth] Resolved email='{email}' from claims keys: {list(user_claims.keys())}")
    user = await user_repo.get_or_create_from_azure(
        azure_ad_oid=azure_oid,
-        email=user_claims.get("email", user_claims.get("preferred_username", "")),
+        email=email,
        name=user_claims.get("name", "Unknown"),
    )