From dfb758fa61bf4e9bd6c22f76579f336212b4cd50 Mon Sep 17 00:00:00 2001
From: Vadym Samoilenko
Date: Tue, 3 Mar 2026 15:55:00 +0000
Subject: [PATCH] Fix email resolution from Azure AD token claims

Azure AD v1 access tokens (sts.windows.net issuer) use the 'upn' claim for the user principal name/email, not 'email' or 'preferred_username'. Add 'upn' as a fallback so email is correctly resolved on login. Also add debug logging to show which claims are present.

Co-Authored-By: Claude Sonnet 4.6
---
 backend/app/dependencies/auth.py | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/backend/app/dependencies/auth.py b/backend/app/dependencies/auth.py
index 063c18b..08c4f60 100755
--- a/backend/app/dependencies/auth.py
+++ b/backend/app/dependencies/auth.py
@@ -101,9 +101,17 @@ async def get_current_db_user(
 detail="Missing user identifier in token claims",
 )
+ # Azure AD v1 access tokens use 'upn'; v2/ID tokens use 'email' or 'preferred_username'
+ email = (
+ user_claims.get("email")
+ or user_claims.get("preferred_username")
+ or user_claims.get("upn")
+ or ""
+ )
+ logger.debug(f"[Auth] Resolved email='{email}' from claims keys: {list(user_claims.keys())}")
 user = await user_repo.get_or_create_from_azure(
 azure_ad_oid=azure_oid,
- email=user_claims.get("email", user_claims.get("preferred_username", "")),
+ email=email,
 name=user_claims.get("name", "Unknown"),
 )
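Review bot: The added `logger.debug` line writes the resolved email into the log and formats the f-string eagerly even when DEBUG is disabled; since the value is personal data taken straight from token claims, log only the claim keys with lazy formatting, e.g. `logger.debug("[Auth] Resolved email from claims keys: %s", list(user_claims.keys()))`. The widened fallback also means the `email` argument can now carry a `preferred_username` or `upn` value that is not a verified address (Azure AD documents `preferred_username` as mutable and not necessarily an email, and guest-user UPNs use the `#EXT#` form), so nothing downstream should treat that field as verified or unique. If `get_or_create_from_azure` ever matches existing users by email rather than by `azure_ad_oid`, a mutable claim would select the account — the repository is not visible here, so confirm it keys on the OID only. `get_current_db_user` begins and ends outside the hunk.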