Add 'show_claims' argument to 'get_access_token' command

Author: gamontal

src/azure-cli/azure/cli/command_modules/profile/__init__.py

@@ -77,6 +77,6 @@ def load_arguments(self, command):
             c.argument('resource', options_list=['--resource'], help='Azure resource endpoints in AAD v1.0.')
             c.argument('scopes', options_list=['--scope'], nargs='*', help='Space-separated AAD scopes in AAD v2.0. Default to Azure Resource Manager.')
             c.argument('tenant', options_list=['--tenant', '-t'], help='Tenant ID for which the token is acquired. Only available for user and service principal account, not for MSI or Cloud Shell account')
-
+            c.argument('show_claims', help='Show the decoded claims of the token.')
 
 COMMAND_LOADER_CLS = ProfileCommandsLoader

src/azure-cli/azure/cli/command_modules/profile/_help.py

@@ -88,6 +88,9 @@
     - name: Get an access token to use with MS Graph API
       text: >
         az account get-access-token --resource-type ms-graph
+    - name: Show the decoded claims of the token
+      text: >
+        az account get-access-token --show-claims
 """
 
 helps['self-test'] = """

src/azure-cli/azure/cli/command_modules/profile/custom.py

@@ -53,7 +53,7 @@ def show_subscription(cmd, subscription=None):
     return profile.get_subscription(subscription)
 
 
-def get_access_token(cmd, subscription=None, resource=None, scopes=None, resource_type=None, tenant=None):
+def get_access_token(cmd, subscription=None, resource=None, scopes=None, resource_type=None, tenant=None, show_claims=False):
     """
     get AAD token to access to a specified resource.
     Use 'az cloud show' command for other Azure resources
@@ -73,9 +73,15 @@ def get_access_token(cmd, subscription=None, resource=None, scopes=None, resourc
         'expiresOn': creds[2]['expiresOn'],
         'tenant': tenant
     }
+
     if subscription:
         result['subscription'] = subscription
 
+    if show_claims:
+        import jwt
+        decoded = jwt.decode(creds[1], algorithms=['RS256'], options={'verify_signature': False})
+        result['claims'] = decoded
+
     return result
 
 

src/azure-cli/azure/cli/command_modules/profile/tests/latest/test_profile_custom.py

@@ -87,6 +87,22 @@ def test_get_raw_token(self, get_raw_token_mock):
         self.assertEqual(result, expected_result)
         get_raw_token_mock.assert_called_with(mock.ANY, None, None, None, tenant_id)
 
+        # test get token with decoded claims
+        test_token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJodHRwczovL2dyYXBoLm1pY3Jvc29mdC5jb20vIiwibmFtZSI6IlRlc3QgVG9rZW4ifQ.redacted"
+        get_raw_token_mock.return_value = (('bearer', test_token, token_entry), None, 'tenant123')
+        result = get_access_token(cmd, show_claims=True)
+        expected_result = {
+            'tokenType': 'bearer',
+            'accessToken': test_token,
+            'expires_on': timestamp,
+            'expiresOn': datetime_local,
+            'tenant': 'tenant123',
+            'claims': {'aud': 'https://graph.microsoft.com/', 'name': 'Test Token'}
+        }
+
+        self.assertEqual(result, expected_result)
+        get_raw_token_mock.assert_called_with(mock.ANY, None, None, None, None)
+
     @mock.patch('azure.cli.command_modules.profile.custom.Profile', autospec=True)
     def test_get_login(self, profile_mock):
         invoked = []