npm - @villedemontreal/jwt-validator - Versions diffs - 5.10.1 → 5.10.3 - Mend

@villedemontreal/jwt-validator 5.10.1 → 5.10.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/dist/src/models/identities.d.ts +33 -11
package/dist/src/utils/createIdentityFromJwt.js +47 -34
package/dist/src/utils/createIdentityFromJwt.js.map +1 -1
package/dist/src/utils/createIdentityFromJwt.test.js +138 -1
package/dist/src/utils/createIdentityFromJwt.test.js.map +1 -1
package/package.json +3 -3
package/src/models/identities.ts +34 -12
package/src/utils/createIdentityFromJwt.test.ts +152 -1
package/src/utils/createIdentityFromJwt.ts +55 -42

package/src/models/identities.ts CHANGED Viewed

@@ -167,6 +167,9 @@ export type CitizenAttributes = CommonUserAttributes & {
 /**
  * The attributes of an employee: a user on the payroll of the city of Montreal.
  *
+ * Note that a generic user that has all the required attributes of an employee would be detected as such,
+ * for testing purposes.
+ *
  * The ID is mapped to the username.
  */
 export type EmployeeAttributes = CommonUserAttributes & {
@@ -210,13 +213,20 @@ export type EmployeeAttributes = CommonUserAttributes & {
    * The account profile that was selected upon logon.
    */
   accountProfile: AccountProfile;
+  /**
+   * Specifies if the account presented as an external user is a generic account, used for testing purposes.
+   */
+  isGeneric: boolean;
 };
 /**
- * The attributes of an external user: a user that is not on the payroll of the city of Montreal but actively collaborates
+ * The attributes of an external user: a user that is not on the payroll of the city of Montreal but actively collaborates
  * with the city and has his own internal email and short code (starting with the letter x).
-* The ID is mapped to the username.
+ *
+ * Note that a generic user that has all the required attributes of an external user would be detected as such,
+ * for testing purposes.
+ *
+ * The ID is mapped to the username.
  */
 export type ExternalUserAttributes = CommonUserAttributes & {
   type: 'external';
@@ -251,12 +261,20 @@ export type ExternalUserAttributes = CommonUserAttributes & {
    * The account profile that was selected upon logon.
    */
   accountProfile: AccountProfile;
+  /**
+   * Specifies if the account presented as an external user is a generic account, used for testing purposes.
+   */
+  isGeneric: boolean;
 };
 /**
  * The attributes of a generic user: a fake user used for testing only, that has the right profile or role to perform specific tasks.
-* The ID is mapped to the username.
+ *
+ * Note that if a generic user has all the required attributes of an employee or an external user, then it will be detected
+ * as such an employee or external user, for testing purposes, and not as a generic user.
+ * However, citizens and guest users cannot be generic.
+ *
+ * The ID is mapped to the username.
  */
 export type GenericUserAttributes = CommonUserAttributes & {
   type: 'generic';
@@ -411,16 +429,20 @@ export type ServiceAccountAttributes =
  */
 export type IdentitySource = {
   /**
-   * The audience of the JWT, which is usually the clientID our appId.
+   * The audience of the JWT, which is usually the clientID of our appId.
    */
   aud: string;
   /**
-   * Which service issued the JWT that we parsed into an identity.
+   * The display name of the audience of the JWT, which is usually the name of our app.
+   */
+  audDisplayName?: string;
+  /**
+   * Specifies which service issued the JWT that we parsed into an identity.
    * Usually, this would be 'security-identity-token-api'.
    */
   issuer: string;
   /**
-   * Which IDP produced the access token that was submitted to TokenAPI.
+   * Specifies which IDP produced the access token that was submitted to TokenAPI.
    * For EntraID, this would be https://login.microsoftonline.com/9f15d2dc-8753-4f83-aac2-a58288d3a4bc/v2.0,
    * for Azure AD B2C https://connexion.montreal.ca,
    * for Gluu employee https://idp.montreal.ca,
@@ -429,22 +451,22 @@ export type IdentitySource = {
    */
   accessTokenIssuer?: string;
   /**
-   * Which claim was used for the unique ID of the identity.
+   * Specifies which claim was used for the unique ID of the identity.
    * This could be: userName, email, mtlIdentityId, aud, sub
    */
   claim: string;
   /**
-   * The internal ID that would provide access to the user object in the IDP itself.
+   * Specifies the internal ID that would provide access to the user object in the IDP itself.
    * For Azure, this would be the 'oid' (or objectID) and for Gluu this would be the inum (or sub).
    */
   internalId: string;
   /**
-   * The realm that produced the access token.
+   * Specifies the realm that produced the access token.
    * This could be: employees, citizens, anonymous
    */
   realm: string;
   /**
-   * The name of the environment that produced the JWT.
+   * Specifies the name of the environment that produced the JWT.
    * This could be:  lab, dev, accept, prod
    */
   env?: string;

package/src/utils/createIdentityFromJwt.test.ts CHANGED Viewed

@@ -66,12 +66,14 @@ describe('createIdentityFromJwt', () => {
         firstName: 'John',
         lastName: 'DOE',
         accountProfile: 'vdm',
+        isGeneric: false,
       },
       source: {
         issuer: 'security-identity-token-api',
         accessTokenIssuer:
           'https://login.microsoftonline.com/9f15d2dc-8753-4f83-aac2-a58288d3a4bc/v2.0',
         aud: 'e5dd632b-cb97-48d7-a310-5147be717cde',
+        audDisplayName: 'infra-auth-auth-playground-dev',
         env: 'dev',
         realm: 'employees',
         claim: 'userName',
@@ -80,7 +82,7 @@ describe('createIdentityFromJwt', () => {
     });
     // console.log(JSON.stringify(identity));
     expect(JSON.stringify(identity)).to.eql(
-      `{"type":"user","id":"udoejo3","displayName":"John DOE","attributes":{"type":"employee","email":"john.doe@montreal.ca","username":"udoejo3","registrationNumber":"100674051","department":"421408000000","firstName":"John","lastName":"DOE","accountProfile":"vdm"},"source":{"aud":"e5dd632b-cb97-48d7-a310-5147be717cde","issuer":"security-identity-token-api","accessTokenIssuer":"https://login.microsoftonline.com/9f15d2dc-8753-4f83-aac2-a58288d3a4bc/v2.0","env":"dev","realm":"employees","claim":"userName","internalId":"0b64042a-9cce-42dc-b645-cd721cbbc179"}}`
+      `{"type":"user","id":"udoejo3","displayName":"John DOE","attributes":{"type":"employee","email":"john.doe@montreal.ca","username":"udoejo3","registrationNumber":"100674051","department":"421408000000","firstName":"John","lastName":"DOE","accountProfile":"vdm","isGeneric":false},"source":{"aud":"e5dd632b-cb97-48d7-a310-5147be717cde","audDisplayName":"infra-auth-auth-playground-dev","issuer":"security-identity-token-api","accessTokenIssuer":"https://login.microsoftonline.com/9f15d2dc-8753-4f83-aac2-a58288d3a4bc/v2.0","env":"dev","realm":"employees","claim":"userName","internalId":"0b64042a-9cce-42dc-b645-cd721cbbc179"}}`
     );
   });
@@ -128,12 +130,14 @@ describe('createIdentityFromJwt', () => {
         firstName: 'John',
         lastName: 'DOE',
         accountProfile: 'spvm',
+        isGeneric: false,
       },
       source: {
         issuer: 'security-identity-token-api',
         accessTokenIssuer:
           'https://login.microsoftonline.com/9f15d2dc-8753-4f83-aac2-a58288d3a4bc/v2.0',
         aud: 'e5dd632b-cb97-48d7-a310-5147be717cde',
+        audDisplayName: 'infra-auth-auth-playground-dev',
         env: 'dev',
         realm: 'employees',
         claim: 'userName',
@@ -187,12 +191,14 @@ describe('createIdentityFromJwt', () => {
         firstName: 'John',
         lastName: 'DOE',
         accountProfile: 'vdm-admin',
+        isGeneric: false,
       },
       source: {
         issuer: 'security-identity-token-api',
         accessTokenIssuer:
           'https://login.microsoftonline.com/9f15d2dc-8753-4f83-aac2-a58288d3a4bc/v2.0',
         aud: 'e5dd632b-cb97-48d7-a310-5147be717cde',
+        audDisplayName: 'infra-auth-auth-playground-dev',
         env: 'dev',
         realm: 'employees',
         claim: 'userName',
@@ -245,12 +251,14 @@ describe('createIdentityFromJwt', () => {
         firstName: 'John',
         lastName: 'DOE',
         accountProfile: 'vdm-admin',
+        isGeneric: false,
       },
       source: {
         issuer: 'security-identity-token-api',
         accessTokenIssuer:
           'https://login.microsoftonline.com/9f15d2dc-8753-4f83-aac2-a58288d3a4bc/v2.0',
         aud: 'e5dd632b-cb97-48d7-a310-5147be717cde',
+        audDisplayName: 'infra-auth-auth-playground-dev',
         env: 'dev',
         realm: 'employees',
         claim: 'userName',
@@ -301,12 +309,14 @@ describe('createIdentityFromJwt', () => {
         firstName: 'John',
         lastName: 'DOE',
         accountProfile: 'vdm',
+        isGeneric: false,
       },
       source: {
         issuer: 'security-identity-token-api',
         accessTokenIssuer:
           'https://login.microsoftonline.com/9f15d2dc-8753-4f83-aac2-a58288d3a4bc/v2.0',
         aud: 'e5dd632b-cb97-48d7-a310-5147be717cde',
+        audDisplayName: 'infra-auth-auth-playground-dev',
         env: 'dev',
         realm: 'employees',
         claim: 'userName',
@@ -356,12 +366,14 @@ describe('createIdentityFromJwt', () => {
         firstName: 'John',
         lastName: 'DOE',
         accountProfile: 'vdm',
+        isGeneric: false,
       },
       source: {
         issuer: 'security-identity-token-api',
         accessTokenIssuer:
           'https://login.microsoftonline.com/9f15d2dc-8753-4f83-aac2-a58288d3a4bc/v2.0',
         aud: 'e5dd632b-cb97-48d7-a310-5147be717cde',
+        audDisplayName: 'infra-auth-auth-playground-dev',
         env: 'dev',
         realm: 'employees',
         claim: 'userName',
@@ -417,6 +429,127 @@ describe('createIdentityFromJwt', () => {
         accessTokenIssuer:
           'https://login.microsoftonline.com/9f15d2dc-8753-4f83-aac2-a58288d3a4bc/v2.0',
         aud: 'e5dd632b-cb97-48d7-a310-5147be717cde',
+        audDisplayName: 'infra-auth-auth-playground-dev',
+        env: 'dev',
+        realm: 'employees',
+        claim: 'userName',
+        internalId: '74096b4e-c090-4a97-af04-bbe25dc4f7d6',
+      },
+    });
+  });
+  it('should recognize a generic user as an employee', () => {
+    const jwt: any = {
+      iss: 'security-identity-token-api',
+      exp: 1722376780,
+      iat: 1722371805,
+      keyId: 6,
+      displayName: 'infra-auth-auth-playground-dev',
+      aud: 'e5dd632b-cb97-48d7-a310-5147be717cde',
+      name: 'C.Generique dsec developpeur2',
+      sub: 'mlKfaYaESpCXWGoHE3ej-kCaUBwfsQzqayvRvXXQHJo',
+      userName: 'umarba33',
+      givenName: 'C.Generique',
+      familyName: 'dsec developpeur2',
+      email: 'dsec.dev2.test@montreal.ca',
+      userType: 'employee',
+      department: '4211',
+      employeeNumber: '000333',
+      oid: '74096b4e-c090-4a97-af04-bbe25dc4f7d6',
+      isGenericAccount: true,
+      realm: 'employees',
+      env: 'dev',
+      accessTokenIssuer:
+        'https://login.microsoftonline.com/9f15d2dc-8753-4f83-aac2-a58288d3a4bc/v2.0',
+    };
+    const identity = createIdentityFromJwt(jwt);
+    // console.log(identity);
+    expect(identity.toString()).to.equal(
+      'user:employee:umarba33:C.Generique dsec developpeur2:dsec.dev2.test@montreal.ca:000333:4211:vdm'
+    );
+    delete identity.toString;
+    expect(identity).to.eql({
+      type: 'user',
+      id: 'umarba33',
+      displayName: 'C.Generique dsec developpeur2',
+      attributes: {
+        type: 'employee',
+        username: 'umarba33',
+        email: 'dsec.dev2.test@montreal.ca',
+        registrationNumber: '000333',
+        department: '4211',
+        firstName: 'C.Generique',
+        lastName: 'dsec developpeur2',
+        accountProfile: 'vdm',
+        isGeneric: true,
+      },
+      source: {
+        issuer: 'security-identity-token-api',
+        accessTokenIssuer:
+          'https://login.microsoftonline.com/9f15d2dc-8753-4f83-aac2-a58288d3a4bc/v2.0',
+        aud: 'e5dd632b-cb97-48d7-a310-5147be717cde',
+        audDisplayName: 'infra-auth-auth-playground-dev',
+        env: 'dev',
+        realm: 'employees',
+        claim: 'userName',
+        internalId: '74096b4e-c090-4a97-af04-bbe25dc4f7d6',
+      },
+    });
+  });
+  it('should recognize a generic user as an external user', () => {
+    const jwt: any = {
+      iss: 'security-identity-token-api',
+      exp: 1722376780,
+      iat: 1722371805,
+      keyId: 6,
+      displayName: 'infra-auth-auth-playground-dev',
+      aud: 'e5dd632b-cb97-48d7-a310-5147be717cde',
+      name: 'C.Generique dsec developpeur2',
+      sub: 'mlKfaYaESpCXWGoHE3ej-kCaUBwfsQzqayvRvXXQHJo',
+      userName: 'xmarba33',
+      givenName: 'C.Generique',
+      familyName: 'dsec developpeur2',
+      email: 'dsec.dev2.test@montreal.ca',
+      userType: 'employee',
+      department: '4211',
+      oid: '74096b4e-c090-4a97-af04-bbe25dc4f7d6',
+      isGenericAccount: true,
+      realm: 'employees',
+      env: 'dev',
+      accessTokenIssuer:
+        'https://login.microsoftonline.com/9f15d2dc-8753-4f83-aac2-a58288d3a4bc/v2.0',
+    };
+    const identity = createIdentityFromJwt(jwt);
+    // console.log(identity);
+    expect(identity.toString()).to.equal(
+      'user:external:xmarba33:C.Generique dsec developpeur2:dsec.dev2.test@montreal.ca:4211:vdm'
+    );
+    delete identity.toString;
+    expect(identity).to.eql({
+      type: 'user',
+      id: 'xmarba33',
+      displayName: 'C.Generique dsec developpeur2',
+      attributes: {
+        type: 'external',
+        username: 'xmarba33',
+        email: 'dsec.dev2.test@montreal.ca',
+        department: '4211',
+        firstName: 'C.Generique',
+        lastName: 'dsec developpeur2',
+        accountProfile: 'vdm',
+        isGeneric: true,
+      },
+      source: {
+        issuer: 'security-identity-token-api',
+        accessTokenIssuer:
+          'https://login.microsoftonline.com/9f15d2dc-8753-4f83-aac2-a58288d3a4bc/v2.0',
+        aud: 'e5dd632b-cb97-48d7-a310-5147be717cde',
+        audDisplayName: 'infra-auth-auth-playground-dev',
         env: 'dev',
         realm: 'employees',
         claim: 'userName',
@@ -470,6 +603,7 @@ describe('createIdentityFromJwt', () => {
         accessTokenIssuer:
           'https://login.microsoftonline.com/9f15d2dc-8753-4f83-aac2-a58288d3a4bc/v2.0',
         aud: 'e5dd632b-cb97-48d7-a310-5147be717cde',
+        audDisplayName: 'infra-auth-auth-playground-dev',
         env: 'dev',
         realm: 'employees',
         claim: 'userName',
@@ -515,6 +649,7 @@ describe('createIdentityFromJwt', () => {
         issuer: 'security-identity-token-api',
         accessTokenIssuer: 'security-identity-anonymous-token-api',
         aud: '@!4025.CA62.9BB6.16C5!0001!2212.0010!0008!2212.0010',
+        audDisplayName: 'Account Identity Managment',
         env: 'dev',
         realm: 'anonymous',
         claim: 'userName',
@@ -559,6 +694,7 @@ describe('createIdentityFromJwt', () => {
         accessTokenIssuer:
           'https://login.microsoftonline.com/9f15d2dc-8753-4f83-aac2-a58288d3a4bc/v2.0',
         aud: 'e5dd632b-cb97-48d7-a310-cde5147be717',
+        audDisplayName: 'infra-auth-auth-playground-dev',
         env: 'dev',
         realm: 'employees',
         claim: 'aud',
@@ -606,6 +742,7 @@ describe('createIdentityFromJwt', () => {
         issuer: 'security-identity-token-api',
         accessTokenIssuer: 'https://auth.dev.interne.montreal.ca',
         aud: '@!4025.CA62.9BB6.16C5!0001!2212.0010!0008!2212.0130',
+        audDisplayName: 'DiagnosticsCanary',
         env: 'dev',
         realm: 'citizens',
         claim: 'userName',
@@ -660,6 +797,7 @@ describe('createIdentityFromJwt', () => {
         accessTokenIssuer:
           'https://connexion.dev.montreal.ca/1543b575-116b-4325-a0bf-3ccdd7925321/v2.0/',
         aud: 'a496befa-db7d-45a6-ac7a-11471816b8f1',
+        audDisplayName: 'infra-auth-auth-playground',
         env: 'dev',
         realm: 'citizens',
         claim: 'mtlIdentityId',
@@ -715,6 +853,7 @@ describe('createIdentityFromJwt', () => {
         accessTokenIssuer:
           'https://login.microsoftonline.com/9f15d2dc-8753-4f83-aac2-a58288d3a4bc/v2.0',
         aud: 'a496befa-db7d-45a6-ac7a-11471816b8f1',
+        audDisplayName: 'infra-auth-auth-playground',
         env: 'dev',
         realm: 'employees',
         claim: 'userName',
@@ -757,6 +896,7 @@ describe('createIdentityFromJwt', () => {
         accessTokenIssuer:
           'https://login.microsoftonline.com/9f15d2dc-8753-4f83-aac2-a58288d3a4bc/v2.0',
         aud: 'a496befa-db7d-45a6-ac7a-11471816b8f1',
+        audDisplayName: 'infra-auth-auth-playground',
         env: 'dev',
         realm: 'employees',
         claim: 'sub',
@@ -799,6 +939,7 @@ describe('createIdentityFromJwt', () => {
         accessTokenIssuer:
           'https://login.microsoftonline.com/9f15d2dc-8753-4f83-aac2-a58288d3a4bc/v2.0',
         aud: 'a496befa-db7d-45a6-ac7a-11471816b8f1',
+        audDisplayName: 'infra-auth-auth-playground',
         env: 'dev',
         realm: 'employees',
         claim: 'sub',
@@ -858,6 +999,7 @@ describe('createIdentityFromJwt', () => {
           accessTokenIssuer:
             'https://login.microsoftonline.com/9f15d2dc-8753-4f83-aac2-a58288d3a4bc/v2.0',
           aud: 'e5dd632b-cb97-48d7-a310-5147be717cde',
+          audDisplayName: 'infra-auth-auth-playground-dev',
           env: 'dev',
           realm: 'employees',
           claim: 'userName',
@@ -917,6 +1059,7 @@ describe('createIdentityFromJwt', () => {
           accessTokenIssuer:
             'https://login.microsoftonline.com/9f15d2dc-8753-4f83-aac2-a58288d3a4bc/v2.0',
           aud: 'e5dd632b-cb97-48d7-a310-5147be717cde',
+          audDisplayName: 'infra-auth-auth-playground-dev',
           env: 'dev',
           realm: 'employees',
           claim: 'userName',
@@ -976,6 +1119,7 @@ describe('createIdentityFromJwt', () => {
           accessTokenIssuer:
             'https://login.microsoftonline.com/9f15d2dc-8753-4f83-aac2-a58288d3a4bc/v2.0',
           aud: 'e5dd632b-cb97-48d7-a310-5147be717cde',
+          audDisplayName: 'infra-auth-auth-playground-dev',
           env: 'dev',
           realm: 'employees',
           claim: 'userName',
@@ -1034,6 +1178,7 @@ describe('createIdentityFromJwt', () => {
           accessTokenIssuer:
             'https://login.microsoftonline.com/9f15d2dc-8753-4f83-aac2-a58288d3a4bc/v2.0',
           aud: 'e5dd632b-cb97-48d7-a310-5147be717cde',
+          audDisplayName: 'infra-auth-auth-playground-dev',
           env: 'dev',
           realm: 'employees',
           claim: 'email',
@@ -1092,6 +1237,7 @@ describe('createIdentityFromJwt', () => {
           accessTokenIssuer:
             'https://login.microsoftonline.com/9f15d2dc-8753-4f83-aac2-a58288d3a4bc/v2.0',
           aud: 'e5dd632b-cb97-48d7-a310-5147be717cde',
+          audDisplayName: 'infra-auth-auth-playground-dev',
           env: 'dev',
           realm: 'employees',
           claim: 'userName',
@@ -1150,6 +1296,7 @@ describe('createIdentityFromJwt', () => {
           accessTokenIssuer:
             'https://login.microsoftonline.com/9f15d2dc-8753-4f83-aac2-a58288d3a4bc/v2.0',
           aud: 'e5dd632b-cb97-48d7-a310-5147be717cde',
+          audDisplayName: 'infra-auth-auth-playground-dev',
           env: 'dev',
           realm: 'employees',
           claim: 'userName',
@@ -1208,6 +1355,7 @@ describe('createIdentityFromJwt', () => {
           accessTokenIssuer:
             'https://login.microsoftonline.com/9f15d2dc-8753-4f83-aac2-a58288d3a4bc/v2.0',
           aud: 'e5dd632b-cb97-48d7-a310-5147be717cde',
+          audDisplayName: 'infra-auth-auth-playground-dev',
           env: 'dev',
           realm: 'employees',
           claim: 'userName',
@@ -1266,6 +1414,7 @@ describe('createIdentityFromJwt', () => {
           accessTokenIssuer:
             'https://login.microsoftonline.com/9f15d2dc-8753-4f83-aac2-a58288d3a4bc/v2.0',
           aud: 'e5dd632b-cb97-48d7-a310-5147be717cde',
+          audDisplayName: 'infra-auth-auth-playground-dev',
           env: 'dev',
           realm: 'employees',
           claim: 'userName',
@@ -1325,6 +1474,7 @@ describe('createIdentityFromJwt', () => {
           accessTokenIssuer:
             'https://login.microsoftonline.com/9f15d2dc-8753-4f83-aac2-a58288d3a4bc/v2.0',
           aud: 'e5dd632b-cb97-48d7-a310-5147be717cde',
+          audDisplayName: 'infra-auth-auth-playground-dev',
           env: 'dev',
           realm: 'employees',
           claim: 'userName',
@@ -1381,6 +1531,7 @@ describe('createIdentityFromJwt', () => {
           accessTokenIssuer:
             'https://login.microsoftonline.com/9f15d2dc-8753-4f83-aac2-a58288d3a4bc/v2.0',
           aud: 'e5dd632b-cb97-48d7-a310-5147be717cde',
+          audDisplayName: 'infra-auth-auth-playground-dev',
           env: 'dev',
           realm: 'employees',
           claim: 'userName',

package/src/utils/createIdentityFromJwt.ts CHANGED Viewed

@@ -60,11 +60,12 @@ export function createIdentityFromJwt(jwt: any): Identity {
   const realm = getStringClaim(jwt, 'realm');
   const aud = getStringClaim(jwt, 'aud');
   const sub = getStringClaim(jwt, 'sub');
+  const audDisplayName = getOptionalStringClaim(jwt, 'displayName');
   const oid = getOptionalStringClaim(jwt, 'oid');
   const env = getOptionalStringClaim(jwt, 'env');
   const userType = getOptionalStringClaim(jwt, 'userType') ?? 'citizen';
   const accessTokenIssuer = getOptionalStringClaim(jwt, 'accessTokenIssuer');
-  const isGenericUser = jwt.isGenericAccount;
+  const isGenericUser = jwt.isGenericAccount === true;
   //----------< Anonymous user >-----------------------------------------
   if (userType === 'anonymous') {
@@ -83,6 +84,7 @@ export function createIdentityFromJwt(jwt: any): Identity {
       },
       source: {
         aud,
+        audDisplayName,
         issuer,
         accessTokenIssuer,
         env,
@@ -109,6 +111,7 @@ export function createIdentityFromJwt(jwt: any): Identity {
       },
       source: {
         aud,
+        audDisplayName,
         issuer,
         accessTokenIssuer,
         env,
@@ -137,6 +140,7 @@ export function createIdentityFromJwt(jwt: any): Identity {
       },
       source: {
         aud,
+        audDisplayName,
         issuer,
         accessTokenIssuer,
         env,
@@ -170,6 +174,7 @@ export function createIdentityFromJwt(jwt: any): Identity {
       },
       source: {
         aud,
+        audDisplayName,
         issuer,
         accessTokenIssuer,
         env,
@@ -189,47 +194,6 @@ export function createIdentityFromJwt(jwt: any): Identity {
     };
     return result;
   }
-  //----------< Generic user >-----------------------------------------
-  if (isGenericUser === true) {
-    const type = 'user';
-    const subType = 'generic-user';
-    const username = getStringClaim(jwt, usernameClaimName, type, subType);
-    const result: GenericUserIdentity = {
-      type,
-      id: username,
-      displayName: getStringClaim(jwt, 'name', type, subType),
-      attributes: {
-        type: 'generic',
-        username,
-        email: getOptionalStringClaim(jwt, 'email'),
-        department: getOptionalStringClaim(jwt, 'department'),
-        firstName: getStringClaim(jwt, 'givenName', type, subType),
-        lastName: getStringClaim(jwt, 'familyName', type, subType),
-        accountProfile: getAccountProfile(jwt),
-      },
-      source: {
-        aud,
-        issuer,
-        accessTokenIssuer,
-        env,
-        realm,
-        claim: usernameClaimName,
-        internalId: oid ?? sub,
-      },
-      toString(this: GenericUserIdentity) {
-        return encodeComponents(
-          this.type,
-          this.attributes.type,
-          this.id,
-          this.displayName,
-          this.attributes.email,
-          this.attributes.department,
-          this.attributes.accountProfile
-        );
-      },
-    };
-    return result;
-  }
   //----------< Employee >-----------------------------------------
   if (userType === 'employee' && isEmployee(jwt)) {
     const type = 'user';
@@ -251,9 +215,11 @@ export function createIdentityFromJwt(jwt: any): Identity {
         firstName: getStringClaim(jwt, 'givenName', type, subType),
         lastName: getStringClaim(jwt, 'familyName', type, subType),
         accountProfile: getAccountProfile(jwt),
+        isGeneric: isGenericUser,
       },
       source: {
         aud,
+        audDisplayName,
         issuer,
         accessTokenIssuer,
         env,
@@ -296,9 +262,11 @@ export function createIdentityFromJwt(jwt: any): Identity {
         firstName: getStringClaim(jwt, 'givenName', type, subType),
         lastName: getStringClaim(jwt, 'familyName', type, subType),
         accountProfile: getAccountProfile(jwt),
+        isGeneric: isGenericUser,
       },
       source: {
         aud,
+        audDisplayName,
         issuer,
         accessTokenIssuer,
         env,
@@ -340,6 +308,7 @@ export function createIdentityFromJwt(jwt: any): Identity {
       },
       source: {
         aud,
+        audDisplayName,
         issuer,
         accessTokenIssuer,
         env,
@@ -360,6 +329,48 @@ export function createIdentityFromJwt(jwt: any): Identity {
     };
     return result;
   }
+  //----------< Generic user >-----------------------------------------
+  if (isGenericUser) {
+    const type = 'user';
+    const subType = 'generic-user';
+    const username = getStringClaim(jwt, usernameClaimName, type, subType);
+    const result: GenericUserIdentity = {
+      type,
+      id: username,
+      displayName: getStringClaim(jwt, 'name', type, subType),
+      attributes: {
+        type: 'generic',
+        username,
+        email: getOptionalStringClaim(jwt, 'email'),
+        department: getOptionalStringClaim(jwt, 'department'),
+        firstName: getStringClaim(jwt, 'givenName', type, subType),
+        lastName: getStringClaim(jwt, 'familyName', type, subType),
+        accountProfile: getAccountProfile(jwt),
+      },
+      source: {
+        aud,
+        audDisplayName,
+        issuer,
+        accessTokenIssuer,
+        env,
+        realm,
+        claim: usernameClaimName,
+        internalId: oid ?? sub,
+      },
+      toString(this: GenericUserIdentity) {
+        return encodeComponents(
+          this.type,
+          this.attributes.type,
+          this.id,
+          this.displayName,
+          this.attributes.email,
+          this.attributes.department,
+          this.attributes.accountProfile
+        );
+      },
+    };
+    return result;
+  }
   //----------< Unknown user type >-----------------------------------------
   const username = getOptionalStringClaim(jwt, usernameClaimName);
   const email = getOptionalStringClaim(jwt, 'email');
@@ -383,6 +394,7 @@ export function createIdentityFromJwt(jwt: any): Identity {
       },
       source: {
         aud,
+        audDisplayName,
         issuer,
         accessTokenIssuer,
         env,
@@ -415,6 +427,7 @@ export function createIdentityFromJwt(jwt: any): Identity {
     },
     source: {
       aud,
+      audDisplayName,
       issuer,
       accessTokenIssuer,
       env,