Search

MC798676 – Change coming to the format of IP addresses containing IPV4 embedded in IPV6 addresses within token claims

cloudscout.one Icon

check before: 2024-06-19

Product:

Microsoft 365 Apps, Microsoft 365 suite

Platform:

Web, World tenant

Status:

Change type:

User impact, Admin impact

Links:

Details:

Summary:
The format of IP addresses embedded in IPV6 within token claims is changing, impacting the 'ipaddr' claim in JWTs. Organizations using custom applications that depend on the string format of this claim need to update their code. The change takes effect on July 8th, 2024. No action is required if there's no dependency on the string format.

Details:
Note: If your organization does not use custom applications or your custom applications do not take a dependency on the string format of the ‘ipaddr’ claim from the access token or id token, there should not be any impact and no action is required.”
Action may be required: The format of IP addresses containing IPV4 embedded in IPV6 addresses within token claims is changing.
The Microsoft identity platform implements security tokens as JSON Web Tokens (JWTs) that contain claims. Claims are name or value pairs that relay facts about the token subject. Applications can use claims for the following various tasks: Validate the token, Identify the token subject's tenant, display user information, identify client’s IP Address etc.
One of the claims in the token is ‘ipaddr’ which is a string and refers to the IP address the user authenticates from.
The format of certain IPV6 addresses containing IPV4 address is altered to display as all IPV6 addresses. The impacted ipv6 addresses are those of a format xxxx:xxxx:xxxx:xxxx:200:5efe:xxxx:xxxx, i.e., where 7, 6, 5, and 4 octets have values '0x02, '0x00', '0x5e', '0xfe' correspondingly.
Currently these IP addresses are serialized with embedded ipv4 address like this: xxxx:xxxx:xxxx:xxxx:200:5efe:YYY.YYY.YYY.YYY, where 'YYY' is number from 0 to 255.
Once the changes go into effect, these IP Addresses will be serialized as xxxx:xxxx:xxxx:xxxx:200:5efe:xxxx:xxxx where x is a hex digit (0-9, a-f)
For example:
Current format: "2001:558:1416:0:200:5efe:169.152.178.93"
Format after the change: "2001:558:1416:0:200:5efe:a998:b25d"
Please note that despite the string format looking different, both IP addresses remain the same. The change would impact both access tokens and id tokens; and the affected claims is ‘ipaddr’ claim.
ClaimFormatDescription
ipaddrStringThe IP address the user authenticated from.

The ‘ipaddr’ claim is included in the V1.0 token if applicable and included in the V2.0 token if the application requests them using optional claims. Please look at Access token claims reference - Header claims for more details.
[When this will happen:]
The change will go into effect on July 8th, 2024.

Change Category:
XXXXXXX ...

Scope:
XXXXXXX ...

Release Phase:

Created:
2024-06-05

updated:
2024-06-05

the free basic plan is required to see all details. Sign up here


A cloudsocut.one plan is required to see all the changed details. If you are already a customer, choose login.
If you are new to cloudscout.one please choose a plan.


Last updated 1 month ago

Share to MS Teams

Login to your account

Welcome Back, We Missed You!