How do I get the logged in users profile for Azure AD OAuth logins?

一生所求 2021-01-22 02:18

Following on from JavaScript OAuth2 flow for Azure AD v2 login does not give an access_token, I'm trying to figure out the best endpoint to use, to get the logged in user's deta

2 answers
  • 2021-01-22 02:34

    You should absolutely use Microsoft Graph for this and the /v1.0/me endpoint is the correct URI for retrieving the user's profile information.

    As for finding their email address, there are a few potential properties you could pull:

    • mail: This is the default SMTP address for the user. If it is showing up as null, this suggests the value wasn't populated. Normally this is populated automatically by Exchange but depending on the tenant it may need to be manually populated.

    • proxyAddresses: This is an array of addresses associated with the user. Typically you only use this property when you need to surface a user's alternative email aliases (i.e. name@comp.com & firstname.lastname@comp.com).

    If you are only looking for very basic information (name and email) you should be able to use OpenID Connect and skip the Microsoft Graph call entirely. OpenID Connect supports returning the user's profile as part of the profile.

    To use OpenID Connect you need to make a couple of changes to your Authorization request (i.e. the initial call to https://login.microsoftonline.com/common/oauth2/v2.0/authorize):

    1. The response_type must include id_token. (eg. &response_type=id_token+code)
    2. The scope must include openid, profile, and email (eg. &scope=openid profile email user.read).

    When enabled, you will receive an additional property in your Access Token response named id_token. This property holds a JSON Web Token (JWT) that you can decode and obtain the user's profile information:

    As an illustration, I used the settings above to request a token from my test Azure AD instance. I took that token and decoded it (I used http://jwt.ms/ but any JWT decoder would work) to get the OpenID Connect profile:

    {
      "typ": "JWT",
      "alg": "RS256",
      "kid": "{masked}"
    }.{
      "aud": "{masked}",
      "iss": "https://login.microsoftonline.com/{masked}/v2.0",
      "iat": 1521825998,
      "nbf": 1521825998,
      "exp": 1521829898,
      "name": "Marc LaFleur",
      "nonce": "a3f6250a-713f-4098-98c4-8586b0ec084d",
      "oid": "f3cf77fe-17b6-4bb6-8055-6aa084df7d66",
      "preferred_username": "marc@officedev.ninja",
      "sub": "{masked}",
      "tid": "{masked}",
      "uti": "{masked}",
      "ver": "2.0"
    }.[Signature]
    
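The authorize-request changes and id_token decoding described in the answer above, as an added browser-side example that is not code from the answer. It assumes the app already handles the redirect and has generated its own nonce and state; client, tenant and redirect values are placeholders, and the sample token is constructed to mirror the decoded claims shown above.

```javascript
// Added example, not code from the answer above: build the authorize request it describes and
// read the profile claims from the returned id_token in the browser. IDs below are placeholders.
const AUTHORIZE = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize";
function buildAuthorizeUrl({ clientId, redirectUri, nonce, state }) {
  const params = new URLSearchParams({
    client_id: clientId,
    redirect_uri: redirectUri,
    response_type: "id_token code",          // id_token added so the profile comes back
    response_mode: "fragment",               // an id_token is not returned in the query string
    scope: "openid profile email user.read", // openid/profile/email unlock the claims
    nonce,                                   // echoed in the id_token; the client must verify it
    state,
  });
  return `${AUTHORIZE}?${params.toString()}`;
}

function base64UrlToString(b64url) {
  const b64 = b64url.replace(/-/g, "+").replace(/_/g, "/");
  const bin = atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4));
  return new TextDecoder().decode(Uint8Array.from(bin, (c) => c.charCodeAt(0)));
}
function idTokenClaims(idToken) {
  const parts = idToken.split(".");
  if (parts.length !== 3) throw new Error("id_token is not a compact JWS");
  return JSON.parse(base64UrlToString(parts[1]));   // payload; header is parts[0], signature parts[2]
}

// Decoding is not validation: check aud, issuer, expiry and the nonce first; JWKS signature checks are not shown.
function profileFromIdToken(idToken, { clientId, nonce, now = Date.now() / 1000 }) {
  const claims = idTokenClaims(idToken);
  if (claims.aud !== clientId) throw new Error("aud mismatch");
  if (!/^https:\/\/login\.microsoftonline\.com\/[^/]+\/v2\.0$/.test(claims.iss)) throw new Error("unexpected issuer");
  if (claims.nonce !== nonce) throw new Error("nonce mismatch");
  if (typeof claims.exp !== "number" || claims.exp <= now) throw new Error("id_token expired");
  // `email` appears only with the email scope; preferred_username is a hint, not a verified mailbox.
  return { name: claims.name, email: claims.email ?? claims.preferred_username, oid: claims.oid, tid: claims.tid };
}

// Helper and constructed sample token mirroring the answer's decoded output; the signature is a dummy.
const toBase64Url = (obj) => btoa(String.fromCharCode(...new TextEncoder().encode(JSON.stringify(obj))))
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE_NONCE = "a3f6250a-713f-4098-98c4-8586b0ec084d";
const SAMPLE_CLIENT_ID = "00000000-0000-0000-0000-000000000000";
const SAMPLE_ID_TOKEN = [
  toBase64Url({ typ: "JWT", alg: "RS256", kid: "placeholder" }),
  toBase64Url({ aud: SAMPLE_CLIENT_ID, iss: "https://login.microsoftonline.com/placeholder-tenant/v2.0",
    iat: 1521825998, nbf: 1521825998, exp: 1521829898, name: "Marc LaFleur", nonce: SAMPLE_NONCE,
    oid: "f3cf77fe-17b6-4bb6-8055-6aa084df7d66", preferred_username: "marc@officedev.ninja", ver: "2.0" }),
  "dummy-signature",
].join(".");
```

With a real token, `profileFromIdToken` is only the client-side sanity check; anything that grants access on the server still needs the signature verified against the tenant's published keys.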
  • 2021-01-22 02:41

    The ID Token and Access Token can return attributes like display name, email, etc.

    Sample ID Token.

    See "Select Application claims" here: Azure Active Directory B2C: Built-in policies

    Select Application claims. Choose claims you want returned in the authorization tokens sent back to your application after a successful sign-up or sign-in experience. For example, select Display Name, Identity Provider, Postal Code, User is new and User's Object ID.
