How to get email from Microsoft graph api oidc/userinfo endpoint - azure

I have setup oauth via azure, i have received an authorization_code which i have exchanged for an access_token. I am then attempting to use that access token to get userinfo data including the email as described in the docs (https://learn.microsoft.com/en-us/azure/active-directory/develop/userinfo). However in the response it does not return to me the email.
{
"sub": "<redacted>",
"name": "John Doe",
"family_name": "John",
"given_name": "Doe",
"picture": "https://graph.microsoft.com/v1.0/me/photo/$value"
}
The documentation suggests that in order for email to be returned in the response it requires the email scope. https://learn.microsoft.com/en-us/azure/active-directory/develop/userinfo#userinfo-response
However i believe i am already specifying that i want the email scope.
App Permissions
/oauth2/v2.0/token (the scope shows profile, openid, email and user.Read)
What am i missing?>

I tried to reproduce the same in my environment and got the below results:
I created one Azure AD application and added API permissions as below:
Now I generated the access token with same scope as you like below:
POST https://login.microsoftonline.com/common/oauth2/v2.0/token
client_id:app_id
grant_type:authorization_code
scope:https://graph.microsoft.com/User.Read
client_secret:secret
code:code
redirect_uri:redirect_uri
Response:
I used the above token to get user info data and got response without email like below:
GET https://graph.microsoft.com/oidc/userinfo
Response:
This is because the email field in user's profile is not set. So, I updated email field by editing user's properties.
Now I generated access token again and used it to get user info data and got response with email like below:
GET https://graph.microsoft.com/oidc/userinfo
Response:

Related

I can't get email or profile scopes for an Azure B2C application, nor can I call the OIDC UserInfo endpoint

I'm finding Azure B2C really confusing. Currently I am using oauth2_proxy behind an nginx ingress controller in a test (single node) AKS kubernetes environment. I have made a slight change to oauth2_proxy to redirect upon error to chain Workflows together (like password recovery link etc.) and everything is working so far. I get an authorisation cookie from oath2_proxy and the ingress controller lets me through.
My next step is to work out what the username is, and maybe gather some more informaton. I think I can get some of the information in the id_token, but I am failing to see "email" and "preferred_username". Apparently these are only available if my token has the "email" and "profile" scopes, but I cannot work out how to get those scopes on my B2C App.
Currently I have a test application. In it's API permissions area I have a single "read" permission so that I have a resource to request to get an access_token. I also have "email", "offline_access", "openid", "profile" and "User.Read" permissions from "Microsoft Graph" - all permissions are granted by the admin on the API permissions screen.
The process I have been following up to now for testing is to run a signin workflow, selecting my API in the resources dropdown. I then copy the "Code" into a token request in postman, and then try both the "https://graph.microsoft.com/v1.0/me" and the "https://graph.microsoft.com/oidc/userinfo" endpoints with both the "id_token" and the "access_token". Both of these respond with "InvalidAuthenticationToken", message "Access token validation failure".
I had since noticed that my resources dropdown still only contains "read" and "openid" access rights, so I have been copying the "run userflow" url and inserting the scopes for "email", "offline_access", "openid" and "profile". I have also ensured that my call to the "token" endpoint contains these scopes. The response from the token endpoint only returns scopes "read offline_access openid", so "profile" and "email" are missing.
I don't know how to configure my app registration in B2C so that the "email" and "profile" scopes become available. Since "openid" appears in the resource drop down, I would expect "email" and "profile to turn up in there, but they don't. My token calls definitely show that the scopes that I need are not returned.
My workflow url looks as follows:
https://********.b2clogin.com/********.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_signup_signin&client_id=********&nonce=defaultNonce&redirect_uri=https%3A%2F%2Fjwt.ms&scope=openid%20user.read%20email%20profile%20offline_access%20https%3A%2F%2F********.onmicrosoft.com%2Ftestapp%2Fread&response_type=code&prompt=login
My token call looks as follows (using the code value from the workflow):
https://********.b2clogin.com/********/b2c_1_signup_signin/oauth2/v2.0/token?grant_type=authorization_code&client_id=********&response_type=code&redirect_uri=https://jwt.ms&response_mode=query&scope=https://********.onmicrosoft.com/apptest/read openid offline_access email profile&code=******CODE FROM WORKFLOW CALLBACK******
Token response is like:
{
"access_token": "******BIG LONG BASE64******",
"id_token": "******BIG LONG BASE64******",
"token_type": "Bearer",
"not_before": 1591607270,
"expires_in": 3600,
"expires_on": 1591610870,
"resource": "********",
"id_token_expires_in": 3600,
"profile_info": "******BASE64******",
"scope": "https://********.onmicrosoft.com/testapp/read offline_access openid",
"refresh_token": "******BASE64******",
"refresh_token_expires_in": 1209600
}
OIDC endpoint call like this:
https://graph.microsoft.com/oidc/userinfo
HAS HEADERS
Content-Type: application/json
Authorization: Bearer ********BASE64 from access_token********
Any help would be appreciated. i.e. how do I return additional scopes + how do I call the OIDC UserInfo endpoint.
Thanks.
I struggled with a similar issue a while back, where I wanted my API to use the access token to look up user info. Azure AD does not work in a standards compliant way:
Calling User Info requires a separate graph token
You have to use a token exchange request to get the graph token
Here are some resources of mine which I think are related and will hopefully give you enough info to resolve your problem. I think right now you are getting the error from Step 14 of the blog post.
Token Exchange + User Info Lookup C# Code
Blog Post on Azure AD Settings related to Graph / User Info

Google OAuth2 cannot get profile info

I'm using the https://accounts.google.com/o/oauth2/auth? endpoint to obtain the id_token.
The scopes are openid profile email.
The problem is that when I try to verify that id_token I get iss, azp, aud, sub, email, email_verified, iat, exp, jti. And as you can see there is no any profile info like given_name, family_name, picture.
The official doc says that it should contain profile info:
// These seven fields are only included when the user has granted the "profile" and
// "email" OAuth scopes to the application.
"email": "testuser#gmail.com",
"email_verified": "true",
"name" : "Test User",
"picture": "https://lh4.googleusercontent.com/-kYgzyAWpZzJ/ABCDEFGHI/AAAJKLMNOP/tIXL9Ir44LE/s99-c/photo.jpg",
"given_name": "Test",
"family_name": "User",
"locale": "en"
All permissions are granted.
UPDATE
So in case anyone ever needs it.
As Vladimir Serykh mentioned, to get profile info we need to hit the /userinfo endpoint. But this endpoint takes access_token as a Bearer token in a Authorization header, so you need obtain that too.
So basically we need to call the OAuth2 with the response_type='id_token token' query parameter. After that the responseUrl will contain access_token too.
Next you just need to call the https://openidconnect.googleapis.com/v1/userinfo endpoint with a Authorization header set to Bearer your_access_token. You will get a response wiht the profile info:
"sub": "user_id",
"name": "Name Lastname",
"given_name": "Name",
"family_name": "Lastname",
"picture": "pic_url",
"email": "example#gmail.com",
"email_verified": true,
"locale": "en"
Thank you again, Vladimir Serykh
It's not very clear how old the documentation is (by the link you provided) and is it relevant to your case.
I know that different Identity Providers can work slightly different. And I know cases when you should make a separate call with obtained ID token to /userinfo endpoint to get user info.
There is some different Google documentation for Google Identity Platform.
It has description of ID tokens.
https://developers.google.com/identity/protocols/OpenIDConnect#obtainuserinfo
Google ID Tokens may contain the following fields (known as claims):
Notice that it doesn't have always in Provided column. I think that it could be different for different APIs.
The same docs have section "Obtaining user profile information"
It explains where to get the /userinfo endpoint URL and how to call it. In the response you should receive the info you need.
My guess why it's not working in your case is that you are using /tokeninfo endpoint. It's not a part of OpenID Connect standard. It just validates the token and parses it (does the same job as https://jwt.io). And the original ID token doesn't contain that claims for some reason. Therefore /tokeninfo endpoint doesn't return them to you.
But according to Google's documentation and you should use /userinfo endpoint to obtain user info claims.
You can find description of this endpoint in OpenID Connect specification:
https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
5.3 UserInfo endpoint
The UserInfo Endpoint is an OAuth 2.0 Protected Resource that returns Claims about the authenticated End-User. To obtain the requested Claims about the End-User, the Client makes a request to the UserInfo Endpoint using an Access Token obtained through OpenID Connect Authentication.

How I can get user info profile from Google API?

I have to implement signIn by google account.
I want to some suggestions.
I created project in google console. Added scope user info.profile
I'm following course instruction on internet, but I still cannot get userinfo ( email, name, age ... ).
Step:
Get code in url redirect_uri by client_id
Get token https://accounts.google.com/o/oauth2/token by code, client_id, client_secret ...
Try call to https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=accessToken to get info but only object
{
"azp": "155122683461-51hq2n932svo4ajbt98ic0q67m4tuj5o.apps.googleusercontent.com",
"aud": "155122683461-51hq2n932svo4ajbt98ic0q67m4tuj5o.apps.googleusercontent.com",
"sub": "108865940357700877124",
"scope": "https://www.googleapis.com/auth/userinfo.profile",
"exp": "1554094721",
"expires_in": "3326",
"access_type": "offline"
}
Can you guys give me an example :(
Thanks
people api
The infomration you are looking for can be found on people.get
GET https://people.googleapis.com/v1/{resourceName=people/*}
tip send Field mask with no space - person.emailAddresses,person.birthdays It reads form person info so the user will have had to fill in this information
However you will need to add the scopes to get the information you want
https://www.googleapis.com/auth/profile.emails.read
https://www.googleapis.com/auth/user.birthday.read
You can test it here Google Apis explorer
A node.js quick start for google people api can be found here
userinfo endpoint
The userinfo endpoint can also be used but it does not return the information you are looking for
You need to request the email scope to have seen email in the below response the user must grant you permission to see their email the following is standard response for profile scope only.
GET /oauth2/v2/userinfo HTTP/1.1
Host: www.googleapis.com
Content-length: 0
Authorization: Bearer ya29.GlveBiwp4-NTPLU9VN3rn1enty11KOdQHGcyfZd1xJ1Ee9eGS2Pw2nJ7KDUBQPa-uT-AoKDQdoVigU6bruVIB1a3fiBu1n
response
{
"picture": "https://lh5.googleusercontent.com/-a1CWlFnA5xE/AAAAAAAAAAI/AAAAAAAAl1I/UcwPajZOuN4/photo.jpg",
"name": "Linda Lawton",
"family_name": "Lawton",
"locale": "en",
"gender": "female",
"link": "https://plus.google.com/+LindaLawton",
"given_name": "Linda",
"id": "117200475532672775346"
}
scopes
You should consult the node tutorial for how to work with scopes. Remember you will need to request access of the user again if you change the scope in your code.
const SCOPES = ['profile', 'email'];

How to get user role claims in postman from Azure active directory?

I have a few users added to my Azure AD account, I would like to get the roles and user information on these users by calling an Azure API from Postman in the form of claims. I tried calling the following URL with the parameters as :
https://login.microsoftonline.com/myTenantId/oauth2/token
Body:
grant_type : password,
client_id : client id,
client secret : client secret
I receive the access_token in the encoded format in the response, When I decode it on https://jwt.io/ I see the decoded data, but there's no user roles in the access_token.
I would like to get the user information and the roles in the form of claims in same response.
What approach would I need to take on this ?
If the role you mentioned refers to directory role, the answer is no, it won't be returned in the token. Just like juunas said, you can call graph api to get directory role information.
If the role you mentioned refers to application role, the answer is yes, you can get the role information in id_token. The prerequisite is that you have assigned some roles to the user.
Here are the detailed steps. You can also refer to this article.
edit the manifest to add some custom roles.
Something like this.
{
"allowedMemberTypes": [
"User"
],
"displayName": "Test",
"id": "c200e304-fff3-49f1-a4df-e406741ea680",
"isEnabled": true,
"description": "Bla bla",
"value": "test"
}
2.assign users to roles.
Click Enterprise applications->All applications->
Click your application->click Users and groups->click Add user
role assign.
Here is the request to get id_token.
You will find the roles in id_token.

User Authentication Failed on CreateEnvelope

I encountered a new issue today when I tried to send a request with my new production account and the integrator key, newly promoted to Live status.
The API login succeeded, and it returns my AccountID.
However, when I try to create an envelope with envelopesApi.CreateEnvelope API call, I received the following error.
I tested the code with my demo account and key, couple of days ago. It was working fine. I think it is related to the key, because the login request was succeed.
DocuSign.eSign.Client.ApiException: 'Error calling CreateEnvelope: {
"errorCode": "USER_AUTHENTICATION_FAILED",
"message": "One or both of Username and Password are invalid."
}
Please let me know if there is anything else I need to do.
Often when the USER_AUTHENTICATION_FAILED error is received and you are positive the correct user/pwd combo is being provided it's because of the wrong account endpoint being accessed.
You need to parse sub-domain of the baseUrl that is returned from the Login API (property is called base_uri if using OAuth2) and configure your api client with that sub-domain.
When testing in demo it's ok if you miss this step since all accounts are under the demo.docusign.net sub-domain, however in production there are multiple sub-domains (ie. www, na2, eu, etc) so you need to re-configure once right after authentication.
Example:
The response to the Authentication: login API looks like:
{
"loginAccounts": [
{
"accountId": "123456",
"baseUrl": "https://na2.docusign.net/restapi/v2/accounts/123456",
"email": "jdoe#example.com",
"isDefault": "true",
"name": "LoanCo",
"siteDescription": "",
"userId": "abcdff66-f92e-4e8e-ab81-8c46f140",
"userName": "John Doe"
}
]
}
Then instantiate a new API client using the sub-domain that was returned in the login response:
ApiClient apiClient = new ApiClient("https://na2.docusign.net");

Resources