The OneLogin OpenID Connect Scopes Documentation for the profile scope shows that there is a picture available but with this disclaimer:
Note, these claims are returned if OneLogin has the information available.
In testing, I never get picture back when testing with a user that has a profile photo set. What I get has these attributes only:
{
"id_token": "",
"token_type": "Bearer",
"scope": "openid profile",
"profile": {
"sub": "",
"email": "",
"preferred_username": "",
"name": "",
"updated_at": 1614904145,
"given_name": "",
"family_name": "",
"sid": ""
},
"expires_at": 1615761073
}
Any tips on how to get the additional fields from OneLogin would be appreciated. Thx!
I reached out to OneLogin's dev support and I got a response in a few hours. I have verified that this works, here it is:
You should add a parameter to your OIDC app and map it to the field "Profile Picture" and then include the params scope in your ODIC call. (fro more details on scopes see https://developers.onelogin.com/openid-connect/scopes)
Note - what you get back is the URL of an image and it is not a binary blob of the actual photo.
Related
I have a requirement to check if logged in user is tenant admin or not using MS graph api. I tried below https://graph.microsoft.com/v1.0/me/ and get below response and there is nothing related to roles in below response. How to determine whether the below "id" is tenant Admin or not?
{
"#odata.context": "https://graph.microsoft.com/v1.0/$metadata#users/$entity",
"businessPhones": [],
"displayName": "",
"givenName": "",
"jobTitle": null,
"mail": "",
"mobilePhone": null,
"officeLocation": "",
"preferredLanguage": ,
"surname": "",
"userPrincipalName": "",
"id": "Guid"
}
You can use Get https://graph.microsoft.com/v1.0/me/memberOf to implement your requirement.
If the first item of the value in the api response data is Company Administrator, the logged in user is admin. If not, the user is not admin (shown as below screenshot).
I have registered app in Azure. I https://graph.microsoft.com/v1.0/users to get userinfo.
Is there any option to get all info about user? And see what data can I get in JSON reponse?
Now when I use https://graph.microsoft.com/v1.0/users I get only couple information like:
{
"aio": "kjaldjsfhkjsadhflkdhsafkjadhsfa",
"amr": "[\"pwd\"]",
"family_name": "Picasso",
"given_name": "Pablo",
"ipaddr": "11.12.113.144",
"name": "Pablo Picasso",
"oid": "234234-2343-4343-43434-2342342",
"onprem_sid": "234234234-23-423-4-234-2-34-234",
"sub": "234233q45rtferfwverfwgw45grfg45g45",
"tid": "sdfkjgasdhjfgasjdhfgashjdfgasdhjf",
"unique_name": "pablo.picasso#company.com",
"upn": "pablo.picasso#company.com",
"uti": "kajshdfkljahsdfkjahsdkjfahsd",
"ver": "1.0"
}
Actually I'm looking for username. We can login to Windows using shortcut or email. So if user name is Pablo Picasso user can login with username PaPi. And I'm looking for that.
Considering, you already know how to get token. Now see below example
If you want to fetch employeeId or identities or officeLocation using Microsoft Graph API.
try following way:
Request:
https://graph.microsoft.com/v1.0/users?$select=employeeId ,identities ,officeLocation
Response:
{
"#odata.context": "https://graph.microsoft.com/v1.0/$metadata#users(employeeId,identities,officeLocation)",
"#odata.nextLink": "https://graph.microsoft.com/v1.0/users?$select=employeeId+%2cidentities+%2cofficeLocation&$skiptoken=X%27445370740",
"value": [
{
"employeeId": 0200010000001C3A54696E614068616E,
"officeLocation": Redmond, Usa,
"identities": [
{
"signInType": "userPrincipalName",
"issuer": "someEmail.onmicrosoft.com",
"issuerAssignedId": "tenant.onmicrosoft.com"
}
]
}
}
See the screen shot below:
Please refer to Official document if you need more details.
Thanks Md Farid Uddin Kiron
My workaround with all fields (without mailboxSettings because get error 403 access denied)
https://graph.microsoft.com/v1.0/me?$select=aboutMe,accountEnabled,ageGroup,assignedLicenses,assignedPlans,birthday,businessPhones,city,companyName,consentProvidedForMinor,country,createdDateTime,creationType,deletedDateTime,department,displayName,employeeId,faxNumber,givenName,hireDate,id,identities,imAddresses,mailNickname,mobilePhone,mySite,officeLocation,onPremisesDistinguishedName,onPremisesDomainName,onPremisesExtensionAttributes,onPremisesImmutableId,onPremisesLastSyncDateTime,onPremisesProvisioningErrors,onPremisesSamAccountName,onPremisesSecurityIdentifier,onPremisesSyncEnabled,onPremisesUserPrincipalName,otherMails,passwordPolicies,passwordProfile,pastProjects,postalCode,preferredDataLocation,preferredLanguage,preferredName,provisionedPlans,proxyAddresses,refreshTokensValidFromDateTime,responsibilities,schools,showInAddressList,skills,signInSessionsValidFromDateTime,state,streetAddress,surname,usageLocation,userPrincipalName,userType,interests,isResourceAccount,jobTitle,lastPasswordChangeDateTime,legalAgeGroupClassification,licenseAssignmentStates,mail
I'm using the Microsoft Graph Users API to validate a list of user names or email addresses against our ActiveDirectory. The name search:
https://graph.microsoft.com/v1.0/me/people/?$search=john.smith
returns additional data such as officeLocation and jobTitle. But if I use the email search:
https://graph.microsoft.com/v1.0/users/john.smith#company.com
these additional fields are empty. I've enabled these API permissions in Azure:
People.Read
User.Read
User.ReadBasic.All
email
Do I need additional permissions to get the same data?
Update: I tried this in https://developer.microsoft.com/en-us/graph/graph-explorer as suggested below and it works, but Graph Explorer comes with these permissions by default which can't be disabled:
Calendars.ReadWrite
Contacts.ReadWrite
Directory.Read.All
Files.ReadWrite.All
Mail.ReadWrite
Notes.ReadWrite.All
openid
People.Read
Sites.ReadWrite.All
Tasks.ReadWrite
User.ReadBasic.All
User.ReadWrite
Update 2: I'm using Python 3.7 so I borrowed device_flow_session() from https://github.com/microsoftgraph/python-sample-console-app/blob/master/helpers.py#L25. The data I get back from https://graph.microsoft.com/me/people/?$search=John.Smith looks like:
{
"#odata.context": "https://graph.microsoft.com/v1.0/$metadata#users("XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX")/people",
"value": [{
"id": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
"displayName": "John Smith",
"givenName": "John",
"surname": "Smith",
"birthday": "",
"personNotes": "",
"isFavorite": False,
"jobTitle": "Software Engineer",
"companyName": "Company",
"yomiCompany": "",
"department": "Fish",
"officeLocation": "London",
"profession": "",
"userPrincipalName": "John.Smith#company.com",
"imAddress": "sip:John.Smith#company.com",
"scoredEmailAddresses": [{
"address": "John.Smith#company.com",
"relevanceScore": -6.0991198031917175,
"selectionLikelihood": "notSpecified"
}
],
"phones": [],
"postalAddresses": [],
"websites": [],
"personType": {
"class": "Person",
"subclass": "OrganizationUser"
}
}
]
}
Whereas the data from https://graph.microsoft.com/users/John.Smith#company.com is:
{
"#odata.context": "https://graph.microsoft.com/v1.0/$metadata#users/$entity",
"businessPhones": [],
"displayName": "John Smith",
"givenName": "John",
"jobTitle": None,
"mail": "John.Smith#company.com",
"mobilePhone": None,
"officeLocation": None,
"preferredLanguage": None,
"surname": "Smith",
"userPrincipalName": "John.Smith#company.com",
"id": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
}
Based on my test, I found that the information obtained by these two APIs came from different places.
"officeLocation" returned from /me/people seems to be maintained in SharePoint. You can sign in https://apc.delve.office.com/?u=3df5295a-e4b1-46fe-8969-e715ccd11077&v=editprofile to check it.
"officeLocation" returned from /me or /users/{id | userPrincipalName} is maintained in Azure AD. So you can check it in Azure AD -> Users.
After I update the "Office" in Azure AD, I query with the two endpoints. But they gave me two different result. One (/me/people) is old and the other one (/users/{id | userPrincipalName}) is new. Maybe this will take some time to synchronize. Or maybe they won't sync.
I also test it in Microsoft Graph Explorer. And the "officeLocation"s are different as well. So I'm not sure why Microsoft Graph Explorer works fine for you. But you can dig it along with my ideas.
I hope my findings will be helpful to you.
Each "service" in the Graph (Active Directory, Exchange, SharePoint, etc.) make decisions on the data to return by default in calls. These decisions are made to best suit Microsoft in running the service, not necessarily what callers need. ;) I suggest adding the $select parameter to specify the attributes you require.
From https://learn.microsoft.com/en-us/graph/query-parameters#select-parameter:
Important: In general, we recommend that you use $select to limit the
properties returned by a query to those needed by your app. This is
especially true of queries that might potentially return a large
result set. Limiting the properties returned in each row will reduce
network load and help improve your app's performance.
In v1.0, some Azure AD resources that derive from directoryObject,
like user and group, return a limited, default subset of properties on
reads. For these resources, you must use $select to return properties
outside of the default set.
During the creation of a batch of users in Azure AD by using the Graph API version 1.0 I receive the followiing error message:
Property has an invalid value
As you can see, there is not property name in the message, so I can't understand the real problem. What I can say is that those users have no particular conditions among the all others successfully created.
Any ideas?
Update 1:
As people asked, below are the post data. Since there is sensitive data, I have to changed names and som other personal data:
POST https://graph.microsoft.com/v1.0/users
And the JSON payload:
{
"accountEnabled": false,
"country": "BR",
"displayName": "Jane Sagan",
"givenName": "Jane",
"mailNickname": "jane.sagan",
"otherMails": [
"jane.sagan.#gmail.com"
],
"passwordProfile": {
"forceChangePasswordNextSignIn": false,
"password": "J#n3Sa8aN"
},
"surname": "Sagan",
"usageLocation": "BR",
"userPrincipalName": "jane.sagan#university.br",
"userType": "Member"
}
The property "otherMails" doesn't support the format "jane.sagan.#gmail.com".
Username cannot end with '.' in O365. You can have a try (create a user whose username ends with '.') in O365 portal to verify it.
I am using GitLab API v3 to do some operations on my private installation. Using private_token in GET URL is working fine. e.g.
GET http://git.example.com/api/v3/projects?=private_token=xyz123
But in order to make this possible, you need a private_token. There is one sure way to get it - from your account settings. But I want my users to use their email id/ login id and password to retrieve the private key and use it from there for rest of the operations.
I used following GET url and it is doing nothing for me:
GET http://git.example.com/api/v3/session?login=xyzuser&password=xyzpassword
Ideally as per GitLab documentation, I should get a JSON as follows -
{
"id": 1,
"username": "john_smith",
"email": "john#example.com",
"name": "John Smith",
"private_token": "dd34asd13as",
"blocked": false,
"created_at": "2012-05-23T08:00:58Z",
"bio": null,
"skype": "",
"linkedin": "",
"twitter": "",
"dark_scheme": false,
"theme_id": 1,
"is_admin": false,
"can_create_group" : true,
"can_create_team" : true,
"can_create_project" : true
}
If I get this, I can get private_token and work from there.
What am I doing wrong?
You need to POST the data as stated in the api (http://api.gitlab.org/session.html).
Be aware that if you do this action on a http port (instead of using https) that the password is send in plain text to the server.