Skip to content Skip to sidebar Skip to footer

How Do I Get The Logged In Users Profile For Azure Ad Oauth Logins?

Following on from JavaScript OAuth2 flow for Azure AD v2 login does not give an access_token, I'm trying to figure out the best endpoint to use, to get the logged in users details

Solution 1:

You should absolutely use Microsoft Graph for this and the /v1.0/me endpoint is the correct URI for retrieving the user's profile information.

As for finding their email address, there are a few potential properties you could pull:

  • mail: This is the default SMTP address for the user. If it is showing up as null, this suggests the value wasn't populated. Normally this is populated automatically by Exchange but depending on the tenant it may need to be manually populated.

  • proxyAddresses: This is an array of addresses associated with the user. Typically you only use this property when you need to surface a user's alternative email aliases (i.e. name@comp.com & firstname.lastname@comp.com).

If you are only looking for very basic information (name and email) you be able to use OpenID Connect and skip the Microsoft Graph call entirely. OpenID Connect supports returning the user's profile as part of the profile.

To use OpenID Connect you need to make a couple of changes to your Authorization request (i.e. the initial call to https://login.microsoftonline.com/common/oauth2/v2.0/authorize):

  1. The response_type must include id_token. (eg. &response_type=id_token+code)
  2. The scope must include openid, profile, and email (eg. &scope=openid profile email user.read).

When enabled, you will receive an additional property in your Access Token response named id_token. This property holds a JSON Web Token (JWT) that you can decode an obtain the user's profile information:

As an illustration, I used the settings above to request a token from my test Azure AD instance. I took that token and decoded it (I used http://jwt.ms/ but JWT decoder would work) to get the OpenID Connect profile:

{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "{masked}"
}.{
  "aud": "{masked}",
  "iss": "https://login.microsoftonline.com/{masked}/v2.0",
  "iat": 1521825998,
  "nbf": 1521825998,
  "exp": 1521829898,
  "name": "Marc LaFleur",
  "nonce": "a3f6250a-713f-4098-98c4-8586b0ec084d",
  "oid": "f3cf77fe-17b6-4bb6-8055-6aa084df7d66",
  "preferred_username": "marc@officedev.ninja",
  "sub": "{masked}",
  "tid": "{masked}",
  "uti": "{masked}",
  "ver": "2.0"
}.[Signature]

Solution 2:

The ID Token and Access Token can return attributes like display name, email, etc.

Sample ID Token.

See "Select Application claims" here: Azure Active Directory B2C: Built-in policies

Select Application claims. Choose claims you want returned in the authorization tokens sent back to your application after a successful sign-up or sign-in experience. For example, select Display Name, Identity Provider, Postal Code, User is new and User's Object ID. select application claims screenshot

Post a Comment for "How Do I Get The Logged In Users Profile For Azure Ad Oauth Logins?"