How do I get the logged in users profile for Azure AD OAuth logins?

此生再无相见时 submitted on 2019-12-02 05:08:47

You should absolutely use Microsoft Graph for this and the /v1.0/me endpoint is the correct URI for retrieving the user's profile information.

As for finding their email address, there are a few potential properties you could pull:

  • mail: This is the default SMTP address for the user. If it is showing up as null, this suggests the value wasn't populated. Normally this is populated automatically by Exchange but depending on the tenant it may need to be manually populated.

  • proxyAddresses: This is an array of addresses associated with the user. Typically you only use this property when you need to surface a user's alternative email aliases (i.e. name@comp.com & firstname.lastname@comp.com).

If you are only looking for very basic information (name and email) you may be able to use OpenID Connect and skip the Microsoft Graph call entirely. OpenID Connect supports returning the user's profile as part of the profile.

To use OpenID Connect you need to make a couple of changes to your Authorization request (i.e. the initial call to https://login.microsoftonline.com/common/oauth2/v2.0/authorize):

  1. The response_type must include id_token (e.g. &response_type=id_token+code).
  2. The scope must include openid, profile, and email (e.g. &scope=openid profile email user.read).

When enabled, you will receive an additional property in your Access Token response named id_token. This property holds a JSON Web Token (JWT) that you can decode and obtain the user's profile information:

As an illustration, I used the settings above to request a token from my test Azure AD instance. I took that token and decoded it (I used http://jwt.ms/ but any JWT decoder would work) to get the OpenID Connect profile:

{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "{masked}"
}.{
  "aud": "{masked}",
  "iss": "https://login.microsoftonline.com/{masked}/v2.0",
  "iat": 1521825998,
  "nbf": 1521825998,
  "exp": 1521829898,
  "name": "Marc LaFleur",
  "nonce": "a3f6250a-713f-4098-98c4-8586b0ec084d",
  "oid": "f3cf77fe-17b6-4bb6-8055-6aa084df7d66",
  "preferred_username": "marc@officedev.ninja",
  "sub": "{masked}",
  "tid": "{masked}",
  "uti": "{masked}",
  "ver": "2.0"
}.[Signature]
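Added example (editor's code, not part of the answer above): it builds the hybrid authorize request the answer describes (response_type=id_token+code, scope=openid profile email user.read) and then checks the id_token claims an application must verify before trusting the profile in it: aud against its own client_id, iss against the tenant in tid, the nonce it sent, and the nbf/exp window. The endpoint, scopes and claim names come from the answer; the client_id, tenant id, redirect_uri, response_mode=form_post and the sample token (same claims as the decoded token above, with a fake signature) are constructed assumptions. Signature verification against the tenant's JWKS is a separate mandatory step that needs network access and is deliberately not shown.

```python
"""Build the OIDC authorize request and validate id_token claims (editor's example)."""
import base64
import json
import secrets
import time
import urllib.parse
from typing import Dict, Optional, Tuple

AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"


def build_authorize_url(client_id: str, redirect_uri: str, nonce: str, state: str) -> str:
    """Hybrid-flow request with the OIDC scopes the answer lists.
    nonce binds the returned id_token to this request; state protects the redirect."""
    params = {
        "client_id": client_id,
        "response_type": "id_token code",
        "redirect_uri": redirect_uri,
        "response_mode": "form_post",  # assumption: keep the id_token out of the query string
        "scope": "openid profile email user.read",
        "nonce": nonce,
        "state": state,
    }
    return AUTHORIZE_ENDPOINT + "?" + urllib.parse.urlencode(params)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt(token: str) -> Tuple[Dict, Dict]:
    """Split a compact JWT into header and payload dicts (no signature check here)."""
    header_b64, payload_b64, _signature = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))


def validate_id_token_claims(token: str, client_id: str, expected_nonce: str,
                             now: Optional[int] = None, skew: int = 300) -> Dict:
    """Claim checks to run after (not instead of) verifying the RS256 signature
    against the tenant's JWKS from the OIDC discovery document."""
    now = int(time.time()) if now is None else now
    header, claims = decode_jwt(token)
    if header.get("alg") != "RS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    if claims.get("aud") != client_id:
        raise ValueError("id_token was issued for another application")
    # With the /common endpoint the issuer is tenant-specific; its tenant must match tid.
    expected_iss = "https://login.microsoftonline.com/%s/v2.0" % claims.get("tid")
    if claims.get("iss") != expected_iss:
        raise ValueError("unexpected issuer %r" % claims.get("iss"))
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: token is not bound to this login request")
    if now + skew < claims.get("nbf", 0) or now - skew > claims.get("exp", 0):
        raise ValueError("id_token is outside its nbf/exp validity window")
    # oid is the stable user identifier; preferred_username is mutable and is not
    # guaranteed to be a mailbox, so keep both and the optional email claim separate.
    return {"oid": claims["oid"], "name": claims.get("name"),
            "preferred_username": claims.get("preferred_username"),
            "email": claims.get("email")}


def _make_sample_token(claims: Dict) -> str:
    """Constructed, unsigned sample in the shape shown in the answer (fake signature)."""
    def enc(obj: Dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = {"typ": "JWT", "alg": "RS256", "kid": "masked"}
    return ".".join([enc(header), enc(claims), "signature"])


SAMPLE_CLIENT_ID = "00000000-0000-0000-0000-000000000001"  # constructed
SAMPLE_TID = "11111111-1111-1111-1111-111111111111"        # constructed
SAMPLE_NONCE = "a3f6250a-713f-4098-98c4-8586b0ec084d"
SAMPLE_CLAIMS = {  # same claims as the decoded token in the answer, masked values filled in
    "aud": SAMPLE_CLIENT_ID,
    "iss": "https://login.microsoftonline.com/%s/v2.0" % SAMPLE_TID,
    "iat": 1521825998, "nbf": 1521825998, "exp": 1521829898,
    "name": "Marc LaFleur",
    "nonce": SAMPLE_NONCE,
    "oid": "f3cf77fe-17b6-4bb6-8055-6aa084df7d66",
    "preferred_username": "marc@officedev.ninja",
    "sub": "masked", "tid": SAMPLE_TID, "uti": "masked", "ver": "2.0",
}
SAMPLE_ID_TOKEN = _make_sample_token(SAMPLE_CLAIMS)

if __name__ == "__main__":
    print(build_authorize_url(SAMPLE_CLIENT_ID, "https://localhost/signin-oidc",
                              nonce=secrets.token_urlsafe(16), state=secrets.token_urlsafe(16)))
    # Evaluate at the sample token's own issue time so the 2018 claims are still in window.
    print(validate_id_token_claims(SAMPLE_ID_TOKEN, SAMPLE_CLIENT_ID, SAMPLE_NONCE, now=1521826000))
```

Store the nonce and state server-side (session) when you build the URL, and compare the nonce from the id_token against the stored one rather than against anything in the callback request; a token whose nonce, aud or issuer tenant does not match must be rejected even if it decodes cleanly.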

The ID Token and Access Token can return attributes like display name, email, etc.

Sample ID Token.

See "Select Application claims" here: Azure Active Directory B2C: Built-in policies

Select Application claims. Choose claims you want returned in the authorization tokens sent back to your application after a successful sign-up or sign-in experience. For example, select Display Name, Identity Provider, Postal Code, User is new and User's Object ID.
