如何获得Azure AD OAuth登录的登录用户配置文件? [英] How do I get the logged in users profile for Azure AD OAuth logins?

问题描述

继

Following on from JavaScript OAuth2 flow for Azure AD v2 login does not give an access_token, I'm trying to figure out the best endpoint to use, to get the logged in users details (eg, display name, email, etc.).

但是，我发现我可以使用2个潜在的端点

However, I noticed in there are 2 potential endpoints I can use

1. https://outlook.office.com/api/v2.0/me
2. https://graph.microsoft.com/v1.0/me

1. https://outlook.office.com/api/v2.0/me
2. https://graph.microsoft.com/v1.0/me

1，用于 bell for hapijs ，并记录在使用中Outlook REST API .但是，按钟声，我似乎无法弄清楚scope我需要使其在OAuth 2.0上正常工作.我尝试了openid，email，profile，Mail.Read(仅尝试此操作，因为我在某些文档中已经看到过)和User.Read，但前3个作用域并没有给access_token根据 https://outlook.office.com/api/v2.0/me和Authorization: 'Bearer [access_token].

1, is used in bell for hapijs and is documented in Use the Outlook REST API. However, in bell, I can't seem to figure out the scope I need to get it working for OAuth 2.0. I've tried openid, email, profile, Mail.Read (only trying this because I've seen it in some docs), and User.Read, but the first 3 scopes don't give back a access_token as per JavaScript OAuth2 flow for Azure AD v2 login does not give an access_token, and the last 2 (Mail.Read, and User.Read) give me an access_token, but they give me authentication issues when calling https://outlook.office.com/api/v2.0/me with Authorization: 'Bearer [access_token].

我在

I found the endpoint for 2 at Microsoft Graph: Get user and it seems to work with the User.Read scope. I get the following response using the access_token returned:

{
  '@odata.context': 'https://graph.microsoft.com/v1.0/$metadata#users/$entity',
  id: '60...',
  userPrincipalName: 'some@email.com',
  businessPhones: [],
  displayName: null,
  jobTitle: null,
  mail: null,
  mobilePhone: null,
  officeLocation: null,
  preferredLanguage: null
}

此处响应的问题是没有明确的电子邮件字段，但我想我可以

The problem with the response here is that there isn't an explicit email field, but I guess I can just use userPrincipalName (the userPrincipalName is also used for the bell Azure AD provider)

所以我的问题是我应该使用哪个端点?还是在其他地方?

So my question is which endpoint am I supposed to use? Or is there another one somewhere else?

推荐答案

您绝对应该为此使用Microsoft Graph，并且/v1.0/me端点是用于检索用户的配置文件信息的正确URI.

You should absolutely use Microsoft Graph for this and the /v1.0/me endpoint is the correct URI for retrieving the user's profile information.

关于查找其电子邮件地址，您可以选择一些潜在属性:

As for finding their email address, there are a few potential properties you could pull:

• mail:这是用户的默认SMTP地址.如果显示为空，则表明未填充该值.通常，这是由Exchange自动填充的，但是根据租户的情况，可能需要手动填充.

• mail: This is the default SMTP address for the user. If it is showing up as null, this suggests the value wasn't populated. Normally this is populated automatically by Exchange but depending on the tenant it may need to be manually populated.

proxyAddresses:这是与用户关联的地址的数组.通常，仅在需要显示用户的备用电子邮件别名(即name@comp.com和firstname.lastname@comp.com)时才使用此属性.

proxyAddresses: This is an array of addresses associated with the user. Typically you only use this property when you need to surface a user's alternative email aliases (i.e. name@comp.com & firstname.lastname@comp.com).

如果您只想查找非常基本的信息(名称和电子邮件)，则可以使用OpenID Connect并完全跳过Microsoft Graph调用. OpenID Connect支持将用户的个人资料作为个人资料的一部分返回.

If you are only looking for very basic information (name and email) you be able to use OpenID Connect and skip the Microsoft Graph call entirely. OpenID Connect supports returning the user's profile as part of the profile.

要使用OpenID Connect，您需要对授权请求进行几处更改(即，对https://login.microsoftonline.com/common/oauth2/v2.0/authorize的初始调用):

To use OpenID Connect you need to make a couple of changes to your Authorization request (i.e. the initial call to https://login.microsoftonline.com/common/oauth2/v2.0/authorize):

1. response_type必须包含id_token. (例如&response_type=id_token+code)
2. scope必须包含openid，profile和email(例如&scope=openid profile email user.read).

1. The response_type must include id_token. (eg. &response_type=id_token+code)
2. The scope must include openid, profile, and email (eg. &scope=openid profile email user.read).

启用后，您将在访问令牌响应中收到名为id_token的其他属性.此属性包含一个JSON Web令牌(JWT)，您可以对其解码以获取用户的个人资料信息:

When enabled, you will receive an additional property in your Access Token response named id_token. This property holds a JSON Web Token (JWT) that you can decode an obtain the user's profile information:

作为说明，我使用上面的设置从测试的Azure AD实例请求令牌.我拿了那个令牌并对其进行了解码(我使用了 http://jwt.ms/但JWT解码器可以工作)获取OpenID Connect配置文件:

As an illustration, I used the settings above to request a token from my test Azure AD instance. I took that token and decoded it (I used http://jwt.ms/ but JWT decoder would work) to get the OpenID Connect profile:

{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "{masked}"
}.{
  "aud": "{masked}",
  "iss": "https://login.microsoftonline.com/{masked}/v2.0",
  "iat": 1521825998,
  "nbf": 1521825998,
  "exp": 1521829898,
  "name": "Marc LaFleur",
  "nonce": "a3f6250a-713f-4098-98c4-8586b0ec084d",
  "oid": "f3cf77fe-17b6-4bb6-8055-6aa084df7d66",
  "preferred_username": "marc@officedev.ninja",
  "sub": "{masked}",
  "tid": "{masked}",
  "uti": "{masked}",
  "ver": "2.0"
}.[Signature]

这篇关于如何获得Azure AD OAuth登录的登录用户配置文件?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！