如何获取 Azure AD OAuth 登录的登录用户配置文件? [英] How do I get the logged in users profile for Azure AD OAuth logins?

问题描述

从 用于 Azure AD v2 登录的 JavaScript OAuth2 流程没有提供 access_token，我正在尝试找出要使用的最佳端点，以获取登录用户的详细信息(例如，显示名称、电子邮件、等等).

Following on from JavaScript OAuth2 flow for Azure AD v2 login does not give an access_token, I'm trying to figure out the best endpoint to use, to get the logged in users details (eg, display name, email, etc.).

但是，我注意到我可以使用 2 个潜在的端点

However, I noticed in there are 2 potential endpoints I can use

1. https://outlook.office.com/api/v2.0/me
2. https://graph.microsoft.com/v1.0/me

1，用于 bell forhapijs 并记录在 使用Outlook REST API.但是，在贝尔，我似乎无法弄清楚我需要让它为 OAuth 2.0 工作的 scope.我已经尝试过 openid、email、profile、Mail.Read(只是因为我见过它在一些文档中)和 User.Read，但前 3 个作用域不会按照 用于 Azure AD v2 登录的 JavaScript OAuth2 流不提供 access_token，最后 2 个(Mail.Read 和 User.Read)给了我一个 access_token，但他们给了我身份验证调用 https://outlook.office.com/api/v2.0/me 时出现问题 with Authorization: 'Bearer [access_token].

1, is used in bell for hapijs and is documented in Use the Outlook REST API. However, in bell, I can't seem to figure out the scope I need to get it working for OAuth 2.0. I've tried openid, email, profile, Mail.Read (only trying this because I've seen it in some docs), and User.Read, but the first 3 scopes don't give back a access_token as per JavaScript OAuth2 flow for Azure AD v2 login does not give an access_token, and the last 2 (Mail.Read, and User.Read) give me an access_token, but they give me authentication issues when calling https://outlook.office.com/api/v2.0/me with Authorization: 'Bearer [access_token].

我在 Microsoft Graph: Get user 它似乎适用于 User.Read 范围.我使用返回的 access_token 得到以下响应:

I found the endpoint for 2 at Microsoft Graph: Get user and it seems to work with the User.Read scope. I get the following response using the access_token returned:

{
  '@odata.context': 'https://graph.microsoft.com/v1.0/$metadata#users/$entity',
  id: '60...',
  userPrincipalName: 'some@email.com',
  businessPhones: [],
  displayName: null,
  jobTitle: null,
  mail: null,
  mobilePhone: null,
  officeLocation: null,
  preferredLanguage: null
}

这里回复的问题是没有明确的电子邮件字段，但我想我可以 只使用 userPrincipalName (userPrincipalName也用于 bell Azure AD 提供程序)

The problem with the response here is that there isn't an explicit email field, but I guess I can just use userPrincipalName (the userPrincipalName is also used for the bell Azure AD provider)

所以我的问题是我应该使用哪个端点?还是在其他地方还有一个?

So my question is which endpoint am I supposed to use? Or is there another one somewhere else?

推荐答案

您绝对应该为此使用 Microsoft Graph，并且 /v1.0/me 端点是检索用户配置文件的正确 URI信息.

You should absolutely use Microsoft Graph for this and the /v1.0/me endpoint is the correct URI for retrieving the user's profile information.

至于查找他们的电子邮件地址，您可以提取一些潜在的属性:

As for finding their email address, there are a few potential properties you could pull:

• mail:这是用户的默认 SMTP 地址.如果它显示为 null，则表明该值未填充.通常这是由 Exchange 自动填充的，但根据租户的不同，它可能需要手动填充.

• mail: This is the default SMTP address for the user. If it is showing up as null, this suggests the value wasn't populated. Normally this is populated automatically by Exchange but depending on the tenant it may need to be manually populated.

proxyAddresses:这是与用户关联的地址数组.通常，您仅在需要显示用户的备用电子邮件别名(即 name@comp.com 和 firstname.lastname@comp.com)时才使用此属性.

proxyAddresses: This is an array of addresses associated with the user. Typically you only use this property when you need to surface a user's alternative email aliases (i.e. name@comp.com & firstname.lastname@comp.com).

如果您只寻找非常基本的信息(姓名和电子邮件)，您可以使用 OpenID Connect 并完全跳过 Microsoft Graph 调用.OpenID Connect 支持将用户的配置文件作为配置文件的一部分返回.

If you are only looking for very basic information (name and email) you be able to use OpenID Connect and skip the Microsoft Graph call entirely. OpenID Connect supports returning the user's profile as part of the profile.

要使用 OpenID Connect，您需要对授权请求进行一些更改(即对 https://login.microsoftonline.com/common/oauth2/v2.0/authorize):

To use OpenID Connect you need to make a couple of changes to your Authorization request (i.e. the initial call to https://login.microsoftonline.com/common/oauth2/v2.0/authorize):

1. response_type 必须包含 id_token.(例如.&response_type=id_token+code)
2. scope 必须包含 openid、profile 和 email(例如 &scope=openid 个人资料电子邮件 user.read).

1. The response_type must include id_token. (eg. &response_type=id_token+code)
2. The scope must include openid, profile, and email (eg. &scope=openid profile email user.read).

启用后，您将在访问令牌响应中收到一个名为 id_token 的附加属性.此属性包含一个 JSON Web 令牌 (JWT)，您可以对其进行解码并获取用户的个人资料信息:

When enabled, you will receive an additional property in your Access Token response named id_token. This property holds a JSON Web Token (JWT) that you can decode an obtain the user's profile information:

作为说明，我使用上述设置从我的测试 Azure AD 实例请求令牌.我拿了那个令牌并对其进行了解码(我使用了 http://jwt.ms/ 但 JWT 解码器可以工作)获取 OpenID Connect 配置文件:

As an illustration, I used the settings above to request a token from my test Azure AD instance. I took that token and decoded it (I used http://jwt.ms/ but JWT decoder would work) to get the OpenID Connect profile:

{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "{masked}"
}.{
  "aud": "{masked}",
  "iss": "https://login.microsoftonline.com/{masked}/v2.0",
  "iat": 1521825998,
  "nbf": 1521825998,
  "exp": 1521829898,
  "name": "Marc LaFleur",
  "nonce": "a3f6250a-713f-4098-98c4-8586b0ec084d",
  "oid": "f3cf77fe-17b6-4bb6-8055-6aa084df7d66",
  "preferred_username": "marc@officedev.ninja",
  "sub": "{masked}",
  "tid": "{masked}",
  "uti": "{masked}",
  "ver": "2.0"
}.[Signature]

这篇关于如何获取 Azure AD OAuth 登录的登录用户配置文件?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！