This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(83.2, 39%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAS%3C/text%3E%3C/svg%3E)
I have a requirement to authenticate an Liferay DXP version 7.2 Application with Azure B2C.
I have configured my Azure B2C application and was able to authenticate and retrieve access-token. But I am not sure which endpoint should I provide to retrieve User Information , basically get UserInfoResponse response.
I have tried multiple endpoint URLs -
Request - https://login.microsoftonline.com/common/openid/userinfo
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJub25jZSI6Il…
Response - BLANK
Request - https://graph.microsoft.com/oidc/userinfo
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJub25jZSI6Il…
Response - "error" :{ "code": "InvalidAuthenticationToken",
"message": "Access token validation failure."... }
Request - https://graph.microsoft.com/v1.0/me
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJub25jZSI6Il…
Response - <Could not get response>
Below are the details of my authorization Request -
Response - state and code
Then I passed that code in token API -
Request - curl --location --request GET https://azurewithliferay.b2clogin.com/azurewithliferay.onmicrosoft.com/oauth2/v2.0/token?p=b2c_1\_liferay&grant_type=authorization_code&client_id=85f511b...&nonce=defaultNonce&scope=openid%\[application-client-id\]%20profile%20email&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fc%2Fportal%2Flogin%2Fopenidconnect&code=\[code from authorize request]&client_secret=[app secret key]
Response -
{
"access_token": "eyJ0eXAiOiJKV1QiL.....",
"id_token": "eyJ0eXAiOiJKV1QiLCJhbGciO.....",
"token_type": "Bearer",
"not_before": 1603306931,
"expires_in": 3600,
"expires_on": 1603310531,
"resource": "[application client id]",
"id_token_expires_in": 3600,
"profile_info": "eyJ2ZXIiOiIxLjAiLCJ0aW.....",
"scope": "/ openid"
}
On passing this access code I can get information from https://jwt.ms/.
But since my application framework liferay needs user information response by requesting UserInformationEndPoint with access token and expected response as com.nimbusds.openid.connect.sdk.UserInfoResponse.
Hello @AASTHA SAXENA · Welcome to QnA platform and thanks for your question.
The correct endpoint is https://graph.microsoft.com/v1.0/me but it requires at least the https://graph.microsoft.com/user.read permission which should be passed as scope value and B2C only uses offline_access and openid delegated permissions and not the user.read permission as mentioned in the screenshot below:
You need to use standard Azure AD OAuth flows in your B2C tenant for this purpose. Please refer to https://learn.microsoft.com/en-us/graph/auth-v2-service for more details.
-----------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Thanks @AmanpreetSingh-MSFT . I will try creating Azure AD OAuth flow with the steps u suggested.
Hi @AmanpreetSingh-MSFT , I tried the solution you provided.
Added permission to the app for - https://graph.microsoft.com/User.Read.All and added the same in the scope as well.
In openId connect provider configuration -
User Information endpoint =https://graph.microsoft.com/v2.0/me
Now the problem is I am not able to get access-token with just user.read.all scope.
when my scope = openid 85f511bc-51a0-4588-85cc-6fc6d15075fd https://graph.microsoft.com/User.Read.All then I am getting error as - http://localhost:8080/c/portal/login/openidconnect?error=invalid_request&error_description=AADB2C90146: The scope 'openid 85f511bc-51a0-4588-85cc-6fc6d15075fd https://graph.microsoft.com/User.Read.All' provided in request specifies more than one resource for an access token, which is not supported. Correlation ID: 35bcbd25-7127-4f54-80a0-0f5f04dc460c Timestamp: 2020-10-26 01:56:41Z &state=1YwNRv1vISNe2E9JH32hzw3X56F8hP46JAulLIKuTvw
When my scope = openid https://graph.microsoft.com/User.Read.All
then I get error as - Unable to parse tokens response from https://azurewithliferay.b2clogin.com/azurewithliferay.onmicrosoft.com/oauth2/v2.0/token?p=b2c_1_liferay: Missing JSON object member with key "access_token"
When my scope = openid 85f511bc-51a0-4588-85cc-6fc6d15075fd
then I get error as - unable to get user information object
Request you to help in getting both access-token and user information object.
Hi @AASTHA SAXENA · You are still using oauth with Azure AD B2C as per the token endpoint in the error > https://azurewithliferay.b2clogin.com/azurewithliferay.onmicrosoft.com/oauth2/v2.0/token?p=b2c_1_liferay
For standard Azure AD oauth, you need to use https://login.microsoftonline.com/azurewithliferay.onmicrosoft.com/oauth2/v2.0/token endpoint. As of now the above method doesn't support Graph Scopes.
Hi @AASTHA SAXENA · Have you had a chance to test this out. Feel free to tag me in your reply if you have any question or need any further assistance.
Hi @AmanpreetSingh-MSFT I need to customize login page as per my application along with add other identity providers like facebook. And these features are not available in standard Azure AD oauth. That's why I need to use Azure AD BC oauth only.
But as u confirmed currently it doesnt support Graph scopes.
So, I guess I can not accomplish all my requirements with Azure at this moment.
Hello @AASTHA SAXENA · Yes, this is not possible with B2C user flow as of now. You can post a feedback regarding this feature at our feedback portal which is monitored by the product teams.
-----------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(310.4, 34%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
This is really inconvenient. Why is this not a feature yes?( and is the proper AD path better to use; should it be used?. Let me ask it in a different way.
If we go down the AD path instead of expecting this to be available in azure B2C then is it possible to do what it is that we are asking for.
Scoping a logged in user to their own credentials so they can make changes to their own claims?
I can imagine there is a way around this by building a proxy and if that is the route we have to go down then I am ok with that. But at least explain it and say it so that we know. If someone is doing a login via azure b2c and msal is it possible to setup graph api access through AD and still use the logged in user from Azure B2C to access those graph api's?
If this is possible can someone right this up in documentation on how.