ChrisS-5799 asked:

Azure B2C OAuth 2.0 retrieval of claims

I have Azure B2C set up and have a requirement to use OAuth 2.0 to authenticate my application and retrieve user info.
I can authenticate but have no idea how to get the claims. I cannot find any endpoint listed for doing so.

Thanks,

Please see Ian's post below regarding this issue.

Thanks,

azure-ad-b2c

amanpreetsingh-msft answered:

@ChrisS-5799 you need to use https://graph.microsoft.com/v1.0/me, which returns the information below about the authenticated user:

[image: capture.jpg]

If the required claims are not listed here, you can use https://graph.microsoft.com/beta/me, which returns many more user attributes. However, if you would like to get a specific set of claims, you can append ?$select=attribute_name to the above URLs. For example, https://graph.microsoft.com/v1.0/me?$select=givenName,surname will return only the first name and surname of the user.

To test it, go to https://developer.microsoft.com/en-us/graph/graph-explorer#, sign in by clicking the Sign in with Microsoft button on the left side, and make the above calls.


Please "Accept as answer" wherever the information provided helps you to help others in the community.



ianskilljarcom-4557 answered:

Hi @amanpreetsingh-msft!

My name is Ian and I'm working with Chris on implementing the OIDC/OAuth2 SSO connection between Skilljar (relying party) and Universal Avionics (Azure B2C / IdP) via the OAuth2 authorization code flow.

We've gotten to a point where we've been able to successfully receive an access token, but we're currently blocked when trying to retrieve user details. We tried several different UserInfo endpoints, with the latest attempt being: https://graph.microsoft.com/beta/me.

This is the response we get back:

{"error": {"code": "InvalidAuthenticationToken", "message": "Access token validation failure.", "innerError": {"date": "2020-04-02T22:19:27", "request-id": "ddc15e61-2944-4d4f-819c-61573f465620"}}}

We (Skilljar) do not yet have full support for OIDC, so we can't leverage the id_token for user claims, which is why we need to interface with a UserInfo endpoint.

We've also been unsuccessful in finding helpful documentation around this. For reference, here are all the configuration details:

client_id = b2e65cba-4eb2-4520-8808-d1ef4627469d

client_secret = [omitted]

Auth URL = https://[omitted].b2clogin.com/[omitted].onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_SkillJarSignin

Token URL = https://[omitted].b2clogin.com/[omitted].onmicrosoft.com/oauth2/v2.0/token?p=B2C_1_SkillJarSignin

UserInfo URL = https://graph.microsoft.com/beta/me

scope = b2e65cba-4eb2-4520-8808-d1ef4627469d profile email openid

(tenant id's have been omitted with [omitted])

Can you help us determine if there's something we're missing? Does Azure B2C's OIDC/OAuth2 support a native UserInfo endpoint?
We've been trying out the Graph endpoints, but no luck.

Thank you!
Ian


@amanpreetsingh-msft! I'm working with Ian. I hope you can help us figure out what we are missing.
Thanks, Chris.


Azure AD B2C doesn't support a native UserInfo endpoint.

If you decode the token at https://jwt.ms, do you see graph.microsoft.com in the audience claim? I do not see the scope parameter in the request parameters that you have shared.


ianskilljarcom-4557 answered:

Hi @amanpreetsingh-msft!

Thank you for the response. Just to clarify, these are the scope values we're using: scope = b2e65cba-4eb2-4520-8808-d1ef4627469d profile email openid.

Since my last comment, we've been able to add support for validating and parsing the id_token (since Azure AD B2C doesn't support a native UserInfo endpoint, we can skip that now!).

What we're running into is validating the id_token signature. We have a client-specific setup, where we securely store the client_secret in our backend and use it to validate the id_token signature. We also expect it to be signed with HS256.

We've already asked Chris to check, but can you confirm whether Azure B2C has support for signing the id_token with the HS256 algorithm, and if so, where in the B2C dashboard he can find that setting?

Thank you!


amanpreetsingh-msft answered:

@ianskilljarcom-4557 Azure AD B2C currently supports only RS256 for signing the id_token. To confirm this, go to the OIDC metadata endpoint of your user flow using the link below and look for the "id_token_signing_alg_values_supported" parameter.

Metadata URL: https://[omitted].b2clogin.com/[omitted].onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_SkillJarSignin


Ah, I was afraid that was the case. Thank you for confirming, @amanpreetsingh-msft!

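The thread leaves two practical questions answered only in words: the comment asking whether the access token's aud claim contains graph.microsoft.com (why Graph returns InvalidAuthenticationToken), and the final answer that B2C signs the id_token with RS256 only, so a relying party cannot verify it with the client_secret. The following is an added example, not code from the thread, from Skilljar, or from Microsoft, that covers both. It reads a token's aud to show why a B2C access token requested with scope "<client_id> openid profile email" is refused by Graph, and it validates an id_token against a JWKS with the algorithm pinned to RS256, rejecting an HS256 key-confusion forgery and a token minted for another client. The issuer URL, the key pair, the kid and every claim value are constructed placeholders, and the minimal pure-Python RSA exists only so the example runs offline.

```python
"""Added example (not code from the thread, Skilljar or Microsoft): why a B2C access token
is rejected by Microsoft Graph, and how a relying party validates the RS256 id_token against
the policy's JWKS instead of HMAC-ing it with the client_secret. The tiny pure-Python RSA only
makes this run offline; use a maintained JOSE library fed from jwks_uri in production.
Assumed/constructed: ISSUER, the key pair, the kid and every claim value."""
import base64, hashlib, hmac, json, random, time

CLIENT_ID = "b2e65cba-4eb2-4520-8808-d1ef4627469d"          # app id from the thread
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}
ISSUER = "https://contoso.b2clogin.com/<tenant-guid>/v2.0/"  # constructed placeholder
b64url_encode = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
b64url_decode = lambda text: base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def is_graph_access_token(token):
    """Graph only accepts tokens whose aud is Graph; a B2C token requested with scope
    '<client_id> openid profile email' has aud = client_id, hence InvalidAuthenticationToken.
    The payload is read unverified (what jwt.ms shows), so this is for diagnostics only."""
    aud = json.loads(b64url_decode(token.split(".")[1])).get("aud")
    return bool(GRAPH_AUDIENCES & set(aud if isinstance(aud, list) else [aud]))

def _probable_prime(n, rounds=32):                    # Miller-Rabin; for test keys only
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 2), d, n)     # composite if no squaring reaches n-1
        if x not in (1, n - 1) and all((x := pow(x, 2, n)) != n - 1 for _ in range(r - 1)):
            return False
    return True

def generate_rsa_key(bits=1024):                      # test-only key; B2C's real keys come from jwks_uri
    def prime(b):
        while True:
            c = random.getrandbits(b) | (1 << (b - 1)) | 1
            if _probable_prime(c): return c
    p, q, e = prime(bits // 2), prime(bits // 2), 65537
    while p == q or (p - 1) * (q - 1) % e == 0:
        q = prime(bits // 2)
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def _emsa_pkcs1_v15(msg, k):                          # RFC 8017 EMSA-PKCS1-v1_5 with SHA-256
    t = bytes.fromhex("3031300d060960864801650304020105000420") + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(key, msg):
    k = (key["n"].bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(msg, k), "big"), key["d"], key["n"]).to_bytes(k, "big")

def rs256_verify(n, e, msg, sig):
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") if len(sig) == k else b""
    return hmac.compare_digest(em, _emsa_pkcs1_v15(msg, k))

def jwks_for(key, kid):                               # same shape as the document served at jwks_uri
    be = lambda i: b64url_encode(i.to_bytes((i.bit_length() + 7) // 8, "big"))
    return {"keys": [{"kty": "RSA", "use": "sig", "kid": kid, "n": be(key["n"]), "e": be(key["e"])}]}

def mint_token(claims, header, key=None, hmac_secret=None):   # constructed issuer (or forger)
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(claims)
    sig = (rs256_sign(key, signing_input.encode()) if header["alg"] == "RS256"
           else hmac.new(hmac_secret, signing_input.encode(), hashlib.sha256).digest())
    return signing_input + "." + b64url_encode(sig)

def verify_id_token(token, jwks, issuer=ISSUER, client_id=CLIENT_ID, now=None):
    """Return the claims if `token` is a genuine RS256 id_token for this RP, else raise ValueError."""
    h64, p64, s64 = token.split(".")                  # a malformed token raises ValueError here
    header = json.loads(b64url_decode(h64))
    # Pin alg to what the metadata advertises; honouring header['alg'] enables HS256/none downgrades.
    if header.get("alg") != "RS256":
        raise ValueError("alg must be RS256, got %r" % header.get("alg"))
    jwk = next((k for k in jwks["keys"] if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if jwk is None: raise ValueError("no RSA key with kid %r" % header.get("kid"))
    n, e = (int.from_bytes(b64url_decode(jwk[f]), "big") for f in ("n", "e"))
    if not rs256_verify(n, e, (h64 + "." + p64).encode(), b64url_decode(s64)):
        raise ValueError("signature invalid")
    claims, now = json.loads(b64url_decode(p64)), (time.time() if now is None else now)
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud %r is not this client" % aud)
    if claims.get("iss") != issuer or not claims.get("nbf", 0) <= now < claims.get("exp", 0):
        raise ValueError("issuer mismatch or outside nbf/exp window")
    return claims

def demo(now=1585872000):                             # fixed clock (2020-04-03T00:00Z)
    jwks = jwks_for(key := generate_rsa_key(), "kid-1")
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-guid", "given_name": "Chris",
              "emails": ["chris@example.com"], "nbf": now - 60, "exp": now + 3600}
    hdr = {"alg": "RS256", "typ": "JWT", "kid": "kid-1"}
    good = mint_token(claims, hdr, key=key)
    # Key-confusion forgery: same kid, alg switched to HS256, HMAC keyed with the public modulus.
    forged = mint_token(dict(claims, sub="attacker"), dict(hdr, alg="HS256"),
                        hmac_secret=b64url_decode(jwks["keys"][0]["n"]))
    wrong_aud = mint_token(dict(claims, aud="some-other-app"), hdr, key=key)
    def outcome(tok):
        try:
            return verify_id_token(tok, jwks, now=now)["sub"]
        except ValueError as err:
            return "rejected: " + str(err)
    return {"good": outcome(good), "forged_hs256": outcome(forged), "wrong_aud": outcome(wrong_aud),
            "good_is_graph_token": is_graph_access_token(good)}
```

In production the JWKS and issuer come from the metadata document linked in the answer above (its jwks_uri and issuer fields), and the accepted algorithm is taken from id_token_signing_alg_values_supported, never from the token's own header. The HS256 case in demo is exactly the configuration Skilljar describes (client_secret as the HMAC key); with alg pinned to RS256 such a token is refused before any key is consulted.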