
[Bug] Set option "GetClaimsFromUserInfoEndpoint" should go to user info endpoint

See original GitHub issue

Which version of Microsoft Identity Web are you using? Note that to get help, you need to run the latest version.

1.4.1

Where is the issue?

  • Web app
    • [x] Sign-in users
    • Sign-in users and call web APIs
  • Other (please describe)

Is this a new or an existing app?

a. The app is in production and I have attempted to change from OpenIDConnect middleware to MicrosoftIdentityWebApp middleware.

Repro

// Scopes requested at sign-in: the OIDC scopes plus a Graph permission whose claims
// are expected to come back from the userinfo endpoint rather than the id_token.
var initialScopes = new string[] { "openId", "profile", "User.ReadBasic.All" };

// Sign-in users with the Microsoft identity platform
services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(options =>
    {
        Configuration.Bind("AzureAd", options);
        // Expected to make the handler call the userinfo endpoint from the discovery document
        options.GetClaimsFromUserInfoEndpoint = true;
    }, options => { Configuration.Bind("AzureAd", options); })
    .EnableTokenAcquisitionToCallDownstreamApi(options => Configuration.Bind("AzureAd", options), initialScopes)
    .AddMicrosoftGraph(Configuration.GetSection("GraphAPI"))
    .AddInMemoryTokenCaches();

Expected behavior

Setting option “GetClaimsFromUserInfoEndpoint” to true actually results in an HTTP request to that endpoint passing the access_token as a bearer, retrieving all additional claims, and adding them to the set of UserClaims.

Actual behavior

The OpenIdConnectOptions setting “GetClaimsFromUserInfoEndpoint” is not resulting in actually sending an HTTP request to the UserInfo Endpoint defined in the Discovery/Meta document. For example, our tenant defines the v2.0 userinfo endpoint as “https://graph.microsoft.com/oidc/userinfo”, but that request is never made despite the access_token to do so being received. This works as intended in the standard OpenIdConnect middleware.

Specifically, Graph API-based claims (such as User.ReadBasic.All) are NOT included in the id_token (as expected), but since the call to the userinfo endpoint is not happening, those claims are never retrieved. Once again, if I manually set up the same configuration directly in the OpenIdConnect middleware, the correct behavior occurs, and all claims are available.

Possible solution

Make setting the option “GetClaimsFromUserInfoEndpoint = true” on the function .AddMicrosoftIdentityWeb() actually result in calling the endpoint defined in the discovery document.

Top GitHub Comments

blowdart commented, Feb 1, 2021

I leave this to Chris. Presumably there’s an event somewhere where you’ll get the results back and you need to wire that up if the option is set to true.
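As an added example, not code from the issue or from the Microsoft.Identity.Web project: a handler chained onto the OpenID Connect OnTokenValidated event that performs the userinfo request the issue expects (bearer access_token against the endpoint published in the discovery document), rejects the response unless its sub matches the id_token's sub, and adds only claims the identity does not already carry. It assumes the access token is exposed on the token-validated context's ProtocolMessage and that services is the IServiceCollection from the repro above.

```csharp
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Text.Json;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;

// Chain onto the event handler the library already registered instead of replacing it.
services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
    var inner = options.Events.OnTokenValidated;
    options.Events.OnTokenValidated = async ctx =>
    {
        await inner(ctx);

        // Assumption: the access token from code redemption is present on the protocol message.
        var accessToken = ctx.ProtocolMessage?.AccessToken;
        if (string.IsNullOrEmpty(accessToken) || ctx.Principal?.Identity is not ClaimsIdentity identity)
            return;

        // Use the userinfo endpoint from the discovery document, never a hard-coded URL.
        var config = await ctx.Options.ConfigurationManager!.GetConfigurationAsync(ctx.HttpContext.RequestAborted);
        if (string.IsNullOrEmpty(config.UserInfoEndpoint))
            return;

        using var request = new HttpRequestMessage(HttpMethod.Get, config.UserInfoEndpoint);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        using var response = await ctx.Options.Backchannel.SendAsync(request, ctx.HttpContext.RequestAborted);
        response.EnsureSuccessStatusCode();

        using var doc = JsonDocument.Parse(await response.Content.ReadAsStringAsync());
        var root = doc.RootElement;

        // OIDC Core 5.3.2: the userinfo "sub" must equal the id_token "sub"; otherwise discard it.
        var idTokenSub = ctx.SecurityToken?.Subject;
        if (!root.TryGetProperty("sub", out var sub) || sub.GetString() != idTokenSub)
            throw new InvalidOperationException("userinfo 'sub' does not match the id_token 'sub'.");

        foreach (var prop in root.EnumerateObject())
        {
            // Userinfo may only add claims; it must not override claims from the validated id_token.
            if (identity.HasClaim(c => c.Type == prop.Name)) continue;
            if (prop.Value.ValueKind == JsonValueKind.Array)
                foreach (var item in prop.Value.EnumerateArray())
                    identity.AddClaim(new Claim(prop.Name, item.ToString()));
            else
                identity.AddClaim(new Claim(prop.Name, prop.Value.ToString()));
        }
    };
});
```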
