microsoft-identity-web: [Bug] Set option "GetClaimsFromUserInfoEndpoint" should go to user info endpoint

Which version of Microsoft Identity Web are you using? Note that to get help, you need to run the latest version.

1.4.1

Where is the issue?

  • Web app
    • [x] Sign-in users
    • [ ] Sign-in users and call web APIs
  • [ ] Other (please describe)

Is this a new or an existing app?

a. The app is in production and I have attempted to change from OpenIDConnect middleware to MicrosoftIdentityWebApp middleware.

Repro

var initialScopes = new string[] { "openId", "profile", "User.ReadBasic.All" };

// Sign-in users with the Microsoft identity platform
services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(options =>
    {
        Configuration.Bind("AzureAd", options);
        // Expected to make the handler call the userinfo endpoint after sign-in
        options.GetClaimsFromUserInfoEndpoint = true;
    }, options => { Configuration.Bind("AzureAd", options); })
    .EnableTokenAcquisitionToCallDownstreamApi(options => Configuration.Bind("AzureAd", options), initialScopes)
    .AddMicrosoftGraph(Configuration.GetSection("GraphAPI"))
    .AddInMemoryTokenCaches();

Expected behavior

Setting the option “GetClaimsFromUserInfoEndpoint” to true actually results in an HTTP request to that endpoint passing the access_token as a bearer token, retrieving all additional claims, and adding them to the set of user claims.

Actual behavior

The OpenIdConnectOptions setting “GetClaimsFromUserInfoEndpoint” does not result in an HTTP request actually being sent to the UserInfo endpoint defined in the discovery/metadata document. For example, our tenant defines the v2.0 userinfo endpoint as “https://graph.microsoft.com/oidc/userinfo”, but that request is never made despite the access_token needed for it being received. This works as intended in the standard OpenIdConnect middleware.

Specifically, Graph API-based claims (such as User.ReadBasic.All) are NOT included in the id_token (as expected), but since the call to the userinfo endpoint is not happening, those claims are never retrieved. Once again, if I manually set up the same configuration directly in the OpenIdConnect middleware, the correct behavior occurs and all claims are available.

Possible solution

Make setting the option “GetClaimsFromUserInfoEndpoint = true” on .AddMicrosoftIdentityWebApp() actually result in a call to the endpoint defined in the discovery document.
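The behaviour the report expects (resolve the userinfo endpoint from the discovery document, call it with the access token as a bearer, merge the returned claims into the signed-in principal) can be wired up explicitly in the OpenIdConnect events while the option is not honoured. The following is an added example, not code from Microsoft.Identity.Web or from the reporter. The extension method name is hypothetical; it assumes the handler runs inside the configure delegate passed to AddMicrosoftIdentityWebApp (or to AddOpenIdConnect), and by default reads the access token from TokenValidatedContext.TokenEndpointResponse, which is an assumption about where the token is exposed in that event. If the wrapper does not put the token there, pass your own delegate for getAccessToken; the handler adds nothing when no token is available. The example also carries the checks a practitioner would want that the option alone does not make visible: the userinfo "sub" must match the id_token subject (OpenID Connect Core 5.3.2), and claims already present in the signed id_token are never overwritten by unsigned userinfo values.

```csharp
// Added example (not Microsoft.Identity.Web's own code): fetch claims from the
// userinfo endpoint named in the discovery document and merge them into the
// signed-in principal, the behaviour expected from GetClaimsFromUserInfoEndpoint.
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;

public static class UserInfoClaimsExtensions
{
    // Hypothetical helper name. getAccessToken decides where the bearer token
    // comes from; by default it is read from the token endpoint response, which
    // is an assumption about what the wrapper exposes in OnTokenValidated.
    public static void AddClaimsFromUserInfoEndpoint(
        this OpenIdConnectOptions options,
        Func<TokenValidatedContext, Task<string>> getAccessToken = null)
    {
        getAccessToken = getAccessToken
            ?? (ctx => Task.FromResult(ctx.TokenEndpointResponse?.AccessToken));

        // Chain rather than replace: any handler already registered still runs.
        var previous = options.Events.OnTokenValidated;
        options.Events.OnTokenValidated = async context =>
        {
            if (previous != null) await previous(context);
            if (!(context.Principal?.Identity is ClaimsIdentity identity)) return;

            var accessToken = await getAccessToken(context);
            if (string.IsNullOrEmpty(accessToken)) return;   // nothing to present as bearer

            // Resolve the endpoint from the discovery document, never hard-code it.
            var cancel = context.HttpContext.RequestAborted;
            var config = await context.Options.ConfigurationManager.GetConfigurationAsync(cancel);
            if (string.IsNullOrEmpty(config.UserInfoEndpoint)) return;

            using var request = new HttpRequestMessage(HttpMethod.Get, config.UserInfoEndpoint);
            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
            using var response = await context.Options.Backchannel.SendAsync(request, cancel);
            // A failed userinfo call means "no extra claims", not a failed sign-in.
            if (!response.IsSuccessStatusCode) return;

            using var doc = JsonDocument.Parse(await response.Content.ReadAsStringAsync());
            var userInfo = doc.RootElement;

            // OpenID Connect Core 5.3.2: the userinfo "sub" must equal the id_token "sub".
            // The inbound claim mapper may have renamed "sub" to NameIdentifier.
            var idTokenSub = identity.FindFirst("sub")?.Value
                             ?? identity.FindFirst(ClaimTypes.NameIdentifier)?.Value;
            if (!userInfo.TryGetProperty("sub", out var sub) || sub.GetString() != idTokenSub)
            {
                context.Fail("userinfo subject does not match the id_token subject");
                return;
            }

            foreach (var property in userInfo.EnumerateObject())
            {
                if (property.Value.ValueKind != JsonValueKind.String) continue;
                // Signed id_token claims win; userinfo only fills in what is missing.
                if (identity.HasClaim(c => c.Type == property.Name)) continue;
                identity.AddClaim(new Claim(property.Name, property.Value.GetString(),
                                            ClaimValueTypes.String, config.Issuer));
            }
        };
    }
}
```

Usage in the repro above would be a single call inside the first configure delegate, after Configuration.Bind: options.AddClaimsFromUserInfoEndpoint();. Only string-valued userinfo properties are copied; array or object values (for example group lists) would need an explicit mapping of your own rather than a blanket copy, so that a large or unexpected userinfo payload cannot flood the principal with claims.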

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 16

Most upvoted comments

I leave this to Chris. Presumably there’s an event somewhere where you’ll get the results back and you need to wire that up if the option is set to true.