从Office 365返回的OAuth2令牌不包含preffered_username声明

Question

I followed this tutorial and have gotten to the point where I am decoding the returned token, and extracting the email address (which should be stored in the preferred_username property), ie, the following code:

decoded_token = Base64.urlsafe_decode64(encoded_token)
jwt = JSON.parse(decoded_token)
email = jwt['preferred_username']

The problem is that the object returned doesn't contain this property, what I do get back is similar to below:

{  
   "ver":"2.0",
   "iss":"https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0",
   "aud":"0ab6433e-84fc-469b-8c72-41f7a0241a61",
   "exp":1458142389,
   "iat":1458055989,
   "at_hash":"0OYaLKpTTdHNBrQNOqwQ0Q",
   "sub":"AAAAAAAAAAAAAAAAAAAAAC1TrOaOmvInYrFAyrQjlFI",
   "tid":"9188040d-6c67-4c5b-b112-36a304b66dad"
}

A quick glance at the spec indicates I am getting the correct object back from Office 365, as preferred_username is mentioned as a potential claim, but it isn't in the object I get back.

It's possible I'm not calling the get_token function with the correct parameters, but the documentation for the library is pretty sparse , so I can't really tell.

I have raised an issue on Github.

Is this an error on the Office 365 end, an error with the tutorial, or am I doing something wrong myself?

Answer 1

I am try to reproduce this issue using normal HTTP request however I could get the preferred_username property successfully.

As far as I know, we can get this property only when we specific the openid scope in the request. To narrow down this issue, I suggest that you trying use Fiddler or Postman without Ruby.

Here is the test using web browser and Fiddler to get the id token for your reference:

1. Register the app in the portal using Office 365 account( which you can refer to the tutorial)
2. Get the auth code in a web broswer via the link below: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id= {ClientID}&response_type=code&redirect_uri={RedirectURL}&response_mode=query&scope=https%3A%2F%2Foutlook.office.com%2Fmail.read%20https%3A%2F%2Foutlook.office.com%2Fmail.send%20 openid &state=12345

3. Replace the auth code from preview request and using Fiddler to post the request to get the tokens:

   POST: https://login.microsoftonline.com/common/oauth2/v2.0/token grant_type=authorization_code&client_id={ClientID}&scope=https%3A%2F%2Foutlook.office.com%2Fmail.read%20https%3A%2F%2Foutlook.office.com%2Fmail.send%20 openid &redirect_uri=http%3A%2F%2Flocalhost%3A55065%2F&client_secret={ClientSecret}&code={AuthCode}

4. Decode the ID token from the link below:

   https://jwt.io/

Then I could get the preferred_username property from the ID token successfully.

Answer 2

Answered here by Jason Johnston from Microsoft (author of the tutorial):

The Azure team deployed a breaking change to their v2 auth endpoint, which is causing the preferred_username to not be present. You need to add profile to the SCOPES array in auth_helper.rb. I'll post an update to the tutorial after the Build conference.

The SCOPES array in auth_helper.rb now looks like so:

SCOPES = [ 'openid', 'https://outlook.office.com/mail.read', 'profile' ]