
OAuth2 token returned from Office 365 doesn't contain a preferred_username claim

I followed this tutorial and have gotten to the point where I am decoding the returned token and extracting the email address (which should be stored in the preferred_username property), i.e., the following code:

require 'base64'
require 'json'

# encoded_token is the Base64url payload (middle) segment of the ID token
decoded_token = Base64.urlsafe_decode64(encoded_token)
jwt = JSON.parse(decoded_token)
email = jwt['preferred_username']

The problem is that the object returned doesn't contain this property, what I do get back is similar to below:

{  
   "ver":"2.0",
   "iss":"https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0",
   "aud":"0ab6433e-84fc-469b-8c72-41f7a0241a61",
   "exp":1458142389,
   "iat":1458055989,
   "at_hash":"0OYaLKpTTdHNBrQNOqwQ0Q",
   "sub":"AAAAAAAAAAAAAAAAAAAAAC1TrOaOmvInYrFAyrQjlFI",
   "tid":"9188040d-6c67-4c5b-b112-36a304b66dad"
}

A quick glance at the spec indicates I am getting the correct object back from Office 365, as preferred_username is mentioned as a potential claim, but it isn't in the object I get back.

It's possible I'm not calling the get_token function with the correct parameters, but the documentation for the library is pretty sparse, so I can't really tell.

I have raised an issue on Github.

Is this an error on the Office 365 end, an error with the tutorial, or am I doing something wrong myself?

I tried to reproduce this issue using a normal HTTP request; however, I could get the preferred_username property successfully.

As far as I know, we can get this property only when we specify the openid scope in the request. To narrow down this issue, I suggest that you try using Fiddler or Postman, without Ruby.

Here is the test using web browser and Fiddler to get the id token for your reference:

  1. Register the app in the portal using an Office 365 account (you can refer to the tutorial).
  2. Get the auth code in a web browser via the link below: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id={ClientID}&response_type=code&redirect_uri={RedirectURL}&response_mode=query&scope=https%3A%2F%2Foutlook.office.com%2Fmail.read%20https%3A%2F%2Foutlook.office.com%2Fmail.send%20openid&state=12345
  3. Replace the auth code from the previous request and use Fiddler to post the request to get the tokens:

    POST https://login.microsoftonline.com/common/oauth2/v2.0/token
    grant_type=authorization_code&client_id={ClientID}&scope=https%3A%2F%2Foutlook.office.com%2Fmail.read%20https%3A%2F%2Foutlook.office.com%2Fmail.send%20openid&redirect_uri=http%3A%2F%2Flocalhost%3A55065%2F&client_secret={ClientSecret}&code={AuthCode}

  4. Decode the ID token using the site below:

    https://jwt.io/

Then I could get the preferred_username property from the ID token successfully.

Answered here by Jason Johnston from Microsoft (author of the tutorial):

The Azure team deployed a breaking change to their v2 auth endpoint, which is causing the preferred_username to not be present. You need to add profile to the SCOPES array in auth_helper.rb. I'll post an update to the tutorial after the Build conference.

The SCOPES array in auth_helper.rb now looks like so:

SCOPES = [ 'openid', 'https://outlook.office.com/mail.read', 'profile' ]
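The walkthrough in the first answer (authorize URL, code exchange, decoding the ID token) and the fix in the second (add the profile scope) put together as a runnable Ruby script. This is an added example, not the tutorial's or the library's code, and it uses only the standard library rather than the OAuth gem from the tutorial. The client ID, redirect URI, state and the "jwks_uri" remark are placeholders; the two ID tokens are constructed inline from the payload quoted in the question and carry a fake signature segment, so the signature check a real deployment needs is explicitly left out.

```ruby
require 'base64'
require 'json'
require 'uri'

AUTHORIZE_URL = 'https://login.microsoftonline.com/common/oauth2/v2.0/authorize'
TOKEN_URL     = 'https://login.microsoftonline.com/common/oauth2/v2.0/token'

# Scopes as in the corrected auth_helper.rb: openid makes the v2 endpoint issue
# an ID token at all, profile makes that token carry preferred_username.
SCOPES = ['openid', 'profile', 'https://outlook.office.com/mail.read'].freeze

# Authorization URL for step 2 of the Fiddler walkthrough. Scopes are joined
# with spaces and form-encoded, which is what the %20-separated URL shows.
def authorize_url(client_id:, redirect_uri:, state:, scopes: SCOPES)
  query = URI.encode_www_form(
    client_id: client_id, response_type: 'code', redirect_uri: redirect_uri,
    response_mode: 'query', scope: scopes.join(' '), state: state
  )
  "#{AUTHORIZE_URL}?#{query}"
end

# Form body for the code exchange (step 3); POST it to TOKEN_URL.
def token_request_body(client_id:, client_secret:, redirect_uri:, code:, scopes: SCOPES)
  URI.encode_www_form(
    grant_type: 'authorization_code', client_id: client_id, client_secret: client_secret,
    redirect_uri: redirect_uri, scope: scopes.join(' '), code: code
  )
end

# Payload of a compact JWT. A JWT is header.payload.signature, so decoding the
# whole string as one Base64 blob fails; take the middle segment only.
# urlsafe_decode64 accepts the unpadded form JWTs use (Ruby >= 2.3).
def jwt_payload(id_token)
  parts = id_token.split('.')
  raise ArgumentError, "not a compact JWS (#{parts.size} segments)" unless parts.size == 3
  JSON.parse(Base64.urlsafe_decode64(parts[1]))
end

# Claim checks before the email is trusted. The signature is NOT verified here:
# in production, validate it against the issuer's published signing keys
# (the jwks_uri from the OpenID discovery document, assumed, not shown) first.
def user_from_id_token(id_token, expected_aud:, now: Time.now.to_i)
  claims = jwt_payload(id_token)
  raise "unexpected audience #{claims['aud'].inspect}" unless claims['aud'] == expected_aud
  unless claims['iss'].to_s.start_with?('https://login.microsoftonline.com/')
    raise "unexpected issuer #{claims['iss'].inspect}"
  end
  raise 'token expired' unless claims['exp'].to_i > now
  email = claims['preferred_username']
  raise 'preferred_username missing: request the profile scope' if email.nil?
  { email: email, sub: claims['sub'], tenant: claims['tid'] }
end

# Constructed sample tokens: header and payload are real Base64url JSON, the
# signature segment is a fake placeholder, so these are for decoding tests only.
def fake_id_token(claims)
  header = { 'typ' => 'JWT', 'alg' => 'RS256' }
  segments = [header, claims].map { |h| Base64.urlsafe_encode64(JSON.generate(h), padding: false) }
  (segments + ['fakesig']).join('.')
end

# Payload from the question (no profile scope, hence no preferred_username).
BASE_CLAIMS = {
  'ver' => '2.0',
  'iss' => 'https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0',
  'aud' => '0ab6433e-84fc-469b-8c72-41f7a0241a61',
  'exp' => 1458142389, 'iat' => 1458055989,
  'sub' => 'AAAAAAAAAAAAAAAAAAAAAC1TrOaOmvInYrFAyrQjlFI',
  'tid' => '9188040d-6c67-4c5b-b112-36a304b66dad'
}.freeze

TOKEN_WITHOUT_PROFILE = fake_id_token(BASE_CLAIMS)
TOKEN_WITH_PROFILE    = fake_id_token(BASE_CLAIMS.merge('preferred_username' => 'user@example.com'))

if __FILE__ == $0
  puts authorize_url(client_id: '{ClientID}', redirect_uri: 'http://localhost:55065/', state: '12345')
  begin
    user_from_id_token(TOKEN_WITHOUT_PROFILE, expected_aud: BASE_CLAIMS['aud'], now: BASE_CLAIMS['iat'])
  rescue RuntimeError => e
    puts "token without profile scope: #{e.message}"
  end
  p user_from_id_token(TOKEN_WITH_PROFILE, expected_aud: BASE_CLAIMS['aud'], now: BASE_CLAIMS['iat'])
end
```

Running the script prints the authorize URL, then the clear failure for the question's payload, then the extracted user for a token that was issued with the profile scope. The aud and iss checks matter because the preferred_username value is only meaningful for a token minted for this client by this issuer; an ID token for some other app decodes just as happily.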
