Getting user picture on OpenIdConnect

  • Question

  • User-484626426 posted

    I've managed to authenticate a user using OpenIdConnect. Does anyone know how to get an access token so I can get the user's picture?

    Below is a part of the code:

    app.UseOpenIdConnectAuthentication(
        new OpenIdConnectAuthenticationOptions
        {
            ClientId = "[clientid]",
            Authority = "https://login.microsoftonline.com/common/v2.0",
            RedirectUri = "https://iluvrun.com/signin-oidc",
            PostLogoutRedirectUri = "https://iluvrun.com",
            Scope = OpenIdConnectScope.OpenIdProfile,
            // Implicit flow: id_token and access token both come back in the front-channel response
            ResponseType = "id_token token",
            TokenValidationParameters = new TokenValidationParameters()
            {
                ValidateIssuer = false
            },
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                SecurityTokenValidated = context =>
                {
                    // Access token as it arrived in the authorization response, if any
                    string token = context.ProtocolMessage.AccessToken;

                    if (!string.IsNullOrEmpty(token))
                    {
                        context.AuthenticationTicket.Identity.AddClaim(new Claim("urn:oidc:access_token", token));
                    }

                    return Task.FromResult(0);
                },
                AuthenticationFailed = (notification) =>
                {
                    notification.HandleResponse();
                    notification.Response.Redirect("/Account/Login?errormessage=" + notification.Exception.Message);

                    return Task.FromResult(0);
                }
            }
        }
    );

    I suspect context.ProtocolMessage.AccessToken does not give me the right access code. The access token fails when used as the authorization for GET https://graph.microsoft.com/v1.0/me/photo/$value.

    Does anyone have any clue?

    Sunday, April 12, 2020 3:13 PM

All replies

  • User-484626426 posted

    Hi, I found the code below from Yu Nan of Microsoft, which I'm going to try in order to get the access code.

    Does anyone know what the appKey is to get ClientCredential?

    app.UseOpenIdConnectAuthentication(
        new OpenIdConnectAuthenticationOptions
        {
            ClientId = clientId,
            Authority = authority,
            PostLogoutRedirectUri = postLogoutRedirectUri,

            Notifications = new OpenIdConnectAuthenticationNotifications()
            {
                AuthenticationFailed = (context) =>
                {
                    return System.Threading.Tasks.Task.FromResult(0);
                },
                // Fires only when "code" is part of the response type
                AuthorizationCodeReceived = async (context) =>
                {
                    var code = context.Code;

                    // appkey: the application's client secret
                    ClientCredential credential = new ClientCredential(clientId, appkey);
                    string tenantID = context.AuthenticationTicket.Identity.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid").Value;
                    string signedInUserID = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.NameIdentifier).Value;

                    // Redeem the code at the tenant's token endpoint for an Azure AD Graph token (ADAL)
                    AuthenticationContext authContext = new AuthenticationContext(string.Format("https://login.microsoftonline.com/{0}", tenantID));
                    AuthenticationResult result = await authContext.AcquireTokenByAuthorizationCodeAsync(
                        code, new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path)), credential, "https://graph.windows.net/");
                    var accessToken = result.AccessToken;
                },
            }
        }
    );

    Monday, April 13, 2020 6:16 AM
  • User1535942433 posted

    Hi suencien,

    According to your description, I suggest you override the AuthorizationCodeReceived method to get the access token. Or you could use the authentication code flow to acquire an access token for access.

    For more details, you could refer to the articles below:

    https://stackoverflow.com/questions/57519054/azure-authentication-using-oauth-with-token-in-asp-net-webforms-not-mvc

    https://stackoverflow.com/questions/43488511/acquire-aad-token-using-asp-net-web-forms/43537198#43537198

    Best regards,

    Yijing Sun

    Monday, April 13, 2020 6:41 AM
  • User-484626426 posted

    Hi Yijing Sun,

    Thank you for responding. AuthorizationCodeReceived doesn't seem to be executed. The acquired access token remains blank. Do you know why?

    SecurityTokenValidated however gets an access token although it seems like a wrong one.

    Monday, April 13, 2020 7:49 AM
  • User-484626426 posted

    OK, I found out that AuthorizationCodeReceived was not firing because ResponseType was set to "id_token token". So you need "code" to be one of the ResponseTypes.

    But after I changed ResponseType to "code id_token token", the authentication returns an error even before the user is entering a password. 

    "OpenIdConnectMessage.Error was not null, indicating an error. Error: 'invalid_request'. Error_Description #may be empty#: 'The provided request must include a 'response_type' input parameter.'. Error_Uri #may be empty#: 'error_uri is null'."

    Does anyone know why?

    Tuesday, April 14, 2020 7:24 AM
  • User1535942433 posted

    Hi suencien,

    According to your description, as far as I think, ResponseType has two values. One is code, another is token id_token. You need to use code.

    Does anyone know what the appKey is to get ClientCredential?

    As far as I think, appKey is the client secret in Certificates & secrets.

    Best regards,

    Yijing Sun

    Tuesday, April 14, 2020 9:32 AM
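As an added example (not code from this thread, nor from the Katana or MSAL projects), here is how the two answers above fit together in OWIN: ResponseType "code id_token" so that AuthorizationCodeReceived fires, the client secret (the "appKey") used to redeem the code on the back channel through MSAL (Microsoft.Identity.Client) for a Microsoft Graph User.Read token, and the issuer pinned to the tenant instead of ValidateIssuer = false. Assumed: Microsoft.Owin.Security.OpenIdConnect 4.x and MSAL 4.x, the placeholder ClientId/ClientSecret/TenantId values, and the hypothetical Startup, GraphPhoto and urn:msal:home_account_id names.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Identity.Client;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    // Placeholder settings (assumed; read them from configuration in a real app).
    public const string ClientId = "[clientid]";
    public const string ClientSecret = "[client secret from Certificates & secrets]"; // the "appKey"
    public const string TenantId = "[tenant id]";
    public const string RedirectUri = "https://iluvrun.com/signin-oidc";
    public const string AccountIdClaim = "urn:msal:home_account_id"; // hypothetical claim name
    public static readonly string[] GraphScopes = { "https://graph.microsoft.com/User.Read" };

    // One confidential client for the app. MSAL keeps the user's Graph tokens in its own
    // cache keyed by account, so the access token itself never goes into the auth cookie.
    public static readonly IConfidentialClientApplication Msal =
        ConfidentialClientApplicationBuilder.Create(ClientId)
            .WithClientSecret(ClientSecret)
            .WithRedirectUri(RedirectUri)
            .WithAuthority(AzureCloudInstance.AzurePublic, TenantId)
            .Build();

    public void ConfigureAuth(IAppBuilder app)
    {
        string authority = "https://login.microsoftonline.com/" + TenantId + "/v2.0";

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = ClientId,
            Authority = authority,
            RedirectUri = RedirectUri,
            PostLogoutRedirectUri = "https://iluvrun.com",
            // Hybrid flow: the id_token signs the user in, the code makes AuthorizationCodeReceived
            // fire. No "token" in the response type, so no access token travels in the front channel.
            ResponseType = OpenIdConnectResponseType.CodeIdToken,
            Scope = "openid profile offline_access " + string.Join(" ", GraphScopes),
            TokenValidationParameters = new TokenValidationParameters
            {
                // Pin the issuer instead of ValidateIssuer = false; with "common" and issuer
                // validation off, users from any Azure AD tenant would be let in.
                ValidIssuer = authority,
            },
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                AuthorizationCodeReceived = async context =>
                {
                    // Redeem the code on the back channel with the client secret.
                    AuthenticationResult result = await Msal
                        .AcquireTokenByAuthorizationCode(GraphScopes, context.Code)
                        .ExecuteAsync();
                    // Only the MSAL account id goes into the cookie identity.
                    context.AuthenticationTicket.Identity.AddClaim(
                        new Claim(AccountIdClaim, result.Account.HomeAccountId.Identifier));
                },
                AuthenticationFailed = context =>
                {
                    context.HandleResponse();
                    // Do not echo the raw exception message into a redirect URL.
                    context.Response.Redirect("/Account/Login?errormessage=signin_failed");
                    return Task.FromResult(0);
                },
            },
        });
    }
}

// Hypothetical helper (not from the original post): gets the signed-in user's photo
// with a Graph token taken silently from the MSAL cache.
public static class GraphPhoto
{
    static readonly HttpClient Http = new HttpClient();

    public static async Task<byte[]> GetAsync(ClaimsPrincipal user)
    {
        string accountId = user.FindFirst(Startup.AccountIdClaim)?.Value;
        if (accountId == null) throw new InvalidOperationException("No MSAL account for this user; sign in again.");
        IAccount account = await Startup.Msal.GetAccountAsync(accountId);
        AuthenticationResult result = await Startup.Msal
            .AcquireTokenSilent(Startup.GraphScopes, account)
            .ExecuteAsync(); // throws MsalUiRequiredException when a fresh sign-in is needed
        var request = new HttpRequestMessage(HttpMethod.Get,
            "https://graph.microsoft.com/v1.0/me/photo/$value");
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
        HttpResponseMessage response = await Http.SendAsync(request);
        if (response.StatusCode == HttpStatusCode.NotFound) return null; // user has no profile photo
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsByteArrayAsync();
    }
}
```

Call GraphPhoto.GetAsync(User as ClaimsPrincipal) from a controller action and return the bytes as image/jpeg. Two things to check when this fails: the app registration must have ID tokens enabled under Authentication (Implicit grant and hybrid flows) for the v2.0 hybrid flow to be accepted, and the redirect URI given to MSAL must be exactly the one registered and the one the middleware sent, or the code redemption is rejected. MSAL's default token cache is in-memory and per process; behind a web farm, plug in a persistent cache so AcquireTokenSilent keeps working after a restart or on another node.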
  • User-484626426 posted

    Yes, but when I set ResponseType to "code id_token", the authentication returns an error. Is there a setting I need to make at the Azure portal, or any OpenIdConnect setting I missed or got wrong? It seems like it doesn't like "code".

    Tuesday, April 14, 2020 12:56 PM
  • User1535942433 posted

    Hi suencien,

    According to your description, I suggest you use access_token.

    Best regards,

    Yijing Sun

    Friday, April 17, 2020 7:26 AM