How to fetch email in web api 2 which is secured by WAAD

Question

I am using MVC 5 client which is secured by "UseOpenIdConnectAuthentication" and getting all user details in Claims object, this client is calling WAAD secured Web Api by "Bearer" authentication token.

I need to fetch username or email in the web api. I tried different options but nothing worked.

I am getting null in Identity.Name, other properties I am getting like nameidentifier, objectidentifier, tenanted etc.

Please advise.

Thanks

Below code I am using for access token in Web Client.

string signedInUserID = ClaimsPrincipal.Current.FindFirst(ClaimTypes.NameIdentifier).Value;
            string tenantID = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid").Value;
            ClientCredential clientcred = new ClientCredential(Startup.clientId, Startup.appKey);
            AuthenticationContext authenticationContext = new AuthenticationContext(Startup.aadInstance + Startup.tenantId, new ADALTokenCache(signedInUserID));
            AuthenticationResult authenticationResult = authenticationContext.AcquireToken(apiResourceId, clientcred);

            return authenticationResult.AccessToken;

Start up Code

app.UseOpenIdConnectAuthentication(
                new OpenIdConnectAuthenticationOptions
                {
                    ClientId = clientId,
                    Authority = Authority,
                    PostLogoutRedirectUri = postLogoutRedirectUri,
                    UseTokenLifetime = false,
                    Notifications = new OpenIdConnectAuthenticationNotifications()
                    {
                        // If there is a code in the OpenID Connect response, redeem it for an access token and refresh token, and store those away.
                        AuthorizationCodeReceived = (context) =>
                        {
                            var code = context.Code;
                            ClientCredential credential = new ClientCredential(clientId, appKey);
                            string signedInUserID = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.NameIdentifier).Value;
                            AuthenticationContext authContext = new AuthenticationContext(Authority, new ADALTokenCache(signedInUserID));
                            AuthenticationResult result = authContext.AcquireTokenByAuthorizationCode(
                            code, new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path)), credential, graphResourceId);
                            return Task.FromResult(0);

                        }

Below are the Token Details:

Nan Yu · Answer 1 · 2017-10-24T06:03:55.447

0

You can get the upn of current user by :

var upn = ClaimsPrincipal.Current.FindFirst("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn").Value;

Other way is getting user's basic information using Microsoft Graph api , please refer to On-Behalf-Of scenario .The OAuth 2.0 On-Behalf-Of flow serves the use case where an application invokes a service/web API, which in turn needs to call another service/web API. Please refer to protocol explanation and code sample .

Update :

Looking into your codes , you are using client credential flow to acquire token for your web api :

AuthenticationResult authenticationResult = authenticationContext.AcquireToken(apiResourceId, clientcred);

The OAuth 2.0 Client Credentials Grant Flow permits a web service (confidential client) to use its own credentials instead of impersonating a user, to authenticate when calling another web service. That's why you can't get upn information which associated with a user .

You can use authorization code flow with user's identity , Please refer to code sample :

string userObjectID = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value;
AuthenticationContext authContext = new AuthenticationContext(Startup.Authority, new NaiveSessionCache(userObjectID));
ClientCredential credential = new ClientCredential(clientId, appKey);
result = await authContext.AcquireTokenSilentAsync(todoListResourceId, credential, new UserIdentifier(userObjectID, UserIdentifierType.UniqueId));

edited Oct 24 '17 at 06:03

answered Oct 24 '17 at 02:29

Nan Yu

26,101
9
68
148

Thanks for the response Nan. I tried above code but no luck, no claims created for upn, giving object reference error on this line. I have "ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value" Is there any way I can get email from this value. – Saurabh Oct 24 '17 at 02:53
How do you get the access token for your web api which secured by AAD . Please refer to [code sample](https://github.com/Azure-Samples/active-directory-dotnet-webapp-webapi-openidconnect) . – Nan Yu Oct 24 '17 at 03:05
I am using same code provided by Microsoft. I have updated the question and included token code as well. Please review. – Saurabh Oct 24 '17 at 05:45
@Saurabh , NO . You are using client credential flow with app's identity , no user's information included in this scenario. You can use authorization code flow which using user's identity . Please see my edited reply . – Nan Yu Oct 24 '17 at 05:55
I tried but getting error "Failed to acquire token silently". Is there any other way to get email from objectuserid in web api. Please help. – Saurabh Oct 25 '17 at 08:54
Have you config the OpenID Connect ASP.Net OWIN middleware and ADAL .Net to acquire token when user first login ? Please refer to [codes](https://github.com/Azure-Samples/active-directory-dotnet-webapp-webapi-openidconnect/blob/master/TodoListWebApp/App_Start/Startup.Auth.cs) from [code sample](https://github.com/Azure-Samples/active-directory-dotnet-webapp-webapi-openidconnect) . – Nan Yu Oct 25 '17 at 08:57
Yes I included that code also. Please see updated question. It is working fine but only issue is passing email. – Saurabh Oct 25 '17 at 09:04
Have you get the access token for your web api with code flow ? Please decode your access token using [online](https://jwt.io/) tool to confirm user's information included in access token . – Nan Yu Oct 25 '17 at 09:10
Yes I have decoded access token and included image on the Question. Please check. – Saurabh Oct 25 '17 at 10:38

How to fetch email in web api 2 which is secured by WAAD

1 Answers1

Linked