
I'm confused how I can get access tokens and user info details when using azure ad scopes with oidc-client.js.

I have the following scope against my app in the portal...

[screenshot of the exposed API scope on the app registration in the Azure portal; image not reproduced]

I then have my user manager settings set up as follows....

import { UserManagerSettings } from "oidc-client";

// tenantId and clientId come from the app registration in the Azure portal (values omitted here)
declare const tenantId: string;
declare const clientId: string;

const settings: UserManagerSettings = {
    authority: `https://login.microsoftonline.com/${tenantId}`,
    client_id: clientId,
    redirect_uri: "http://localhost:3000/authcallback",
    post_logout_redirect_uri: "http://localhost:3000/authcallback",
    response_type: "token id_token",
    // the custom scope exposed by my API plus openid
    scope: `api://${clientId}/access_user_data openid`,
    popup_redirect_uri: "http://localhost:3000/authcallback",
    silent_redirect_uri: "http://localhost:3000/authcallback",
    automaticSilentRenew: true,
    // makes getUser() call the userinfo_endpoint below with the access token
    loadUserInfo: true,
    metadata: {
        userinfo_endpoint: "https://graph.microsoft.com/oidc/userinfo",
        authorization_endpoint: `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/authorize`,
        issuer: `https://login.microsoftonline.com/${tenantId}/v2.0`,
        jwks_uri: `https://login.microsoftonline.com/${tenantId}/discovery/v2.0/keys`
    }
};

When I log in with signinRedirect, I get an access_token returned to my callback; however, the call to https://graph.microsoft.com/oidc/userinfo fails with unauthorized when doing getUser().

oidc-client.min.js:1 GET https://graph.microsoft.com/oidc/userinfo 401 (Unauthorized)

The access token does appear to work with my api that requires the api://${clientId}/access_user_data scope.

The discovery document here lists the following available scopes

"scopes_supported": [
    "openid",
    "profile",
    "email",
    "offline_access"
]

Which I thought would have worked, as I am also including the openid scope. Note that if I only have the openid scope, like so: scope: "openid", getUser() works; however, it doesn't have the scope I need for calling my api.

What am I doing wrong here?

Thanks,

Konzy262

1 Answer


Had the same issue. After some research, I tried setting loadUserInfo to false, and that resolved my problem. Can you please try the same?

  • Thanks. It works in the sense that `getUser()` no longer fails, and then I can go on to call my api. It's missing various claims though, such as `email`, `family_name`, `given_name` etc. that I get when I define the scope as just `openid` in `UserManagerSettings`. I hoped I could get everything in one token, but I guess not. – Konzy262 Sep 09 '20 at 15:20
  • Yes, you can get the remaining things by passing "profile", "email" in the scope – Prafful Namburi Sep 09 '20 at 17:26
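The 401 in the question is an audience mismatch: Azure AD v2.0 mints one access token per resource, so a token issued for api://{clientId} is not accepted by the Graph userinfo endpoint. The following is an added example (not code from the question, the answer or oidc-client.js) that inspects a token's aud and scp claims before it is sent anywhere; CLIENT_ID, TENANT_ID and the two sample tokens are constructed placeholders, and the helper does not validate signatures, so it is only a pre-flight check, not token acceptance logic.

```javascript
// Added example, not from the question, the answer or oidc-client.js.
// Decodes a JWT payload (NO signature validation) and checks whether the
// token was minted for the resource we intend to call. A token for
// api://<clientId> fails this check for graph.microsoft.com, which is the
// 401 seen in the question.

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const pad = "=".repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(b64 + pad, "base64").toString("utf8");
}

function base64UrlEncode(s) {
  return Buffer.from(s, "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Decode the payload segment of a compact JWS without verifying it.
function decodeClaims(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return JSON.parse(base64UrlDecode(parts[1]));
}

// True only when `aud` matches expectedAud and, if requiredScope is given,
// the space-separated `scp` claim used in Azure AD tokens contains it.
function tokenFitsResource(jwt, expectedAud, requiredScope) {
  const claims = decodeClaims(jwt);
  const auds = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!auds.includes(expectedAud)) return false;
  if (!requiredScope) return true;
  return (claims.scp || "").split(" ").includes(requiredScope);
}

// Constructed, unsigned sample tokens (alg "none", dummy signature segment).
// CLIENT_ID and TENANT_ID are placeholders, not real values.
function constructedJwt(claims) {
  const header = base64UrlEncode(JSON.stringify({ alg: "none", typ: "JWT" }));
  return `${header}.${base64UrlEncode(JSON.stringify(claims))}.sig`;
}
const CLIENT_ID = "00000000-0000-0000-0000-000000000000";
const ISSUER = "https://login.microsoftonline.com/TENANT_ID/v2.0";
const apiToken = constructedJwt({ iss: ISSUER, aud: `api://${CLIENT_ID}`, scp: "access_user_data" });
const graphToken = constructedJwt({ iss: ISSUER, aud: "https://graph.microsoft.com", scp: "openid profile email" });

console.log(tokenFitsResource(apiToken, `api://${CLIENT_ID}`, "access_user_data")); // true
console.log(tokenFitsResource(apiToken, "https://graph.microsoft.com"));            // false
```

Running this in Node prints true for the API and false for Graph, which is why getUser() with loadUserInfo: true cannot reuse the API token against the userinfo endpoint; the id_token (with openid profile email requested) is where those claims have to come from.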