Reputation: 70314
I'm trying to get thumbnail image/profile picture for my logged in Azure AD B2C user.
I have been reading up but so far nothing has helped.
This is for a Azure Active Directory Graph Client but I would like to get it via Rest for the currently logged in user. I would not like to require an administrator account to get it.
https://stackoverflow.com/a/41056923/3850405
What looked really promising was this endpoint, but given that it is graph.windows.net, I'm not sure it will work, given that my permissions later are set for graph.microsoft.com.
https://graph.windows.net/[tenant]/users/[objectid]/thumbnailPhoto?api-version=1.6
https://stackoverflow.com/a/55943064/3850405
Preferably I would like to call an endpoint like this to get the currently logged in users picture but the above endpoint is of course OK.
https://graph.microsoft.com/v1.0/me/photo/$value
https://learn.microsoft.com/en-us/graph/api/profilephoto-get?view=graph-rest-1.0#request
However, to call this, both of these methods require a valid bearer token.
What I have done so far is access my Azure AD B2C and then App registrations. Select my application and then API permissions. Select Add a permission.
Click on Microsoft Graph and then add profile, as in the picture below:
If I follow the guide for Get access on behalf of a user within the Microsoft Graph documentation, this will lead to Microsoft's login page like this:
https://learn.microsoft.com/en-us/graph/auth-v2-user
If I do login I will get an error as expected:
Sign in Sorry, but we’re having trouble signing you in.
AADSTS50020: User account 'oscar.andersson@' from identity provider '' does not exist in tenant '' and cannot access the application ''() in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
When I log in to my application normally I get a screen that looks like this. It works perfectly and connects to an instance with a domain name like: https://<myadb2c>.b2clogin.com/tfp/
Source:
https://stackoverflow.com/a/61105325/3850405
If I do log in with my administrator account for Get access on behalf of a user, I do get a code returned without a consent experience.
https://learn.microsoft.com/en-us/graph/auth-v2-user?context=graph/api/1.0#consent-experience
However when I make the POST request to get a token I get the following response:
https://learn.microsoft.com/en-us/graph/auth-v2-user?context=graph/api/1.0#token-request
{
  "error": "invalid_grant",
  "error_description": "AADSTS65001: The user or administrator has not consented to use the application with ID '' named ''. Send an interactive authorization request for this user and resource.\r\nTrace ID: \r\nCorrelation ID: \r\nTimestamp: 2020-08-21 12:23:13Z",
  "error_codes": [
    65001
  ],
  "timestamp": "2020-08-21 12:23:13Z",
  "trace_id": "",
  "correlation_id": "",
  "suberror": "consent_required"
}
According to the documentation:
The Microsoft identity platform v2.0 endpoint will also ensure that the user has consented to the permissions indicated in the scope query parameter. If the user has not consented to any of those permissions and if an administrator has not previously consented on behalf of all users in the organization, they will be asked to consent to the required permissions.
Admin consent has been given for the permissions:
If I change the working login to use scope https://graph.microsoft.com/profile instead of https://<tenant-name>.onmicrosoft.com/<client-id>/read, I will get a code but not a token. Error:
{"error":"invalid_grant","error_description":"AADB2C90205: This application does not have sufficient permissions against this web resource to perform the operation.\r\nCorrelation ID: \r\nTimestamp: 2020-08-21 13:36:44Z\r\n"}
If I try to call https://graph.microsoft.com/profile with the token from scope https://<tenant-name>.onmicrosoft.com/<client-id>/read, I will get the error:
{
  "error": {
    "code": "InvalidAuthenticationToken",
    "message": "Access token validation failure.",
    "innerError": {
      "date": "2020-08-21T14:02:14",
      "request-id": ""
    }
  }
}
I really did not expect it to be this hard to get the profile picture out. Getting the given name and surname is no problem, since this information is returned from the Sign up and sign in (Standard) User flow as claims.
I have read how I could Manage Azure AD B2C with Microsoft Graph, but this is not what I want. I don't want to create a new App registration simply because I want to fetch an already logged in user's thumbnail.
Upvotes: 0
Views: 1481
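The InvalidAuthenticationToken error in the question is the typical result of presenting a token issued for one resource (the B2C API, scope `https://<tenant-name>.onmicrosoft.com/<client-id>/read`) to a different resource (Microsoft Graph): the `aud` claim does not match, and the delegated scopes in `scp` are not the ones the target expects. The script below is an added diagnostic example, not code from the question, the answer or Microsoft. It decodes the JWT payload without verifying the signature, purely to inspect the claims while debugging, and reports why a resource would reject it. The two tokens it inspects are constructed, unsigned samples; the audience string `https://graph.microsoft.com` and the scope names are assumptions used for illustration.

```python
import base64
import json
import time


def _b64url(data: bytes) -> str:
    """Base64url-encode without padding, as used in compact JWTs."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_sample_jwt(claims: dict) -> str:
    """Build a constructed, UNSIGNED sample token (alg=none) for offline inspection.
    Real tokens from Azure AD B2C or Microsoft Graph are RS256-signed; this helper
    exists only so the example runs without contacting any identity provider."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT signature verification.
    This is a debugging aid for reading aud/scp; a resource server must always
    validate the signature, issuer and audience before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(token: str, expected_aud: str, required_scopes: set) -> list:
    """Return human-readable reasons why `expected_aud` would reject `token`.
    An empty list means audience, delegated scopes and expiry all look consistent."""
    claims = decode_claims(token)
    problems = []

    aud = claims.get("aud")
    if aud != expected_aud:
        problems.append(
            f"audience mismatch: token aud={aud!r}, resource expects {expected_aud!r}"
        )

    # Delegated permissions appear as a space-separated list in the scp claim.
    granted = set(claims.get("scp", "").split())
    missing = required_scopes - granted
    if missing:
        problems.append(f"missing delegated scopes: {sorted(missing)}")

    exp = claims.get("exp")
    if exp is not None and exp < time.time():
        problems.append("token expired")

    return problems


# Constructed sample tokens (assumed claim values, far-future expiry).
B2C_API_TOKEN = make_unsigned_sample_jwt(
    {"aud": "<client-id>", "scp": "read", "exp": 4102444800}
)
GRAPH_TOKEN = make_unsigned_sample_jwt(
    {"aud": "https://graph.microsoft.com", "scp": "profile", "exp": 4102444800}
)

if __name__ == "__main__":
    for name, tok in (("B2C API token", B2C_API_TOKEN), ("Graph token", GRAPH_TOKEN)):
        print(name, "->", diagnose(tok, "https://graph.microsoft.com", {"profile"}) or "OK")
```

Run it against the real access token you received (for example, paste it in place of `B2C_API_TOKEN`) and the first line printed will usually be the audience mismatch, which is the reason Graph answers "Access token validation failure" rather than anything about consent. It does not make the Graph photo endpoint work for B2C users; it only tells you which token you actually hold.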
Reputation: 3525
The photo endpoint is not supported in Azure B2C. You might create a custom API to store and retrieve them using jQuery, UI customization and/or Custom Policies and REST technical profile.
Upvotes: 1