Ogglas

Reputation: 70314

Azure AD B2C - Get thumbnail image for logged in user via REST API

I'm trying to get thumbnail image/profile picture for my logged in Azure AD B2C user.

I have been reading up but so far nothing has helped.

This is for an Azure Active Directory Graph Client, but I would like to get it via REST for the currently logged-in user. I would not like to require an administrator account to get it.

https://social.msdn.microsoft.com/Forums/en-US/305156f6-d6e9-4134-87b6-043c9c64ac8c/getting-a-profile-picture-under-azure-ad-b2c?forum=WindowsAzureAD

https://stackoverflow.com/a/41056923/3850405

What looked really promising was this endpoint, but given that it is graph.windows.net I'm not sure it will work, since my permissions later are set for graph.microsoft.com.

https://graph.windows.net/[tenant]/users/[objectid]/thumbnailPhoto?api-version=1.6

https://stackoverflow.com/a/55943064/3850405

Preferably I would like to call an endpoint like this to get the currently logged-in user's picture, but the above endpoint is of course OK.

https://graph.microsoft.com/v1.0/me/photo/$value

https://learn.microsoft.com/en-us/graph/api/profilephoto-get?view=graph-rest-1.0#request However to call this

Both of these methods require a valid bearer token.

What I have done so far is accessing my Azure AD B2C and then App registrations. Select my application and then API permissions. Select Add a permission.

Click on Microsoft Graph and then add profile as in the picture below:

[screenshot: Microsoft Graph API permissions with profile added]

If I follow the guide for Get access on behalf of a user within the Microsoft Graph documentation, this will lead to Microsoft's login page like this:

[screenshot: Microsoft login page]

https://learn.microsoft.com/en-us/graph/auth-v2-user

If I do log in I will get an error as expected:

[screenshot: sign-in error page]

Sign in Sorry, but we’re having trouble signing you in.

AADSTS50020: User account 'oscar.andersson@' from identity provider '' does not exist in tenant '' and cannot access the application ''() in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

When I log in to my application normally I get a screen that looks like this. Works perfectly and connects to an instance with a domain name like: https://<myadb2c>.b2clogin.com/tfp/.

[screenshot: B2C sign-in page at b2clogin.com]

Source:

https://stackoverflow.com/a/61105325/3850405

If I do log in with my administrator account for Get access on behalf of a user, I do get a code returned without a consent experience.

https://learn.microsoft.com/en-us/graph/auth-v2-user?context=graph/api/1.0#consent-experience

However when I make the POST request to get a token I get the following response:

https://learn.microsoft.com/en-us/graph/auth-v2-user?context=graph/api/1.0#token-request

{
    "error": "invalid_grant",
    "error_description": "AADSTS65001: The user or administrator has not consented to use the application with ID '' named ''. Send an interactive authorization request for this user and resource.\r\nTrace ID: \r\nCorrelation ID: \r\nTimestamp: 2020-08-21 12:23:13Z",
    "error_codes": [
        65001
    ],
    "timestamp": "2020-08-21 12:23:13Z",
    "trace_id": "",
    "correlation_id": "",
    "suberror": "consent_required"
}

According to the documentation:

The Microsoft identity platform v2.0 endpoint will also ensure that the user has consented to the permissions indicated in the scope query parameter. If the user has not consented to any of those permissions and if an administrator has not previously consented on behalf of all users in the organization, they will be asked to consent to the required permissions.

Admin consent has been given for the permissions:

[screenshot: admin consent granted for the permissions]

If I change the working login to use scope https://graph.microsoft.com/profile instead of https://<tenant-name>.onmicrosoft.com/<client-id>/read I will get a code but not a token. Error:

{
    "error": "invalid_grant",
    "error_description": "AADB2C90205: This application does not have sufficient permissions against this web resource to perform the operation.\r\nCorrelation ID: \r\nTimestamp: 2020-08-21 13:36:44Z\r\n"
}

If I try to call https://graph.microsoft.com/profile with the token from scope https://<tenant-name>.onmicrosoft.com/<client-id>/read I will get the error:

{
  "error": {
    "code": "InvalidAuthenticationToken",
    "message": "Access token validation failure.",
    "innerError": {
      "date": "2020-08-21T14:02:14",
      "request-id": ""
    }
  }
}

I really did not expect it to be this hard to get the profile picture out. Getting the given name and surname is no problem since this information is returned from the Sign up and sign in (Standard) User flow as claims.

[screenshot: user flow claims including given name and surname]

I have read how I could Manage Azure AD B2C with Microsoft Graph, but this is not what I want. I don't want to create a new App registration simply because I want to fetch an already logged-in user's thumbnail.

https://learn.microsoft.com/en-us/azure/active-directory-b2c/microsoft-graph-get-started?tabs=app-reg-ga

Upvotes: 0

Views: 1481

Answers (1)

AlfredoRevilla-MSFT

Reputation: 3525

The photo endpoint is not supported in Azure B2C. You might create a custom API to store and retrieve them using jQuery, UI customization and/or Custom Policies and REST technical profile.

Upvotes: 1
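The following is an added example written for this page, not code from the question, the answer, or Microsoft. It sketches the token-validation half of the custom photo API the answer suggests, and at the same time shows why the token from the question's https://<tenant-name>.onmicrosoft.com/<client-id>/read scope is rejected by Microsoft Graph: a resource server checks the issuer and audience of the bearer token, and a token issued by <tenant>.b2clogin.com for the app's own client id fails both checks when the expected values are Graph's. The issuer and audience strings, the oid used as the storage key, the in-memory photo store, the "read" scope name and the locally generated RSA key (standing in for the key published in the tenant's JWKS metadata) are all assumptions for the sake of running offline; MintToken exists only so the example can produce a token without a tenant.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

type Claims struct { // the B2C access-token claims the custom photo API needs
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
	Oid string `json:"oid"`
	Scp string `json:"scp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// MintToken builds an RS256 JWT. It stands in for the B2C token endpoint so the
// example runs offline; a real API never holds the tenant's signing key.
func MintToken(key *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := b64(hdr) + "." + b64(body)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// ValidateToken is the check the custom API runs on every request: verify the RS256
// signature (in production with the key from the tenant's JWKS endpoint, matched by kid),
// then require the expected issuer and audience and an unexpired token.
func ValidateToken(token string, pub *rsa.PublicKey, wantIss, wantAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hb, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	pb, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, err3 := base64.RawURLEncoding.DecodeString(parts[2])
	var hdr struct{ Alg string }
	var c Claims
	if err1 != nil || err2 != nil || err3 != nil || json.Unmarshal(hb, &hdr) != nil || json.Unmarshal(pb, &c) != nil {
		return nil, errors.New("malformed token")
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	switch {
	case hdr.Alg != "RS256": // never accept alg=none or a downgraded algorithm
		return nil, errors.New("unsupported algorithm")
	case rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil:
		return nil, errors.New("bad signature")
	case c.Iss != wantIss:
		return nil, fmt.Errorf("issuer %q is not %q", c.Iss, wantIss)
	case c.Aud != wantAud:
		return nil, fmt.Errorf("audience %q is not %q", c.Aud, wantAud)
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, errors.New("token expired")
	}
	return &c, nil
}

var photos = map[string][]byte{ // constructed in-memory store keyed by the user's B2C object id
	"11111111-2222-3333-4444-555555555555": []byte("constructed-png-bytes"),
}

// GetMyPhoto is the custom API's equivalent of GET /me/photo/$value: the caller
// only ever receives the photo of the oid carried in their own validated token.
func GetMyPhoto(token string, pub *rsa.PublicKey, wantIss, wantAud string, now time.Time) ([]byte, error) {
	c, err := ValidateToken(token, pub, wantIss, wantAud, now)
	if err != nil {
		return nil, err
	}
	if !strings.Contains(" "+c.Scp+" ", " read ") { // the API's own "read" scope, as in the question
		return nil, errors.New("scope 'read' missing")
	}
	if p, ok := photos[c.Oid]; ok {
		return p, nil
	}
	return nil, errors.New("no photo stored for this user")
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the tenant's signing key
	iss, aud := "https://contoso.b2clogin.com/tenant-id/v2.0/", "client-id" // assumed values
	now := time.Now()
	tok, _ := MintToken(key, Claims{Iss: iss, Aud: aud, Exp: now.Add(time.Hour).Unix(), Oid: "11111111-2222-3333-4444-555555555555", Scp: "read"})
	p, err := GetMyPhoto(tok, &key.PublicKey, iss, aud, now)
	fmt.Println("custom API:", len(p), "bytes, err =", err)
	_, err = ValidateToken(tok, &key.PublicKey, "https://login.microsoftonline.com/tenant-id/v2.0", "https://graph.microsoft.com", now)
	fmt.Println("same token presented with Graph's expected issuer/audience:", err)
}
```

The second ValidateToken call in main models the question's "Access token validation failure": the token is perfectly valid for the B2C-protected API it was issued for, and useless against any other resource, which is also why B2C itself refuses to issue a token for a graph.microsoft.com scope (AADB2C90205). A production version of this API replaces the local key with the keys from the tenant's OpenID Connect metadata (selected by the token's kid header), keeps the alg allow-list, and stores or proxies the images from its own storage, since B2C does not expose a photo endpoint.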
