MSAL and Azure AD: What scopes should I pass when I just want to get the user ID?

oauth-2.0 azure-active-directory bearer-token msal

12,603

Regarding your First Query - Where can I find more information about these endpoints and on what's the purpose of each...

Answer - https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration

The {tenant} can take one of four values:

common - Users with both a personal Microsoft account and a work or school account from Azure Active Directory (Azure AD) can sign in to the application.
organizations - Only users with work or school accounts from Azure AD can sign in to the application.
consumers - Only users with a personal Microsoft account can sign in to the application.
8eaef023-2b34-4da1-9baa-8bc8c9d6a490 or contoso.onmicrosoft.com - Only users with a work or school account from a specific Azure AD tenant can sign in to the application. Either the friendly domain name of the Azure AD tenant or the tenant's GUID identifier can be used.

Regarding your Second Query on Scope -

Answer - Refer to this document - OpenID Connect scopes

Regarding your Third Query on Claim -

Answer - Refer to this GIT Hub sample - active-directory-dotnet-webapp-roleclaims

12,603

Author by

Luis Abreu

Updated on June 09, 2022

Comments

Luis Abreu almost 2 years
I'm using MSAL to get an ID Token which is then used to access an Web API app. I've got a couple of questions and I was wondering if someone could help me understand what's going on.

Let me start with the authentication process in the client side. In this case, I'm building a Windows Forms app that is using the following code in order to authenticate the current user (ie, in order to get an ID Token which will be used to validate the user when he tries to access a Web API app):
```
//constructor code
_clientApp = new PublicClientApplication(ClientId, 
                  Authority, //which url here?
                  TokenCacheHelper.GetUserCache());
_scopes = new []{ "user.read" }; //what to put here?

 //inside a helper method
 try {
      return await _clientApp.AcquireTokenSilentAsync(_scopes, _clientApp.Users.FirstOrDefault());
 }
 catch (MsalUiRequiredException ex) {
  try {
            return await _clientApp.AcquireTokenAsync(_scopes);
        }
        catch (MsalException ex) {
            return null;
        }
 }
```
The first thing I'd like to clear is the value that should be used for the authority parameter. In this case, I'm using an URL on the form:
```
https://login.microsoftonline.com/{Tenant}/oauth2/v2.0/token
```
However, I'm under the impression that I could also get away with something like this:

https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration

It seems like one endpoint is specific to my Azure AD while the other looks like a general (catch all) URL...Where can I find more information about these endpoints and on what's the purpose of each...

Another thing that I couldn't quite grasp is the scope. I'm not interested in querying MS Graph (or any other Azure related service for that matter). In previous versions of the MSAL library, it was possible to reference one of the default scopes. However, it seems like that is no longer possible (at least, I tried and got an exception saying that I shouldn't pass the default scopes...).

Passing an empty collection (ex.: new List<string>()) or null will also result in an error. So, in this case, I've ended passing the user.read scope (which, if I'm not mistaken, is used by MS Graph API. This is clearly not necessary, but was the only way I've managed to get the authentication process working. Any clues on how to perform the call when you just need to get an ID Token? Should I be calling a different method?

Moving to the server side, I've got a Web API app whose access is limited to calls that pass an ID token in the authentication header (bearer). According to this sample, I should use something like this:
```
private void ConfigureAuth(IAppBuilder app) {
   var authority = "https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration";
   app.UseOAuthBearerAuthentication(
       new OAuthBearerAuthenticationOptions {
          AccessTokenFormat = new JwtFormat(GetTokenValidationParameters(),
                    new OpenIdConnectCachingSecurityTokenProvider(authority)),
                                            Provider = new OAuthBearerAuthenticationProvider {
                                                     OnValidateIdentity = ValidateIdentity
                                            }
                                           });
 }
```
Now, this does work and it will return 401 for all requests which don't have a valid ID Token. There is one question though: is there a way to specify the claim from the Ticket's Identity that should be used for identifying the username (User.Identity.Name of the controller)? In this case, I've ended handling the OnValidateIdentity in order to do that with code that looks like this:
```
private Task ValidateIdentity(OAuthValidateIdentityContext arg) {
    //username not getting correctly filled
    //so, i'm handling this event in order to set it up 
    //from the preferred_username claim
    if (!arg.HasError && arg.IsValidated) {
        var identity = arg.Ticket.Identity;
        var username = identity.Claims.FirstOrDefault(c => c.Type == "preferred_username")?.Value ?? "";
        if (!string.IsNullOrEmpty(username)) {
            identity.AddClaim(new Claim(ClaimTypes.Name, username));
        }
    }
    return Task.CompletedTask;
}
```
As you can see, I'm searching for the preferred_username claim from the ID Token (which was obtained by the client) and using its value to setup the Name claim. Is there any option that would let me do this automatically? Am I missing something in the configuration of the OAuthBearerAuthenticationMiddleware?