goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

Use id_token for Azure AD Source #9871

Open silenium-dev opened 1 month ago

silenium-dev commented 1 month ago

Is your feature request related to a problem? Please describe. The Azure AD source type currently requires the Microsoft Graph API scope User.Read to read the userinfo endpoint. This forbids any other non-Graph API scopes to be added, which we need (in our case: XboxLive.signin). Microsoft itself recommends using id_tokens for OIDC as long as one doesn't need to retrieve extended user-info from the Graph API: https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc#enable-id-tokens

Describe the solution you'd like Azure AD supports id_tokens which contain all claims required for creating a user in Authentik (preferred_username, email and name): https://learn.microsoft.com/en-us/entra/identity-platform/id-token-claims-reference

Describe alternatives you've considered No alternatives, as there's no other way to get an access token with different scopes without another user prompt.

Additional context I've already implemented a rough PoC on my own that still contains some debug logging: https://github.com/silenium-dev/authentik It works, but I still have to implement tests and properly clean the code. I'll create a draft pull request for this.
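As an added illustration (not code from the issue author's PoC or from authentik itself): mapping the three id_token claims named above onto user fields, with the issuer, audience, validity-window and alg checks a source must still enforce before trusting them. The issuer and client_id values are constructed placeholders, and the function assumes the OAuth client library has already verified the RS256 signature against the tenant's JWKS.

```python
import base64
import json
import time

# Constructed placeholders, not a real tenant or application id.
TENANT_ISSUER = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"


def _b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url JWT segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def user_from_id_token(id_token: str, issuer: str, audience: str, now=None) -> dict:
    """Return the user fields an enrollment needs from an Azure AD id_token.

    Assumes the signature was already verified by the OAuth client; the claim
    checks below must still pass before any claim is used to create a user.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a compact JWS (header.payload.signature)")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "RS256":  # Azure AD signs id_tokens with RS256; reject 'none' etc.
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    claims = json.loads(_b64url_decode(parts[1]))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch: token was not issued by the configured tenant")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch: token was issued for a different client_id")
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise ValueError("token not yet valid or expired")
    for required in ("sub", "preferred_username", "email", "name"):
        if not claims.get(required):
            raise ValueError(f"missing claim {required}")
    return {"sub": claims["sub"], "username": claims["preferred_username"],
            "email": claims["email"], "name": claims["name"]}


def make_sample_token(claims: dict) -> str:
    """Build a constructed sample token (header.payload.placeholder-signature) for offline tests."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.sig"
```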

rissson commented 1 month ago

We'll probably still call the userinfo endpoint in the end, so that we're able to provide that information for source property mappings (#8771)

silenium-dev commented 1 month ago

> We'll probably still call the userinfo endpoint in the end, so that we're able to provide that information for source property mappings (#8771)

So this can't be implemented?

rissson commented 1 month ago

> So this can't be implemented?

It would depend on how much data is actually included in the id_token given by azure. From a very quick look at the documentation, it seems like the id_token wouldn't contain all the data that one could retrieve from the userinfo endpoint, but feel free to correct me if I'm wrong

silenium-dev commented 1 month ago

The only field missing is the profile picture, even though the docs say that the fields of the id_token should be a superset of the ones from the userinfo endpoint: https://learn.microsoft.com/en-us/entra/identity-platform/userinfo#consider-using-an-id-token-instead

rissson commented 1 month ago

You're right, I missed that bit. That would be a welcome improvement indeed, then.

bboehmke commented 3 weeks ago

I have a similar issue with Azure AD and missing information in the userinfo endpoint.

I am not completely sure what the expected implementation would be, but for me it would be great to simply have the (decoded) id_token available in an Expression Policy used in an Enrolment Stage. This way it should be very simple to map the needed information to the user accounts.