I'm trying to authenticate users to my site with their Office 365 accounts, so I have been following the guidance on using the OWIN OpenID Connect middleware to add authentication and successfully managed to authenticate and retrieve their profile.
I am now trying to get the email address of the user (so I can populate their system account with their contact details), but I can't seem to get an email claim back. I have tried making a request using the scope `openid profile email`, but the claim-set does not contain any mail information.
Is there a way to get the email of a user from Azure AD via the OpenID Connect endpoint?
I struggled with the same problem for a few days before arriving at a solution. In answer to your question: yes, you should be able to get the e-mail address back in your claims as long as you:

- include the `profile` or `email` scope in your request, and

Note that the e-mail address may not be returned in an `email` claim: in my case (once I got it working) it's coming back in a `name` claim.

However, not getting the e-mail address back at all could be caused by one of the following issues:
No e-mail address associated with the Azure AD account

As per this guide to Scopes, permissions, and consent in the Azure Active Directory v2.0 endpoint, even if you include the `email` scope you may not get an e-mail address back:

If you're getting other profile-related claims back (like `given_name` and `family_name`), this might be the problem.

Claims discarded by middleware
This was the cause for me. I wasn't getting any profile-related claims back (first name, last name, username, e-mail, etc.).
In my case, the identity-handling stack looks like this:
The problem was in the IdentityServer3.AspNetIdentity `AspNetIdentityUserService` class: the `InstantiateNewUserFromExternalProviderAsync()` method looks like this:

Note it passes in a claims collection then ignores it. My solution was to create a class derived from this and override the method to something like this:
I don't know exactly what middleware components you're using, but it's easy to see the raw claims returned from your external provider; that'll at least tell you they're coming back OK and that the problem is somewhere in your middleware. Just add a `Notifications` property to your `OpenIdConnectAuthenticationOptions` object, like this:

See also
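The `Notifications` diagnostic the answer describes, written out as an added example (not code from the question, the answer, or the OWIN project): it dumps the raw claim set after the id_token has been validated and normalises the e-mail into one `ClaimTypes.Email` claim, falling back to the `name` claim as the answer observed. It assumes Microsoft.Owin.Security.OpenIdConnect 3.x; the client id, tenant and redirect URI are placeholders.

```csharp
using System;
using System.Diagnostics;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

// Added example, not the original poster's code. Placeholder values are marked.
public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = "<your-app-client-id>",                       // placeholder
            Authority = "https://login.microsoftonline.com/<tenant>", // placeholder
            RedirectUri = "https://localhost:44300/",                 // placeholder
            Scope = "openid profile email",
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                // Runs only after signature, issuer, audience and lifetime checks
                // have passed, so the claims seen here came from a valid token.
                SecurityTokenValidated = notification =>
                {
                    var identity = notification.AuthenticationTicket.Identity;

                    // Show exactly what the provider sent, before any downstream
                    // middleware (e.g. a user service) gets a chance to drop claims.
                    foreach (var claim in identity.Claims)
                        Debug.WriteLine("{0} = {1}", claim.Type, claim.Value);

                    // The JWT handler's inbound claim-type map may already have
                    // renamed "email"/"name" to the long ClaimTypes URIs, so look
                    // for both forms. Fall back to `name` only if it looks like an
                    // address, since Azure AD sometimes puts the UPN there.
                    var emailClaim = identity.FindFirst("email")
                                  ?? identity.FindFirst(ClaimTypes.Email);
                    var nameClaim  = identity.FindFirst("name")
                                  ?? identity.FindFirst(ClaimTypes.Name);
                    var email = emailClaim != null ? emailClaim.Value
                              : (nameClaim != null && nameClaim.Value.Contains("@")
                                    ? nameClaim.Value : null);

                    if (email != null && identity.FindFirst(ClaimTypes.Email) == null)
                        identity.AddClaim(new Claim(ClaimTypes.Email, email));

                    return Task.FromResult(0);
                }
            }
        });
    }
}
```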