
Azure AD B2C Github identity provider does not provide any claims

I want to use the AAD B2C GitHub identity provider to authorize users in my app. To create a user I need to at least get an email from it, but I get nothing. I did set up everything according to the docs and I can see in the AAD B2C Users list that Name is set up correctly for a new user, but User Principal Name, where the email should be, is null.

Here is the JWT response:

{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "X5eXk4xyojNFum1kl2Ytv8dlNP4-c57dO6QGTVBwaNk"
}.{
  "exp": 1611879546,
  "nbf": 1611875946,
  "ver": "1.0",
  "iss": "https://apichat.b2clogin.com/4d39cd56-4c18-4bc7-aaa8-36bf91191c8c/v2.0/",
  "sub": "dfe38752-113e-4431-b1bd-23dd53119369",
  "aud": "341eea81-859c-485c-baea-2cc9f75f6512",
  "nonce": "defaultNonce",
  "iat": 1611875946,
  "auth_time": 1611875946,
  "idp_access_token": "c5c79a8f49c44575cf127fc3c64aaa5710a0a465",
  "idp": "github.com",
  "tfp": "B2C_1_susi_debug"
}.[Signature]

What am I missing?

Added

After some studying, I have a suspicion that the GitHub provider here either does not have the required scopes or mappings. I don't see any way to add them so far. Potentially that might be solved by a generic OpenID Connect provider, but GitHub does not support well-known/openid-connect-discovery and I have no option to manually set endpoints in AAD B2C.

So far I don't see any way to connect GitHub to my AAD B2C and get that darn email. Why the biggest cloud platform does not fully support the biggest dev repository when they have the same owner is beyond my understanding.

question from:https://stackoverflow.com/questions/65946725/azure-ad-b2c-github-identity-provider-does-not-provide-any-claims


1 Reply


Ok, the solution I found looks like this:

  1. Set Display Name and Identity Provider Access Token in Application Claims of your User Flow.
  2. On GitHub auth you will get name (aka username) and idp_access_token (aka token).
  3. That allows us to call the GitHub user API: curl -u username:token https://api.github.com/user
  4. By default the user API returns the public user profile, which might not have an email set.
  5. curl -u username:token https://api.github.com/user/emails will return all emails associated with the user.
  6. We need the primary one:
{
    "email": "***@gmail.com",
    "primary": true,
    "verified": true,
    "visibility": "public"
}
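The procedure in the answer above (take the idp_access_token claim that B2C passes through, call the GitHub REST API, and pick the primary address from /user/emails) as an added example in Python; this is not code from the original post, the B2C docs, or the GitHub API docs. It assumes the token returned in the id_token is a GitHub OAuth token accepted by GitHub's Authorization header (the answer uses curl's basic auth with the same token as the password) and that it carries whatever scope the /user/emails endpoint needs; the names github_get, select_primary_email, resolve_email and the sample email list are constructed for this example. The one thing the example adds beyond the answer is the check that the address is both primary and verified, since an unverified address is just a string the GitHub user typed and should not be used to link or create an account.

```python
import json
import urllib.request
from typing import Callable, Dict, List, Optional

GITHUB_API = "https://api.github.com"


def github_get(path: str, token: str) -> object:
    """GET a GitHub REST endpoint with the idp_access_token taken from the B2C token.

    The original answer uses 'curl -u username:token'; a bearer header carries the same
    token without needing the username. Do this from the backend only: the token grants
    access to the user's GitHub account, so it should never be handed to browser code.
    """
    req = urllib.request.Request(
        f"{GITHUB_API}{path}",
        headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
            "User-Agent": "b2c-email-lookup",  # GitHub rejects requests without a User-Agent
        },
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def extract_b2c_claims(claims: Dict[str, object]) -> str:
    """Return the GitHub access token from an already signature-validated B2C claim set.

    Refuses tokens issued through a different idp so a token from another provider is
    never sent to GitHub by mistake.
    """
    if claims.get("idp") != "github.com":
        raise ValueError("token was not issued via the GitHub identity provider")
    token = claims.get("idp_access_token")
    if not isinstance(token, str) or not token:
        raise ValueError("idp_access_token claim missing; enable it in the user flow's Application Claims")
    return token


def select_primary_email(emails: List[Dict[str, object]]) -> Optional[str]:
    """Pick the address to use as the account identifier.

    Only an entry that is both primary and verified is acceptable: GitHub sets
    'verified' only after the user proved control of the mailbox.
    """
    for entry in emails:
        if entry.get("primary") and entry.get("verified"):
            email = entry.get("email")
            if isinstance(email, str):
                return email
    return None


def resolve_email(claims: Dict[str, object],
                  fetch: Callable[[str, str], object] = github_get) -> Optional[str]:
    """Steps 3 to 6 of the answer: /user may have no public email, so read /user/emails."""
    token = extract_b2c_claims(claims)
    emails = fetch("/user/emails", token)
    if not isinstance(emails, list):
        return None
    return select_primary_email(emails)


# Constructed sample data so the example runs offline; the real endpoint returns the
# same shape as the JSON object shown in the answer.
SAMPLE_CLAIMS = {"idp": "github.com", "idp_access_token": "constructed-token-value"}
SAMPLE_EMAILS = [
    {"email": "old@example.com", "primary": False, "verified": True, "visibility": None},
    {"email": "typo@example.com", "primary": True, "verified": False, "visibility": None},
]
SAMPLE_EMAILS_OK = [
    {"email": "old@example.com", "primary": False, "verified": True, "visibility": None},
    {"email": "dev@example.com", "primary": True, "verified": True, "visibility": "public"},
]


def fake_fetch_ok(path: str, token: str) -> object:
    """Stand-in for github_get used for the offline demonstration."""
    return SAMPLE_EMAILS_OK if path == "/user/emails" else {"login": "dev"}


if __name__ == "__main__":
    print(resolve_email(SAMPLE_CLAIMS, fetch=fake_fetch_ok))  # dev@example.com
    print(select_primary_email(SAMPLE_EMAILS))  # None: primary address is unverified
```

In production the claims dict must come from an id_token whose signature and issuer have already been validated against the B2C metadata; the example deliberately takes the decoded claims as input rather than parsing the JWT itself.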
