The Azure AD B2C UserInfo Endpoint is a powerful tool that allows you to retrieve user information from Azure Active Directory (AAD) B2C. This endpoint is a key component of B2C, enabling you to authenticate and authorize users across various applications.
To find the UserInfo Endpoint, start from the OpenID configuration document at `https://login.microsoftonline.com/{tenantId}/v2.0/.well-known/openid-configuration`, where `{tenantId}` is the unique identifier of your Azure AD B2C tenant; the document's `userinfo_endpoint` field holds the URL your application actually calls.
The UserInfo Endpoint returns user data in a JSON format, which can be easily parsed and utilized by your application. This data includes essential attributes such as the user's name, email address, and profile URL.
By integrating the UserInfo Endpoint into your application, you can provide a seamless user experience and enhance the overall security of your system.
Retrieving User Details
The UserInfo endpoint is an OAuth 2.0 protected resource (in the Connect2id server, as in any OpenID provider) from which client applications can retrieve consented claims about the logged-in end-user.
To retrieve user details, clients must present a valid access token of type bearer.
The UserInfo endpoint is described in the OpenID Connect Core 1.0 specification.
You can call the UserInfo endpoint as you would call any Microsoft Graph API by using the access token your application received when it requested access to Microsoft Graph.
The UserInfo endpoint returns a JSON response containing claims about the user.
The claims in the response are the full set the UserInfo endpoint can return, and their values match those carried in the ID token.
You can't add to or customize the information returned by the UserInfo endpoint, but you can use claims mapping and optional claims to modify security token configuration to customize the information returned during authentication and authorization.
Configuration and Setup
The OpenID configuration document for the Microsoft identity platform is at https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration; its userinfo_endpoint field gives the location of the UserInfo endpoint.
Read the userinfo_endpoint field at runtime rather than hard-coding the UserInfo endpoint in your applications. This keeps the configuration dynamic and reduces the risk of calling an outdated URL.
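As an added example (not code from this page, Microsoft's docs, or Connect2id), the following Python client follows the procedure above: it resolves the UserInfo endpoint from a discovery document at runtime, presents the access token as an opaque bearer token, and checks that the sub in the UserInfo response matches the sub of the already-validated ID token, as OpenID Connect Core requires. The discovery document, the response body, the tenant id and the token are constructed placeholders, not values from a real tenant.

```python
import json
from urllib.parse import urlparse
from urllib.request import Request, urlopen

# Constructed sample discovery document and UserInfo response (not a real tenant).
SAMPLE_DISCOVERY = {
    "issuer": "https://login.example.test/00000000-0000-0000-0000-000000000000/v2.0",
    "userinfo_endpoint": "https://idp.example.test/oidc/userinfo",
}
SAMPLE_USERINFO_BODY = b'{"sub":"constructed-sub-1234","name":"Ada Example","email":"ada@example.test"}'


def fetch_discovery(well_known_url: str) -> dict:
    """Fetch the OpenID configuration document at runtime (never hard-code the endpoint)."""
    with urlopen(well_known_url, timeout=10) as resp:
        return json.load(resp)


def discover_userinfo_endpoint(discovery_doc: dict) -> str:
    """Return userinfo_endpoint from the discovery document, refusing anything not https."""
    url = discovery_doc.get("userinfo_endpoint")
    if not url:
        raise ValueError("discovery document has no userinfo_endpoint field")
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"refusing non-https userinfo_endpoint: {url}")
    return url


def build_userinfo_request(endpoint: str, access_token: str) -> Request:
    """Build the GET request. The token is opaque to us: it is only sent as a Bearer credential."""
    headers = {"Authorization": f"Bearer {access_token}", "Accept": "application/json"}
    return Request(endpoint, headers=headers, method="GET")


def parse_userinfo(body: bytes, expected_sub: str) -> dict:
    """Parse the JSON claims and enforce that sub matches the ID token's sub (OIDC Core 5.3.2)."""
    claims = json.loads(body)
    if claims.get("sub") != expected_sub:
        raise ValueError("UserInfo sub does not match the ID token sub; discard the response")
    return claims


def call_userinfo(discovery_doc: dict, access_token: str, expected_sub: str) -> dict:
    """End-to-end: discover the endpoint, send the bearer token, validate the claims."""
    req = build_userinfo_request(discover_userinfo_endpoint(discovery_doc), access_token)
    with urlopen(req, timeout=10) as resp:
        return parse_userinfo(resp.read(), expected_sub)


if __name__ == "__main__":
    # Offline demonstration on the constructed samples; no network call is made here.
    endpoint = discover_userinfo_endpoint(SAMPLE_DISCOVERY)
    print(endpoint, parse_userinfo(SAMPLE_USERINFO_BODY, "constructed-sub-1234"))
```

In a real flow, expected_sub comes from the ID token you validated earlier in the sign-in, and the discovery URL is the tenant-specific one the page gives.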
The Microsoft identity platform produces the name claims, subject claim, and email when available and consented to, based on the list of claims identified in the OIDC standard.
To configure Azure Active Directory B2C, you need to provide a Name, select an identity provider, and choose the User attributes and token claims required for your application.
Adding users to Azure Active Directory B2C is a crucial step in setting up the service.
Permissions and Notes
Permissions are a crucial aspect of working with the UserInfo API. To call it, your application must request specific OIDC permissions: the openid scope is required, and the profile and email scopes ensure that additional information is returned in the response.
The required permissions for calling the UserInfo API are:
- openid: required to call the UserInfo endpoint at all
- profile: adds the user's profile claims, such as the name claims
- email: adds the user's email claim
Microsoft Graph uses a special token issuance pattern that may impact your app's ability to read or validate the token. The token may not be a JWT, and your app should treat it as opaque.
If you signed in a Microsoft account user, the token will be in an encrypted token format. This doesn't affect your app's ability to use the access token in a request to the UserInfo endpoint.
UserInfo Endpoint Notes
The UserInfo endpoint is a crucial part of the identity platform, but there are some important notes to keep in mind.
You can't add to or customize the information returned by the UserInfo endpoint. If you need additional information, use claims mapping and optional claims to modify the security token configuration instead.
The UserInfo endpoint can be found programmatically by reading the userinfo_endpoint field of the OpenID configuration document at https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration. We don't recommend hard-coding the UserInfo endpoint in your applications, as a hard-coded URL can become outdated and cause failures.
The Microsoft identity platform produces the name claims, subject claim, and email when available and consented to, from the list of claims identified in the OIDC standard.
Sources
- https://connect2id.com/products/server/docs/api/userinfo
- https://learn.microsoft.com/en-us/entra/identity-platform/userinfo
- https://nishranasar.medium.com/openid-connect-authentication-with-azure-active-directory-and-b2c-53ad0fc241f4
- https://plugins.miniorange.com/magento-oauth-single-sign-on-sso-for-azure-b2c
- https://openid.net/developers/how-connect-works/