# talk-kratos
t
Hey everyone! I have read the docs and tried to look into the code through and through, but couldn't find the solution to my issue. So I am deploying Kratos to authenticate users with corporate Microsoft accounts. Everything works well, but I can't seem to juice out more info from it. All I am getting is basic info for an account, the bare minimum to identify, like email, name and whatever is under the `profile` scope. I figured I can use Graph's `/me` endpoint to get the info I need (right now I care to get the `department` property of the account). Using Graph Explorer it is possible, and the same goes for calling the endpoint directly with the Access Token. My question is, is it possible to either: 1. Get that info via the Kratos API, CLI, anything, 2. Get the Access Token itself that was returned during sign in? Or maybe there's another way to go about it? The `department` field will determine role access to a degree, and I don't want to duplicate the data in a separate database if it's already there. Thanks!
a
There are two parts to your question. Firstly, Kratos can only retrieve information that your Azure B2C application has scope for (search the Microsoft docs, see which scope is required for getting department). Additionally, you are able to write Jsonnet to translate anything Kratos received from the Microsoft Graph API into the objects that your application expects to get as JSON (the Ory docs have a couple of examples for this).
t
So here is what I am getting:

```json
{
  "identity": {
    "traits": {
      "data": {
        "email": "...",
        "iss": "...",
        "name": "Mustafa Ucuncu",
        "preferred_username": "...",
        "raw_claims": {
          "aud": "...",
          "email": "...",
          "exp": 123,
          "iat": 123,
          "iss": "...",
          "name": "Mustafa Ucuncu",
          "nbf": 123,
          "oid": "...",
          "preferred_username": "...",
          "rh": "...",
          "sub": "...",
          "tid": "...",
          "uti": "...",
          "ver": "2.0"
        },
        "sub": "..."
      },
      "email": "...",
      "name": "Mustafa Ucuncu"
    }
  }
}
```

I extracted everything in `claims` into the `data` field. Here is my Microsoft OIDC config:
```yaml
methods:
  oidc:
    config:
      providers:
        - id: microsoft
          provider: microsoft
          client_id: ...
          client_secret: ...
          microsoft_tenant: organizations
          mapper_url: file:///etc/kratos/config/oidc.microsoft.jsonnet
          scope:
            - profile
            - email
            - https://graph.microsoft.com/User.Read
          subject_source: me
    enabled: true
```
Now it seems that the response I am getting is the default one, having only the `UserInfo` endpoint data. Graph's `/me` is not being called. I referred to this section in the docs. Now, I know it's about the identifiers, but I hoped Kratos would pull other data too. So again, is there any way to at least get the Access Token from Kratos to call the Graph API directly?
Well, so what I wanted is not possible it seems, so I just forked and made it work lol. I created a pull request (draft) with my changes in case others could benefit from them too, but I am rather fresh to contributing to open source. Could any maintainer give it a look, share feedback, and help me make the pull request proper? Thanks!
m
Hey Mustafa, thanks for the contribution! We will probably not make it this week, but will take a look as soon as possible 🙏