Oauth2 - AzureAD - Get User Picture

[Clem-]

Oauth2 - AzureAD - Get User Picture

Description

I successfully added Azure AD as an Identity Provider of FusionAuth and I'm getting the user profile in the JWT.
Howerver, the picture property of the profile is set to https://graph.microsoft.com/v1.0/me/photo/$value.

I would have to make a request in a Lambda in order to populate the user profile with the raw data buffer, but it does not seem possible.

How can I make that request to fetch the picture and send it back to the user profile?

Thanks

[robotdan]

Hi @Clem- we don't currently support making external requests via AJAX in a lambda function.

If AzureAD does not have an option to return the picture as a URL to an image file then it may not be possible to retrieve the user's image.

We may explore adding AJAX support to the Lambda in the future.

[Clem-]

Thank for your answer. I think that requests in Lambda is really something missing (that Auth0 have, btw).

So, is there a way to pass the access token from the IdentityProvider to my App throught FusionAuth in order to make the request to the microsoft API in the app?

Thanks

[voidmain]

@Clem- you can technically make requests from the Lambda's, but just not using XMLHttpRequest. FusionAuth uses the Nashorn JavaScript engine, which runs on the JVM. You can use Java classes from Nashorn including URLConnection in order to make a request. This can get a bit verbose, but it is possible.

The key is that for FusionAuth to display the image properly, you must set the imageUrl property on the user to a well formed URL for the profile picture.

Here's an example of Nashorn engine using Java classes to make a HTTP request: https://gist.github.com/billybong/a462152889b6616deb02

For your other questions, once the user logs in, you'll have their access token and you can turn right around and update the User via the /api/user API to set an imageUrl if that property is null. You could do this as part of the end of the OAuth 2 workflow when the browser is redirected to the redirect_uri.

[robotdan]

@voidmain is correct, however FusionAuth currently blocks all access to the JDK within a lambda.

If we were to support AJAX it would probably make sense for us to expose a helper class or perhaps upgrade the JavaScript engine to support XMLHttpRequest.

[robotdan]

Related

• [Feature] Add request/fetch/AJAX support to lambdas #267

[robotdan]

I would assume this will work now that you can make an HTTP request within a lambda function? Available in version 1.35.0.

• [Feature] Add request/fetch/AJAX support to lambdas #267

If anyone wants to confirm and let us know, that would be great.

[robotdan]

Please re-open if this is still not possible.