Continuation of this question I had asked. I am trying to implement a 'Login with your O365 account' feature on my PHP web application.
When my app requests access to the Graph API resource (https://graph.windows.net/), it seems that only administrators can allow access. If a non-admin tries to complete the OAuth workflow, they get this error from login.windows.net:
AADSTS50020: This operation can only be performed by an administrator. Sign out and sign in as an administrator or contact one of your organization's administrators.
I am not really looking to get access to detailed info about all the users in the directory (I can understand something like this requiring admin privileges), but just the name/email of the currently logged-in user (admin, or non-admin).
So I need basically any O365 user to be able to allow their basic profile info to be read by my app. Is the Graph API the right way to go? What do I need to do differently to achieve this?
If you add 'scope=openid' to your OAuth token request the response from AAD should contain an 'id_token' key. The value of that key is an unsigned JWT token within which you will find the following attributes about the user if they are available in the directory:
NOTE: The id_token returned along with a basic OAuth token response is an unsigned token. It should not be confused with the signed id_token returned in an OpenID Connect protocol response. It should absolutely not be used for making authentication decisions. It is purely informational.
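As an added illustration of the answer above (example code, not from the original post or from any Microsoft library): a small PHP helper that splits the unsigned id_token into its header and payload, base64url-decodes them, and reads a display name and e-mail from the claims. The claim names used here ('name', 'upn', 'email') are assumptions, since the answer does not list the attributes; the sample token at the bottom is constructed for the demo and is not a real AAD token. The helper flags the token as informational whenever the signature segment is empty or the header's alg is 'none', so the calling code can show the profile but never treat it as proof of identity, which is the point the NOTE makes.

```php
<?php
// Added example (not part of the original answer): read the user's basic
// profile out of the unsigned id_token that AAD returns when 'scope=openid'
// is added to the OAuth token request. Claim names are assumptions.

function base64url_decode(string $data)
{
    // JWT segments use the URL-safe alphabet and drop the '=' padding.
    $padded = strtr($data, '-_', '+/');
    $padded .= str_repeat('=', (4 - strlen($padded) % 4) % 4);
    return base64_decode($padded, true); // false on invalid input
}

/**
 * Split a JWT into header and payload arrays. Returns null if the token is
 * not three dot-separated segments of valid base64url-encoded JSON.
 */
function decode_unsigned_id_token(string $jwt): ?array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    [$headerB64, $payloadB64, $signatureB64] = $parts;

    $headerJson  = base64url_decode($headerB64);
    $payloadJson = base64url_decode($payloadB64);
    if ($headerJson === false || $payloadJson === false) {
        return null;
    }

    $header  = json_decode($headerJson, true);
    $payload = json_decode($payloadJson, true);
    if (!is_array($header) || !is_array($payload)) {
        return null;
    }

    // An empty signature segment or alg 'none' means there is nothing to
    // verify: the claims are informational only, as the NOTE above says.
    $unsigned = ($signatureB64 === '') || (($header['alg'] ?? 'none') === 'none');

    return ['header' => $header, 'payload' => $payload, 'unsigned' => $unsigned];
}

/**
 * Pull name/e-mail for display purposes. This function deliberately does not
 * touch session state; authentication must rely on a signed OpenID Connect
 * id_token, not on this token.
 */
function profile_from_id_token(string $jwt): ?array
{
    $decoded = decode_unsigned_id_token($jwt);
    if ($decoded === null) {
        return null;
    }
    $claims = $decoded['payload'];
    return [
        'name'               => $claims['name'] ?? null,            // assumed claim
        'email'              => $claims['upn'] ?? $claims['email'] ?? null, // assumed claims
        'informational_only' => $decoded['unsigned'],
    ];
}

// Constructed sample token for the demo: header {"typ":"JWT","alg":"none"},
// a made-up payload, and an empty signature segment.
$b64url        = fn(string $s) => rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
$sampleHeader  = $b64url('{"typ":"JWT","alg":"none"}');
$samplePayload = $b64url('{"name":"Example User","upn":"user@example.com"}');
$sampleToken   = "$sampleHeader.$samplePayload.";

var_dump(profile_from_id_token($sampleToken));
// Expected: name "Example User", email "user@example.com", informational_only true
```

In a real login flow the value returned by profile_from_id_token() is only suitable for filling in a greeting or pre-populating a form; the 'informational_only' flag being true is the cue that the session must not be established from it.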