display user photo using MS graph API for enterprise users.

[AgentSmith1010]

I am using this module on an apache server to authenticate users which I am able to do. I now want to take it a step further and show users their own profile picture. I've followed the guide here and can't figure out how to do that. Here is the relevant sections of httpd.conf I am using.

OIDCProviderMetadataURL https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxx/.well-known/openid-configuration
OIDCClientID xxxxxxxxxxxxxxxxxxxxxxxxxx
OIDCClientSecret xxxxxxxxxxxxxxxxxxxxxxxxxx
OIDCProviderAuthRequestMethod POST
OIDCCacheShmEntrySizeMax 64000
OIDCRemoteUserClaim upn ([^@]+)
OIDCResponseType "code id_token"
OIDCScope "openid profile"
OIDCSessionInactivityTimeout 14400
OIDCSessionMaxDuration 28800
OIDCRefreshAccessTokenBeforeExpiry 1800 logout_on_error
OIDCUnAuthAction auth
OIDCUnAutzAction auth
OIDCRedirectURI https://my.secure.site.com/oidc/protected/
OIDCCryptoPassphrase xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
OIDCDefaultLoggedOutURL https://my.secure.site.com/public/login.php

I tested using this PHP script and I don't see a OIDC claim that has user photo. The appreg does have user.read perm. it does NOT have user.read.all as I am just trying to get info of the signed in user and not anyone else.

no expert on OIDC but shouldn't I also be using ID Token? If so, how ?

$token = $_SERVER['OIDC_access_token'];
$curl = curl_init();
curl_setopt_array($curl, array(
CURLOPT_URL => "https://graph.microsoft.com/v1.0/me/photo/$value",
CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
CURLOPT_CUSTOMREQUEST => "GET",
CURLOPT_HTTPHEADER => array(
"Authorization: Bearer $token"
),
));
//
$response = curl_exec($curl);
$data = json_decode($response, true);

echo $data;

[zandbelt]

it seems this question is a better for a MS Graph forum; surely you'll need to use the access token with the right scope (whatever that is according to MS) and not the ID token