Azure AD returns non JWT Tokens when exchanging the OAuth2 code for an access token
I have an Azure AD App on my tenant that is configured to accept multiple tenants AND personal accounts.

I follow the procedure to retrieve an AccessToken as explained here: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow

When I receive the "code" in my app from the Microsoft web page, I exchange it for an access token calling the endpoint "https://login.microsoftonline.com/common/oauth2/v2.0/token".

Here the behavior differs depending on whether the user who logs in has a work account or a personal account.

With work accounts, I receive a normal JWT token and everybody is happy: I can decode the token and read the claims.

With personal accounts, I receive a different token that is not a JWT, and I have no clue how to:

  1. validate this token
  2. read some information about the user (specifically, the email of the user)

Could you please help me understand how to perform these two actions?

NOTE: I have seen the answers here: "Microsoft as OAuth2 provider for personal accounts does not issue JWT access tokens", but my case is slightly different, since I don't want to access MS Graph with this token; I just need to retrieve the email of the user.

Thanks!

cghersi

Agnomen answered 11/3, 2022 at 17:26 Comment(0)

The access_token in OAuth2 is not required to be a JWT per the OAuth specification.
However, Microsoft supports OpenID Connect, which provides an id_token. The id_token is always a JWT.

To "upgrade" your OAuth request to an OpenID Connect request you simply have to add the scope openid (and possibly email to ensure you get an email).
Then, when you exchange your code for an access_token, you also get an id_token.

Pennington answered 12/3, 2022 at 9:34 Comment(5)
Thanks @Nisd, I can get the id_token, but it has no relevant claims for me to find the email of the user (even if I put the email scope). So, is there a MS REST API that I can call with the id_token to retrieve the basic details of the user, like the email? – Agnomen
@CristianoGhersi Sounds strange. Looking at our own codebase, we are able to extract email and name from the id_token. In the Azure Portal, have you tried adding email and openid as requested claims by your application? Alternatively, you should be able to call the UserInfo endpoint at graph.microsoft.com/oidc/userinfo with your access_token. – Pennington
How does the example for delegated access in Postman get the JWT then? It looks like it follows the exact same flow for generating a code and token. – Kryska
Off-topic: seeing the words "OpenID" and "upgrade" in a single sentence makes me chuckle... isn't OpenID the "old" piece of tech (heck, the spec was drafted in 2005!) that was superseded by OAuth2? – Procora
@Procora Yes, OpenID is old and was replaced by OAuth2. However, OpenID Connect is new and built on top of OAuth2. – Pennington
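An added example (not code from the question or the answer) of the two steps discussed above, in Python with only the standard library: it tells the opaque personal-account access_token apart from a JWT, then reads the email from an id_token obtained with the openid and email scopes after checking aud, iss and exp. The sample token, client_id and tenant id are constructed placeholders, and RS256 signature verification against the keys at the tenant's jwks_uri is left as the step a relying party must still add before trusting the claims.

```python
import base64
import json
# Constructed sample claims shaped like an Azure AD v2.0 id_token for a personal account;
# the tenant id in iss and the client_id are placeholders, not real values.
SAMPLE_CLIENT_ID = "00000000-0000-0000-0000-000000000001"
SAMPLE_CLAIMS = {
    "iss": "https://login.microsoftonline.com/00000000-0000-0000-0000-0000000000aa/v2.0",
    "aud": SAMPLE_CLIENT_ID,
    "exp": 1_700_003_600,
    "preferred_username": "user@example.com",
    "email": "user@example.com",
}

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def make_unsigned_jwt(claims: dict) -> str:
    """JWT-shaped string for offline tests; the third segment is a dummy, not an RS256 signature."""
    header = _b64url(json.dumps({"typ": "JWT", "alg": "RS256"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.{_b64url(b'dummy-signature')}"
SAMPLE_ID_TOKEN = make_unsigned_jwt(SAMPLE_CLAIMS)

def is_jwt(token: str) -> bool:
    """Three non-empty base64url segments; the opaque personal-account access_token fails this."""
    parts = token.split(".")
    return len(parts) == 3 and all(parts)

def email_from_id_token(id_token: str, client_id: str, now: int) -> str:
    """Return the user's email after the claim checks a relying party must make. Verifying the
    RS256 signature against the tenant's jwks_uri keys is still required and is not done here."""
    if not is_jwt(id_token):
        raise ValueError("not a JWT; was the opaque access_token passed instead of id_token?")
    header_seg, payload_seg, _sig = id_token.split(".")
    header = json.loads(_b64url_decode(header_seg))
    claims = json.loads(_b64url_decode(payload_seg))
    if header.get("alg") != "RS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    if claims.get("aud") != client_id:
        raise ValueError("aud does not match this app's client_id")
    if not str(claims.get("iss", "")).startswith("https://login.microsoftonline.com/"):
        raise ValueError("unexpected issuer")
    if now >= claims.get("exp", 0):
        raise ValueError("id_token expired")
    email = claims.get("email") or claims.get("preferred_username")
    if not email:
        raise ValueError("no email claim; request the email scope (or optional claim)")
    return email
```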
