
I'm using adal.js to authenticate with Azure AD. I have a webApp and a webApi. My apps pretty much follow this sample: https://github.com/AzureADSamples/SinglePageApp-WebAPI-AngularJS-DotNet .

I was able to login to my webApp and adal.js successfully acquired a token for my webApi and injected it into a request. All was working until recently. Then token acquisition for webApi stopped working with error:

"response_type 'token' is not supported for the application"

renewToken is failed:AADSTS70005: response_type 'token' is not supported for the application Trace ID: 104c18e3-eb6e-42a4-a292-c6f170f27f65 Correlation ID: c2e65622-0c58-473a-8184-b3056fb1af58 Timestamp: 2015-03-27 22:53:12Z

I can clearly see that adal.js is building a request and puts "response_type=token" into a query string. So, my assumption is that something changed on Azure AD side.

I found one article that correlates response_type=token to the implicit grant flow. I confirmed that my webApp has "oauth2AllowImplicitFlow" enabled. I have contacted MS support and am waiting for a resolution. Meanwhile, I wanted to share this with the community and see whether someone has any information regarding the issue.

Thanks

serg.salo

2 Answers


If you are building a client-side app, you need to enable the implicit flow from the application manifest:

  "oauth2AllowImplicitFlow": true,

  1. Open your application configuration in the Azure portal, and download the manifest file from the "Manage Manifest" menu.

  2. Search for oauth2AllowImplicitFlow and change the value to true.

  3. Upload the file again through the same menu.

Log out and log in again to your app and it will work like a charm.


It can also be configured via the Azure AD portal:

  • From the application page, click on Authentication, and under Advanced Settings, select the checkboxes next to Access tokens and ID tokens to enable OAuth2 implicit grant for the application.

More info about the OAuth2 implicit flow (link):

The implicit grant type is used for mobile apps and web applications (i.e. applications that run in a web browser), where the client secret confidentiality is not guaranteed...

alaasdk
  • Just a very quick note: in my case, I had to go to https://apps.dev.microsoft.com and add a whole new app. It will redirect you to the newly created app registration and there's an option 'add platform'. After I selected 'web' (again, in my case) the Allow Implicit Flow tick box appeared. – AuroMetal Dec 04 '17 at 16:13
  • The portal now allows you to edit the manifest inside a portal blade – pcdev Feb 15 '18 at 00:03
  • Duplicate with https://stackoverflow.com/questions/25511096/getting-error-unsupported-response-typeerror-description-aadsts70005-with-tok/49131413#49131413 – Skorunka František Mar 06 '18 at 13:15

Recreating my webApp fixed the issue. I'm still investigating the root cause with MS. The manifests for the two apps aren't different except for their AAD Client IDs.

UPDATE

see my comments for resolution

serg.salo
  • The root cause was that my webApp manifest included the next setting: – serg.salo Mar 29 '15 at 22:04
  • The root cause I think is that my webApp manifest includes the next setting: "groupMembershipClaims": "SecurityGroup". If I change it to "groupMembershipClaims": null, suddenly my webApp starts working. I think the issue is that my token's length is too long when security groups are included with it. As a result, when adal.js builds a request to get a token for webApi, the Azure AD OAuth endpoint can't process it because of some limitation on token size. – serg.salo Mar 29 '15 at 22:12
  • I think there is some other problem going on. I have "groupMembershipClaims": null and yet I still receive the same error: AADSTS70005: response_type 'token' is not supported for the application Trace ID: 842eadd1-6363-441e-a55f-5c6faa2f7f6d Correlation ID: ae983aa5-ccb4-40fd-8331-82f4d154957b Timestamp: 2015-03-29 23:45:34Z And yet, the well-known/openid-configuration endpoint says: "response_types_supported": [ "code", "id_token", "code id_token", "token" ], – Matt Mazzola Mar 29 '15 at 23:53
  • Make sure you enabled oauth2AllowImplicitFlow in the manifest – serg.salo Mar 30 '15 at 05:37
  • Manually adding "groupMembershipClaims": null to the manifest did the job. +1 serg.salo! – WtFudgE Dec 25 '17 at 06:48
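The request, the error and the two manifest settings discussed in the question, the first answer and the comments above, as an added JavaScript example. It is not part of the original question or answers and not ADAL.js's own code: it approximates the implicit-grant authorize request ADAL.js builds against the Azure AD v1 endpoint (the exact parameter set is an assumption), parses the fragment the endpoint sends back (an access token on success, an AADSTS error otherwise), and checks a downloaded manifest for oauth2AllowImplicitFlow and groupMembershipClaims. The tenant, app ID, redirect URL, state value and manifest in the sample are constructed, not real.

```javascript
// Added example, not code from the original post or from ADAL.js. It models the
// exchange the thread is about: ADAL.js requesting an access token with the
// implicit grant (response_type=token) from the Azure AD v1 endpoint, the
// AADSTS70005 error returned when the app registration does not allow that
// grant, and the two manifest settings the answers and comments point at.
// The parameter set below is an approximation of ADAL.js's request.

const AUTHORITY = "https://login.microsoftonline.com";

// Authorize request for the implicit grant. For renewToken ADAL.js sends this
// from a hidden iframe with prompt=none, so no login UI can appear.
function buildImplicitAuthorizeUrl({ tenant, clientId, resource, redirectUri, state, silent }) {
  const url = new URL(`${AUTHORITY}/${tenant}/oauth2/authorize`);
  url.searchParams.set("response_type", "token"); // implicit grant: token comes back in the URL fragment
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("resource", resource);     // v1 endpoint: the web API's App ID URI
  url.searchParams.set("redirect_uri", redirectUri);
  url.searchParams.set("state", state);           // bound to this request; verified on return
  if (silent) url.searchParams.set("prompt", "none");
  return url.toString();
}

// Parse the redirect Azure AD sends back. With the implicit grant both the token
// and any error travel in the URL fragment, never in the query string.
function parseAuthorizeResponse(redirectedUrl) {
  const fragment = new URL(redirectedUrl).hash.replace(/^#/, "");
  const params = new URLSearchParams(fragment);
  if (params.has("error")) {
    const description = params.get("error_description") || "";
    const codeMatch = description.match(/^(AADSTS\d+)/);
    return {
      ok: false,
      error: params.get("error"),
      code: codeMatch ? codeMatch[1] : null,
      description,
      state: params.get("state"),
    };
  }
  return {
    ok: true,
    accessToken: params.get("access_token"),
    expiresIn: Number(params.get("expires_in")),
    state: params.get("state"),
  };
}

// Check the settings in an app manifest (the JSON downloaded from, or edited in,
// the portal) that this thread ties to AADSTS70005.
function checkManifest(manifest) {
  const findings = [];
  if (manifest.oauth2AllowImplicitFlow !== true) {
    findings.push("oauth2AllowImplicitFlow is not true: response_type=token is rejected with AADSTS70005");
  }
  if (manifest.groupMembershipClaims) {
    findings.push(
      `groupMembershipClaims is "${manifest.groupMembershipClaims}": group claims enlarge the token; ` +
      "the workaround reported in the thread is to set it to null"
    );
  }
  return findings;
}

// Constructed sample data (placeholder tenant and IDs, no real token or trace ID).
const sampleManifest = {
  appId: "00000000-0000-0000-0000-000000000000",
  oauth2AllowImplicitFlow: false,
  groupMembershipClaims: "SecurityGroup",
};

const sampleErrorRedirect =
  "https://localhost:44300/#error=unsupported_response_type" +
  "&error_description=AADSTS70005%3A+response_type+%27token%27+is+not+supported+for+the+application" +
  "&state=abc123";

function demo() {
  const authorizeUrl = buildImplicitAuthorizeUrl({
    tenant: "contoso.onmicrosoft.com",
    clientId: sampleManifest.appId,
    resource: "https://contoso.onmicrosoft.com/webApi",
    redirectUri: "https://localhost:44300/",
    state: "abc123",
    silent: true,
  });
  return {
    authorizeUrl,
    response: parseAuthorizeResponse(sampleErrorRedirect),
    findings: checkManifest(sampleManifest),
  };
}
```

Running demo() against the constructed data yields the AADSTS70005 code from the fragment and two manifest findings; setting oauth2AllowImplicitFlow to true and groupMembershipClaims to null yields none. The access token riding in the URL fragment is inherent to the implicit grant that ADAL.js depends on; the check here diagnoses the thread's error and is not an endorsement of that grant over the authorization code flow.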