
Does Azure Active Directory have an introspection endpoint (as defined in RFC7662) for verifying OpenID Connect (or OAuth) access tokens?

Codebling · Mothupally

2 Answers

No. You can check all the endpoints supported via the OpenID Provider Configuration for Azure Active Directory.

If you have any ideas or feedback about Azure AD, you can try to submit them through UserVoice: Azure Active Directory.

In particular, you can vote on the suggestion Introspection endpoint for Azure Active Directory.

Sjoerd222888 · Fei Xue

No introspection endpoint

Azure AD does not have an introspection endpoint.

Depending on what you're trying to achieve, however, it may still be possible without that endpoint.

Validating access token

Make a call to the userinfo_endpoint with the token to see if it is still valid, e.g.

GET /oidc/userinfo HTTP/1.1
Host: graph.microsoft.com
Authorization: Bearer <access token>

If the call returns 200, the access token is valid. If it returns 401, it is not valid.

Getting info about/from the access token

There are 2 types of access tokens: self-contained or placeholder (see RFC6749 Section 1.4 for more info). Azure AD's access tokens are JWTs and are self-contained.

You can obtain expiry info, AD app name, tenant info, user info and much more by decoding the access token.

The JWT payload of an Azure AD access token looks like this:

{
  "aud": "00000000-0000-0000-0000-000000000000",
  "iss": "https://sts.windows.net/<tenant_id>/",
  "iat": 1637179385,
  "nbf": 1637179385,
  "exp": 1637183923,
  "acct": 0,
  "acr": "1",
  "aio": "<base64_string>",
  "amr": [
    "pwd",
    "mfa"
  ],
  "app_displayname": "<app_registration_display_name>",
  "appid": "<app_id>",
  "appidacr": "1",
  "family_name": "<user_family_name>",
  "given_name": "<user_given_name>",
  "idtyp": "user",
  "ipaddr": "<user_ip>",
  "name": "<user_name>",
  "oid": "<uuid>",
  "onprem_sid": "<on-premises_sid_of_user>",
  "platf": "8",
  "puid": "<hex_id>",
  "rh": "<?>",
  "scp": "email openid profile",
  "signin_state": [
    "kmsi"
  ],
  "sub": "<user_subscriber_identifier>",
  "tenant_region_scope": "NA",
  "tid": "<tenant_id>",
  "unique_name": "<user_email_or_unique_identifier>",
  "upn": "<user_email>",
  "uti": "<?>",
  "ver": "1.0",
  "wids": [
    "<uuid>"
  ],
  "xms_st": {
    "sub": "<?>"
  },
  "xms_tcdt": <?>
}
Codebling
  • Do you know if there is another alternative already? – Neneil Aug 23 '23 at 12:45
  • @Neneil for which part? If you want to check the token validity, use the userinfo endpoint. If you want to check something else, let me know what info you're looking for – Codebling Aug 23 '23 at 16:11
  • In my case I get back `Access token validation failure. Invalid audience.` from the `userinfo_endpoint`. This is because I am asking for that with an access token that is for my application. So this is not suitable for me. I also tried the token endpoint, but here I get that I am trying to request a token for the application itself. – Neneil Aug 24 '23 at 08:01
  • @Neneil this is likely because of your App Registration config. You could try adding API permissions for Microsoft Graph->User.Read, or you could try using graph.windows.net instead of the default userinfo endpoint, which is graph.microsoft.com (default config for tokens should allow access to graph.windows.net, if I have understood correctly). – Codebling Aug 24 '23 at 17:38
  • 1
    Alternatively, if you want to use the access token to access a resource, just try to access the resource using the token and see if it fails. If you are simply concerned about the token expiring, the token is a JWT and you can check the `exp` field, but if user logs out or token is revoked, the token will no longer be valid. – Codebling Aug 24 '23 at 17:38
  • 1
    See also https://stackoverflow.com/questions/62513980/whats-the-difference-between-graph-windows-net-and-graph-microsoft-com – Codebling Aug 24 '23 at 17:39