
I was working on a JS app which talks to an Azure AD app using OIDC. Here is the flow of authentication and validation:

  1. Redirect the user to the common login endpoint
  2. Get the access token, id_token etc. on the callback URL
  3. Validate the response with the JWT keys retrieved from the discovered URL - https://login.microsoftonline.com/common/discovery/keys
  4. Get user info from the discovered userinfo URL - https://login.microsoftonline.com/common/openid/userinfo
  5. Store the information in local / session storage, depending upon settings.

The problem with Azure AD is that we cannot complete steps 3 and 4. Neither URL supports CORS. We are not able to validate the tokens we get and can't retrieve the user information.

Is there any better way to get userinfo in Microsoft's implementation of OpenID for Azure AD?

Rahul Patil

2 Answers


You are correct, Azure AD does not support CORS for either the metadata URL or the keys URL.

The general guidance is to not validate the id_token since you should only be using those claims for display purposes and not to drive any core functionality.

For core functionality (aka API calls) you should use access_tokens which should be validated by your back end which does not need CORS enabled endpoints.

You'll see these principles in action in the Azure AD SPA sample, where authContext.getCachedUser() in adal.js is used to read the user and its claims without any validation.

If you want more validated user info, the guidance is to call the Graph to obtain user info via the Microsoft Graph's /me endpoint. You can see this pattern in the Azure AD Xamarin Sample.

You can vote for the request in the Azure AD feedback forum: Add CORS support for discovery and json web key set endpoints.

Saca

I ran into the same problems a while ago and the solution to these problems was to double hop the JWKS and UserInfo calls via an API.

I also used the certified and widely respected OIDC Client library, which has features for SPA silent token renewal and id token validation.

Personally I like to keep my apps coded in an Open Standards manner as much as possible, rather than being locked into one vendor.

PS. If you think this type of solution would work for you, here is a GitHub Sample and some documentation.

Gary Archer