Azure AD Adal4j Token recieved after refresh token is not signed JWT

Question

I am developing an authentication service for my web based java application using Azure AD OpenID connect framework. I am referring to adal4j-1.2.0.jar The authentication is happening as per the behavior. I am getting the JWT claims and able to validate it.

But when 60 mins of session timeout occurs and I am trying to get new token claims using refresh token, the new tokens are not Signed JWT. They are Plain JWT.

I am using below call to acquire token using my initial refresh token which I am caching.

acquireTokenByRrefreshToken(refreshtoken, credential,null,null)

For validation of token, I am using the code as below

IDtokenValidator validator =  new IDTokenValidator(issuer,clientID, JWSAlgo,URL)
validator.validate(idToken, exoectedNoounce); //this line throws badjwtexception signed ID token expected

Can anyone help me to understand how can I redeem the refresh token to get new Signed tokens. Or after redeeming the token, the new tokens are always Plain JWT.

Did you ever solve this? I also get an unsigned id token when using `acquireTokenByRefreshToken` — Don Rhummy, Dec 11 '18 at 19:04

score 1 · Answer 1 · answered Sep 29 '17 at 07:28

1

I believe ,you are using implicit grant flow to get token.You are getting token from authorization end point.In this flow ,you will not get refresh token.Either you need to get new token after session expire or create a hidden frame which can get token before session expire.

answered Sep 29 '17 at 07:28

A_____

364
3
19

just to add on this, in order to get a new token after session expired. The resource(URL) should be same registered in Azure AD as reply URL. But the user may be on some other URL when the session expires. So if a new request is submitted, I am landing on error page saying reply URL doesn't match. – RAJDEV SINGH JASROTIA Sep 29 '17 at 07:38
In this case you can use code grant flow or client credential flow.Get code from authorization by first validating the user,then send this code with client secret to get token + refresh token.I am not sure if this java which you are using library has methods to call code grant flow. – A_____ Sep 29 '17 at 07:52

score 0 · Answer 2 · answered Oct 04 '17 at 08:38

You could refer to the official doc to acquire access token and refresh token by code grant flow.

Actually,methods in adal4j are implemented via HTTP REST API so that you could refer to the code below to request AuthorizationCode.

public static void getAuthorizationCode() throws IOException {

        String encoding = "UTF-8";
        String params = "client_id=" + clientId 
                + "&response_type=" + reponseType
                + "&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F"
                + "&response_mode=query"
                + "&resource=https%3A%2F%2Fgraph.windows.net"
                + "&state=12345";
        String path = "https://login.microsoftonline.com/" + tenantId + "/oauth2/authorize";
        byte[] data = params.getBytes(encoding);
        URL url = new URL(path);
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        conn.setRequestProperty("Content-Length", String.valueOf(data.length));
        conn.setConnectTimeout(5 * 1000);
        OutputStream outStream = conn.getOutputStream();
        outStream.write(data);
        outStream.flush();
        outStream.close();
        System.out.println(conn.getResponseCode());
        System.out.println(conn.getResponseMessage());

        BufferedReader br = null;
        if (conn.getResponseCode() != 200) {
            br = new BufferedReader(new InputStreamReader((conn.getErrorStream())));
        } else {
            br = new BufferedReader(new InputStreamReader((conn.getInputStream())));
        }
        System.out.println("Response body : " + br.readLine());
    }

Then you could get access token using the AuthorizationCode you got and get refresh code using the code below.

public static void getToken(String refreshToken) throws IOException {

        String encoding = "UTF-8";
        String params = "client_id=" + clientId + "&refresh_token=" + refreshToken
                + "&grant_type=refresh_token&resource=https%3A%2F%2Fgraph.windows.net";
        String path = "https://login.microsoftonline.com/" + tenantId + "/oauth2/token";
        byte[] data = params.getBytes(encoding);
        URL url = new URL(path);
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        conn.setRequestProperty("Content-Length", String.valueOf(data.length));
        conn.setConnectTimeout(5 * 1000);
        OutputStream outStream = conn.getOutputStream();
        outStream.write(data);
        outStream.flush();
        outStream.close();
        System.out.println(conn.getResponseCode());
        System.out.println(conn.getResponseMessage());

        BufferedReader br = null;
        if (conn.getResponseCode() != 200) {
            br = new BufferedReader(new InputStreamReader((conn.getErrorStream())));
        } else {
            br = new BufferedReader(new InputStreamReader((conn.getInputStream())));
        }
        System.out.println("Response body : " + br.readLine());
    }

Hope it helps you.

Thanks. I am able to use get new access_token, Id_token and refresh_token by calling `acquireTokenByRrefreshToken(refreshtoken, credential,resource,null)` but I am not able to figure it out how to use new tokens in my session object. I am setting some parameters in my session object which gets lost after 60mins. So with new tokens I need to add them back. — RAJDEV SINGH JASROTIA, Oct 04 '17 at 09:38

Azure AD Adal4j Token recieved after refresh token is not signed JWT

2 Answers2