
I am using Azure AD v1 endpoint to authorize my webapp.

On initial authentication, I am not getting access_token to be a valid JWT token. However, I am getting id_token to be a valid JWT and the access_token to be the value of refresh_token, which appears strange.


I can call my Web API using id_token as bearer token. All good.

Now when id_token is expired, I am using my refresh_token to send the following refresh token request. I am getting an unsigned id_token as the response. Since the new id_token is unsigned, using this id_token I am not able to access the Web API. Am I missing something?

POST /token HTTP/1.1
Host: {authority}
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&
client_id=mvc&
client_secret=secret&
refresh_token=AQABAAAAAADX8GCi6J
&scope=openid%20profile%20offline_access

I am using the following startup configuration to set up authentication:

services.AddAuthentication(options =>
            {
                options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
            })
            .AddCookie(options =>
            {
                options.ExpireTimeSpan = TimeSpan.FromSeconds(1000);
                options.Cookie.Name = "mvcapplication";
            })
            .AddOpenIdConnect(options =>
            {
                // Lambda parameter must be named "options": the body below uses "options"
                options.Authority = "{aad v1 endpoint}";
                options.ClientId = "mvc";
                options.ClientSecret = "secret";
                options.ResponseType = "code id_token";
                options.ResponseMode = "form_post";
                options.SignInScheme = "Cookies";
                options.CallbackPath = "/Home/Index/";
                options.RequireHttpsMetadata = false;
                options.SaveTokens = true;
                options.GetClaimsFromUserInfoEndpoint = true;

                //Default Scopes
                options.Scope.Add("openid");
                options.Scope.Add("profile");
                options.Scope.Add("offline_access");
            });
NewtonCode
  • Well, you should be using an access token to call an API :) – juunas Jun 08 '18 at 12:13
  • You are correct. That is my first issue. On initial authentication, the access_token and refresh_token are the same. The access_token received is not a valid JWT. Using that access_token gives me an unauthorized access error. I was expecting a valid JWT token there. Any clues? – NewtonCode Jun 08 '18 at 12:16
  • Ahh, you should specify a `resource` when acquiring a token with authorization code or refresh token. E.g. `resource=https://graph.microsoft.com` to get an MS Graph API access token. In the case of your API, you should use either its client id (application id) or its Application ID URI (found in Properties). – juunas Jun 08 '18 at 12:18
  • @juunas should we specify a resource in the OpenID Connect configuration? When I specify the resource in the OpenID configuration, it throws a bad request error. While registering the web API, do we need any additional scopes to be configured? – NewtonCode Jun 11 '18 at 05:57
  • Maybe my article and sample app will help: https://joonasw.net/view/aspnet-core-2-azure-ad-authentication – juunas Jun 11 '18 at 05:59
  • @juunas getting a valid access_token when commenting out the GetClaimsFromUserInfoEndpoint property – NewtonCode Jun 11 '18 at 07:05
  • Using the access_token gives me an unauthorized error, while using id_token returns a result – NewtonCode Jun 11 '18 at 07:07
  • Then I guess you have set up the API with the same identity as the app. Best practice would be to use a separate app identity for the API. – juunas Jun 11 '18 at 07:08
  • I have two separate app registrations, one for the web app and the other for the web API. The web app is given delegated access to the web API – NewtonCode Jun 11 '18 at 07:12
  • Have you configured the API correctly to accept its client id or App ID URI as valid audiences? – juunas Jun 11 '18 at 07:13
  • Yes, because I can see the aud claim to be the correct clientId – NewtonCode Jun 11 '18 at 07:15
  • No I mean the API that receives the token specifies valid audiences. That is set up on the API side. The token sounds like it is generated correctly now, but the API refuses to accept it. – juunas Jun 11 '18 at 07:16
  • Audience is set to the clientId of the web app as the JwtBearer option in startup. I am confused as to why it is still getting rejected. But using the id token gives me a valid response – NewtonCode Jun 11 '18 at 07:18
  • You answered your own question just now :) JWT Bearer options audience should be the client id of the **API**. If you set it to be the client id of the Web App, it will only accept id tokens given to the Web App, and you essentially share the app identity. – juunas Jun 11 '18 at 07:19
  • When you configure the `Audience/ValidAudience/ValidAudiences` in the API's JWT options, that configures validation that checks that the `aud` claim in the token matches what is configured. If it does not, you get a 401. – juunas Jun 11 '18 at 07:21
  • @juunas perfect... I understand my mistake now. Thanks a lot!! – NewtonCode Jun 11 '18 at 07:23

1 Answer

To sum up the discussion in the comments:

  • Use the client id/application id or Application ID URI of the API as the resource when acquiring access tokens
  • Configure the API to accept one or both of the above as valid audience
  • Removing GetClaimsFromUserInfoEndpoint gave a valid access token

You can check more information on setting up Azure AD authentication in ASP.NET Core MVC (2.0) app here: https://joonasw.net/view/aspnet-core-2-azure-ad-authentication.

You can also find a sample app here: https://github.com/juunas11/aspnetcore2aadauth

juunas
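Putting the answer's three points into configuration, as an added example that is not part of the original question or answer: the API's JwtBearer setup with the rejected audience shown beside the corrected one, and the web app's OpenIdConnect handler requesting the API as the v1 `resource`. Client ids, tenant and App ID URI are placeholders, and the example assumes the OpenIdConnect handler's `options.Resource` property is what adds the `resource` parameter to the authorization-code and token requests.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public static class AadV1AuthSetup
{
    // Placeholder identifiers (not from the question): substitute your own registrations.
    const string WebAppClientId = "{web-app-client-id}";
    const string ApiClientId = "{api-client-id}";
    const string ApiAppIdUri = "https://{tenant}.onmicrosoft.com/{api-name}";
    const string V1Authority = "https://login.microsoftonline.com/{tenant-id}";

    // Web API side: only accept tokens whose aud names the API itself.
    public static void ConfigureApi(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.Authority = V1Authority;
                // Rejected setup from the question: aud compared with the web app's id.
                // Only id_tokens issued to the web app carry that aud, so access tokens
                // minted for the API (aud = ApiClientId) fail with 401.
                // options.Audience = WebAppClientId;

                // Corrected: accept the API's client id and/or its Application ID URI.
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateAudience = true,
                    ValidAudiences = new[] { ApiClientId, ApiAppIdUri },
                };
            });
    }

    // Web app side: request an access token FOR the API via the v1 resource parameter.
    public static void ConfigureWebApp(IServiceCollection services)
    {
        services.AddAuthentication(o => { o.DefaultScheme = "Cookies"; o.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme; })
            .AddCookie("Cookies")
            .AddOpenIdConnect(options =>
            {
                options.Authority = V1Authority;
                options.ClientId = WebAppClientId;
                options.ClientSecret = "{client-secret}";
                options.ResponseType = "code id_token";
                options.SaveTokens = true;
                // Without this the v1 endpoint issues a token for the web app itself, not the API.
                // Send the same value as resource= on the refresh_token grant as well.
                options.Resource = ApiClientId;
            });
    }
}
```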