1

When requesting a token and id_token from Azure using the implicit grant flow using a request like

https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&response_type=token%20id_token
&redirect_uri=http%3A%2F%2Flocalhost
&scope=openid%20user.read
&response_mode=fragment
&state=12345
&nonce=678910

I'm successfully getting a response back with an "access_token", and an "id_token".

From what I've read, when decoding the "id_token" I should see information about the user (like name, email, picture, etc), and the "access_token" (should not be decoded) is what should be used to use as the "Bearer" token in the "Authorization" header.

When I view the token details with https://jwt.ms the "access_token" is the one with the user details, and the "id_token" has none.

When I try to access my API with the "access_token", it doesn't allow, but if I access it with the "id_token" it does.

This seems contradictory to the documentation so I'm wondering if someone can clarify for me?

a344254
  • 571
  • 2
  • 9
  • 20

2 Answers2

1

You are right - the ID token is the one which gives your app information about the authenticated user, the access token is the one that you should use to access MS APIs. That said, please note the following.

When I view the token details with https://jwt.ms the "access_token" is the one with the user details, and the "id_token" has none.

What do you mean by "user details"? Usually the access token will contain some details about the user, which the APIs would need to perform proper authorization. Very often it will be the sub claim, but there might be some other claims as well. Note also that by default the ID token doesn't carry much information about the user either. You have to request other openID scopes, like profile or email to get more information about the user in the ID token. Here's the documentation of what claims you can find in the ID token, and which scopes should be requested to get these claims: https://learn.microsoft.com/en-us/azure/active-directory/develop/id-tokens.

When I try to access my API with the "access_token", it doesn't allow, but if I access it with the "id_token" it does.

What do you mean by "my API"? Is it an API you created from scratch, or some API you deployed using Microsoft tools? Are you sure that your API is configured to be accessible with an access token from Microsoft? Usually that token would be used to access MS APIs, not your own.

Michal Trojanowski
  • 10,641
  • 2
  • 22
  • 41
  • "my API" refers to an Azure function app that I wrote from scratch. I'm a newbie at this so you'd have to point me in the direction of where to specify that it's accessible via an access token from Microsoft. I currently have my function app's "authority" using the Microsoft/Azure identity provider, connected to my "app registration". This app's "authentication" is configured with a "Web" platform returning access and id tokens. This app is connected to an "Enterprise App" with "User assignment required" enabled, and certain users/groups specified as to who can access. – a344254 Jan 27 '22 at 12:15
  • Unfortunately I don't know that much about Azure functions. Maybe there are some tutorials out there which would show how to create a common setup? – Michal Trojanowski Jan 27 '22 at 12:31
1

Depending on how the authorization server is configured, the returned id-token might not contain that many user claims.

But how will the client get the missing information?

The client can then do a background request to the UserInfo endpoint to retrieve the additional claims and user information. by doing it in this way, the id-token size is reduced.

Tore Nestenius
  • 16,431
  • 5
  • 30
  • 40