9

I'm trying to set up an Azure Web App to authenticate with Azure AD and refresh the ID Token behind the scenes automatically. A great blog post helped me understand how the whole thing works: https://cgillum.tech/2016/03/07/app-service-token-store/

And this guide linked from it helped me set it up: http://cgillum.tech/2016/03/25/app-service-auth-aad-graph-api/

It seems enabling refresh tokens for Azure AD authentication isn't that simple, so as recommended I used the aforementioned guide to set it up as if it were for GraphApi.

The problem I'm having is even after calling the ".auth/refresh" endpoint and then calling the ".auth/me" endpoint, the only token which is refreshed is the Access Token. That token is of no use to me since I use the Id Token when communicating with my backend server (using an "Authorization Bearer" header).

So how do I get the Id Token to refresh as well?

Chris Gillum
Niv Nahmias

2 Answers

11

Unfortunately AAD does not support refreshing the ID token. Only the access token can be refreshed. See here: https://azure.microsoft.com/en-us/documentation/articles/active-directory-protocols-oauth-code/#refreshing-the-access-tokens

But even if it could be refreshed, it's more correct to use an access token when authenticating with another service, so I suggest changing your apps to work this way. The claims on the access token and the id_token are very similar so it should not be a very disruptive change.

Chris Gillum
  • 2
    Hey Chris, I see from your comment that we should be using `access_tokens` instead of `id_tokens`, but I've found that only the `id_token` works for bearer auth. Do you have any guidance on how to use an `access_token` when performing bearer authentication? – nick_w Sep 27 '16 at 22:13
  • 1
    Access tokens should definitely work for bearer token authentication. If it's not working, then you'll want to look in the server-side logs for the validation error. If this is a web app with Authentication / Authorization, then you can find this information by enabling Application Logging. My guess is that it's an audience validation failure, which are easy to fix. – Chris Gillum Sep 28 '16 at 19:44
  • 1
    Does this apply even to our own API Apps? I just checked the logs and got a JWT validation error when using an access token for bearer auth. – nick_w Sep 28 '16 at 20:02
  • 4
    Your claim that "access token and id token are so similar you should change everything to use access token" is a little bit risky. Open ID was not developed just because some guys were bored and didn't want to use access tokens to authenticate; they were developed because they have a different scope. While access tokens grant you access to protected resources in third party APIs, id-tokens give you a way of authenticating a user without having to require any specific access, and so they should not be confused nor replaced. – Andrés Monge Moreno Jun 29 '17 at 23:40
  • 3
    @AndrésMongeMoreno You're taking my response completely out of context. My suggestion to switch to access tokens is because *that's the proper way to do OAuth*. The comment about common claims is specific to AAD's implementation (OIDC does not apply here) and was only to indicate that it's not a breaking change for the OP's server-side code. – Chris Gillum Jun 30 '17 at 21:29
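As an added example (not code from the answer, the comments, or App Service itself), this is the kind of audience check the comment thread above points at: a bearer-token validator that verifies the signature and expiry and then rejects any token whose `aud` claim is not the audience the backend expects, which is exactly the "JWT validation error" a server logs when it is handed an access token minted for a different resource. The HS256 key, client ID and App ID URI are constructed stand-ins; real AAD tokens are RS256-signed and are verified against the tenant's published signing keys.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed stand-ins for an offline demonstration. AAD issues RS256 tokens;
# a production validator fetches the tenant's public keys instead of a shared key.
DEMO_KEY = b"constructed-demo-secret"
CLIENT_ID = "00000000-0000-0000-0000-00000000cafe"      # app (client) id; aud of an id_token
API_APP_ID_URI = "https://example.invalid/backend-api"   # App ID URI; aud of an access_token

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_token(claims: dict) -> str:
    """Build a compact JWT signed with the stand-in HS256 key."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate_bearer(token: str, expected_aud: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (ok, reason). Checks alg, signature, exp and aud in that order, so a
    token for the wrong audience is refused even when it is otherwise perfectly valid."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return False, "unexpected alg"          # refuse alg switching / 'none'
        expected = hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return False, "bad signature"
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, json.JSONDecodeError):
        return False, "malformed token"
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return False, "token expired"
    if claims.get("aud") != expected_aud:
        # This is the audience validation failure mentioned in the comments above.
        return False, f"audience mismatch: got {claims.get('aud')!r}, want {expected_aud!r}"
    return True, "ok"
```

A backend that was only ever tested with the id_token is implicitly expecting `aud == CLIENT_ID`; to accept access tokens it must expect its own App ID URI (or both) rather than loosen the check.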
1

This is no longer true. Refreshing a token with a scope that includes openid now returns an updated id_token as well.

Mike Barry