I have an Azure App Service on which I have enabled Authentication/Authorization and configured AD as the authentication provider.

All /.auth routes exist on the service, and I can log in. After successful login I can call /.auth/me to get the access_token. The response looks like:

[
  {
     "access_token": "AQABAAAAAA...Gni4EiQgAA",
     "expires_on": "2017-02-28T19:17:08.0000000Z",
     "id_token": "JWT TOKEN",
     ...
  }
]

I then use the access_token in an authorization bearer header to request data from the service.

"Authorization": "Bearer " + "AQABAAAAAA...Gni4EiQgAA"

My service returns the following error

IDX10708: 'System.IdentityModel.Tokens.JwtSecurityTokenHandler' cannot read this string: 'AQABAAAAAA...Gni4EiQgAA'.

The string needs to be in compact JSON format, which is of the form: '<Base64UrlEncodedHeader>.<Base64UrlEndcodedPayload>.<OPTIONAL, Base64UrlEncodedSignature>'.

According to this discussion the access_token is intended to be used as a Bearer token. I have also read here that the access_token is supposed to be base64 encoded but this does not appear to be the case.

Additionally, if I use the id_token as a Bearer token, then authentication works as expected (the id_token is in JWT format).

Edit

When I manually implement the Oauth flow as described here, I receive a proper JWT access_token.

GET
https://login.microsoftonline.com/common/oauth2/authorize?client_id=client_id&response_type=code&redirect_uri=redirect_uri

Followed by

POST
https://login.microsoftonline.com/common/oauth2/token
  grant_type=authorization_code
  client_id=client_id
  code=CODE FROM ABOVE
  redirect_uri=redirect_uri
  resource=resource
  client_secret=client_secret

RESPONSE
{
  "access_token": "JWT TOKEN",
  "token_type": "Bearer",
  ...
}
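The IDX10708 error is a format complaint: the handler expects compact JWS serialization (three base64url segments separated by dots) and the easy-auth access_token is an opaque string instead. The following diagnostic is an added example, not code from the question or from Azure; it splits a token the way the handler does, decodes the header and payload without verifying the signature, and reports which tokens in a /.auth/me response are usable as JWT bearer tokens and for which audience. The /.auth/me sample is constructed from the shape shown in the question, with a throwaway unsigned JWT standing in for the real signed id_token.

```python
import base64
import json
from typing import Optional, Tuple


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_jwt(claims: dict) -> str:
    """Build a compact-serialised JWT with alg=none. Used here only to construct
    sample input; a real AAD id_token or access_token is signed (RS256)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."  # empty third segment: no signature


def decode_jwt_unverified(token: str) -> Optional[Tuple[dict, dict]]:
    """Return (header, payload) if `token` has the compact form
    '<b64url header>.<b64url payload>.<b64url signature>', else None.
    The signature is NOT checked: this is a format diagnostic, not validation."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(_b64url_decode(parts[0]).decode("utf-8"))
        payload = json.loads(_b64url_decode(parts[1]).decode("utf-8"))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return None
    if not (isinstance(header, dict) and isinstance(payload, dict)):
        return None
    return header, payload


def classify_auth_me(auth_me: list) -> dict:
    """For each token in a /.auth/me response, report whether it is a compact JWT
    and, if so, its 'aud' claim (the resource the token was issued for)."""
    report = {}
    for entry in auth_me:
        for name in ("access_token", "id_token"):
            token = entry.get(name)
            if not token:
                continue
            decoded = decode_jwt_unverified(token)
            report[name] = {
                "is_jwt": decoded is not None,
                "aud": decoded[1].get("aud") if decoded else None,
            }
    return report


# Constructed sample mirroring the /.auth/me shape in the question. The opaque
# access_token is the truncated placeholder from the question; the id_token is
# an unsigned JWT built above, standing in for the real signed one. The claim
# values are placeholders.
SAMPLE_AUTH_ME = [{
    "access_token": "AQABAAAAAA...Gni4EiQgAA",
    "expires_on": "2017-02-28T19:17:08.0000000Z",
    "id_token": make_unsigned_jwt({"aud": "<app-client-id>", "sub": "user-object-id"}),
}]


if __name__ == "__main__":
    for name, info in classify_auth_me(SAMPLE_AUTH_ME).items():
        if info["is_jwt"]:
            print(f"{name}: compact JWT, aud={info['aud']}")
        else:
            print(f"{name}: opaque (not JWT); sending it as Bearer triggers IDX10708")
```

Running this against a real /.auth/me body before wiring a token into an Authorization header tells you, without a round trip to the service, whether you are holding a JWT and for which audience it was minted; an access_token whose `aud` is not your API will be rejected by a correctly configured handler even once it is in JWT form.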
David Farr

1 Answer
How to get Azure easy auth JWT access_token

According to your description, I enabled Authentication/Authorization and configured AD as the authentication provider to test this issue. As I know, when you enable Authentication/Authorization on Azure Portal, the default response_type is id_token. You need to log into https://manage.windowsazure.com and update App Service Auth Configuration as follows:

(screenshot of the App Service Auth Configuration not available)

Note: If you do not specify the resource for additionalLoginParams, you would retrieve an access_token that is not in JSON Web Token (JWT) format.

I then use the access_token in an authorization bearer header to request data from the service.

For accessing your service, you could leverage the AppServiceAuthSession cookie or you could use Authorization: Bearer {your-id-token}.

For more details, you could refer to this similar tutorial.
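The setting the answer refers to lives in the site's authsettings resource, where additionalLoginParams is a list of strings such as `resource=<identifier>`. The helper below is an added example, not the answer's or Microsoft's code; it assumes the resource appears as an ARM document with the fields under a `properties` wrapper (verify against what Resource Explorer shows for your site) and uses a constructed, minimal fragment. It reads back the current resource parameter, produces an updated copy with exactly one `resource=` entry, and sanity-checks that the identifier is either an Application ID GUID or an Application ID URI, the two forms a commenter notes Azure AD accepts.

```python
import copy
import re
from typing import Optional

# Constructed fragment of an App Service authsettings document as assumed to
# appear in Resource Explorer; only fields relevant here are included and the
# client id is a placeholder.
SAMPLE_AUTHSETTINGS = {
    "properties": {
        "enabled": True,
        "clientId": "<app-client-id>",
        "additionalLoginParams": None,  # portal default: no extra login parameters
    }
}

_GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def looks_like_resource_identifier(resource: str) -> bool:
    """Accept an Application ID GUID or an Application ID URI (scheme://host...)."""
    if _GUID.match(resource):
        return True
    return bool(re.match(r"^[A-Za-z][A-Za-z0-9+.-]*://\S+$", resource))


def resource_login_param(authsettings: dict) -> Optional[str]:
    """Return the value of the 'resource=' login parameter, or None if unset."""
    params = authsettings.get("properties", {}).get("additionalLoginParams") or []
    for param in params:
        key, sep, value = param.partition("=")
        if sep and key == "resource":
            return value
    return None


def with_resource_login_param(authsettings: dict, resource: str) -> dict:
    """Return a deep copy of `authsettings` whose additionalLoginParams carries
    exactly one 'resource=<resource>' entry; other parameters are preserved."""
    if not looks_like_resource_identifier(resource):
        raise ValueError(f"not an Application ID GUID or URI: {resource!r}")
    updated = copy.deepcopy(authsettings)
    props = updated.setdefault("properties", {})
    kept = [p for p in (props.get("additionalLoginParams") or [])
            if not p.startswith("resource=")]
    props["additionalLoginParams"] = kept + [f"resource={resource}"]
    return updated


if __name__ == "__main__":
    print("before:", resource_login_param(SAMPLE_AUTHSETTINGS))
    patched = with_resource_login_param(SAMPLE_AUTHSETTINGS, "https://graph.microsoft.com")
    print("after:", patched["properties"]["additionalLoginParams"])
```

After applying the updated document, users must sign in again, since the resource parameter only affects tokens issued by subsequent logins; the access_token returned from /.auth/me should then be a JWT whose `aud` claim matches the identifier you configured.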

Bruce Chen
  • Thanks! This pointed me in the right direction. However I wonder why this setting is obscured away when the whole permission assignment flow has a UI. – Nitin Badole May 15 '19 at 12:23
  • @Nitin I know I'm replying to this after 3 years. But my objective is the same. And doing so results in a 500 Internal Error response after login. The NodeJS app works perfectly without any additional login param. But adding `resource=https://graph.microsoft.com` results in 500 – Boo Feb 03 '20 at 07:35
  • The resource here should be the identifier for the thing you are trying to grant access to. In my case it was a Function App which we've built separately. So I provided its Application ID GUID identifier from Azure AD. Alternatively this could have been its URL as configured in the Azure AD. – Nitin Badole Feb 04 '20 at 11:18
  • But like Bruce has said, I should be able to get access to graph. Or is it that there is some other ID I have to use? But when I did this the `myapp.com/.auth/me` end point works and gives me a JWT which works with graph. But the app at `myapp.com` returns 500 – Boo Feb 04 '20 at 14:02
  • I think you need to go here to do this now: [Resource Explorer](https://resources.azure.com/) per [Refresh identity provider tokens](https://learn.microsoft.com/en-us/azure/app-service/app-service-authentication-how-to#refresh-identity-provider-tokens) – Dustin Jun 12 '20 at 13:05