8

Using Azure AD, OIDC implicit flow, I can obtain an access token from a v2 endpoint. The authorization endpoint I am using looks like this:

https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize?client_id=<client-id>&redirect_uri=https://localhost:44321/signin-oidc&response_type=id_token%20token&scope=openid%20api%3A%2F%2Fdev-api-gateway%2FAtlas&response_mode=form_post&nonce=123

Yet, it seems that I get a 'v1' access token. What am I doing wrong?


bandreas
  • Are you including the proper scopes? https://stackoverflow.com/questions/45852984/azure-ad-token-endpoint-doesnt-return-an-access-token-just-an-id-token-and-a-r – Marilee Turscak - MSFT Jan 03 '19 at 20:31
  • 1
    That one is a different issue as far as I can see: they could not obtain an access token. My issue was that I was expecting a 'v2' access token but I was getting a 'v1' access token. The contents of the tokens are slightly different: https://learn.microsoft.com/ro-ro/azure/active-directory/develop/access-tokens#sample-tokens – bandreas Jan 04 '19 at 14:24
  • @bandreas where did you run your request? – Ronald Abellano Aug 21 '20 at 09:12
  • @RonaldAbellano - I do not understand your question: "where did I run my request". Anyway, meanwhile my issue may have become obsolete if AAD has switched to v2 as the default. – bandreas Aug 22 '20 at 12:57
  • For the people still banging their heads on the wall: I've noticed always receiving a v1 token when the correct scope has not been set. I just had ".default", as I got an error with "api://xxx-xxx-xxx-xxx-xxx/", and it succeeded, but gave me a v1. api://xxx-xxx-xxx-xxx-xxx/.default -> this one gave me a v2 token; do note that you should probably not use this scope in many cases, but it's a starting point. – The_Switch Jun 29 '23 at 13:59

2 Answers

10

Thank you for enlightening me that there are differences in how an App (representing the Resource) is registered. Basically the difference itself is made by the 'accessTokenAcceptedVersion' field in the App's Manifest. Initially it was 'null' but I've changed it to '2'.

According to the docs, the 'null' value should permit v2 tokens as well - it is an issue on AAD's side, in 'Open' state.

Thanks for the lead on this issue.

Regarding the way an app is registered, there is indeed a difference:
  • if it was done in the Azure portal, then the 'accessTokenAcceptedVersion' field of the manifest is set to 'null'
  • if it was done in the app registration portal (https://apps.dev.microsoft.com), then it defaults to '2'

If it weren't for the issue (bug) mentioned above, this shouldn't make a difference.

bandreas
  • As far as I know, there should be no difference between the Azure portal and the app registration portal. You could register an app (Converged applications - v2, Azure AD only applications - v1) in the app registration portal; when you check their manifest, you will find there is no `accessTokenAcceptedVersion` for the v1 app. – SunnySun Jan 09 '19 at 07:20
  • However, in azure portal, the app registration is for the v1 app, app registration(preview) is for the v2 app, you could check the v1 app manifest in app registration, it also has no `accessTokenAcceptedVersion`. But v2 app registration is still preview in azure portal, if you check v1 app manifest in the app registration (preview), the `accessTokenAcceptedVersion` is null, so suggest you do not check v1 app manifest in the app registration(preview). – SunnySun Jan 09 '19 at 07:21
  • It looks like the App Registration Portal has been retired. It says it is "no longer available to register and manage converged applications", and instructs you to use the Azure portal instead. – Collin K Aug 31 '22 at 21:35
  • Is there any way to set accessTokenAcceptedVersion using the Azure CLI? The update command with `--set` is not taking. – Amal Ps Sep 23 '22 at 07:58
2

The version of the acquired token is related to the resource you access, which is protected by either the v1 endpoint or the v2 endpoint.

On my side, the API is protected by the v2 endpoint, so it returned a v2 access_token.

https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize?client_id=<client-id>&redirect_uri=https://snv2app.azurewebsites.net&response_type=id_token+token&scope=openid api://f3d966c0-517e-4e13-a5bb-9777a916b1a0/User.read&response_mode=fragment&nonce=123

And to parse the access_token:

SunnySun
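Both answers come down to one check: decode the returned access token and look at its `ver` and `iss` claims, which is what the screenshot in the answer above shows. The script below is an added example, not code from either answer or from Microsoft. It builds two constructed, unsigned sample tokens (a v1 token for the `api://dev-api-gateway` resource named in the question, and a v2 token; the tenant and client GUIDs are placeholders), decodes the payload without verifying the signature, and classifies the token by the `ver`/`iss` pair that Azure AD uses: `ver: "1.0"` with issuer `https://sts.windows.net/{tid}/` for v1, `ver: "2.0"` with issuer `https://login.microsoftonline.com/{tid}/v2.0` for v2. A token whose two claims disagree is flagged rather than guessed at.

```python
import base64
import json

# Constructed placeholder identifiers; not a real tenant or app registration.
TENANT = "00000000-0000-0000-0000-000000000000"
API_CLIENT_ID = "11111111-1111-1111-1111-111111111111"


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Build header.payload. with an empty signature, for inspection only.
    Real Azure AD tokens are RS256-signed; this is just sample input."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(token: str) -> dict:
    """Return the payload claims WITHOUT checking the signature.
    Good enough to see which endpoint issued a token; never use an
    unverified decode like this to make an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def token_version(token: str) -> str:
    """Classify an Azure AD access token as 'v1' or 'v2' from its ver and iss
    claims; 'inconsistent' if the two claims do not agree."""
    claims = decode_claims(token)
    ver = claims.get("ver")
    iss = claims.get("iss", "")
    tid = claims.get("tid")
    if ver == "1.0" and iss == f"https://sts.windows.net/{tid}/":
        return "v1"
    if ver == "2.0" and iss == f"https://login.microsoftonline.com/{tid}/v2.0":
        return "v2"
    return "inconsistent"


def diagnose(token: str) -> str:
    """Explain a v1 token coming back from a /oauth2/v2.0/ request, per the
    accepted answer: the resource app's accessTokenAcceptedVersion decides."""
    version = token_version(token)
    if version == "v1":
        return ("v1 token: the resource app registration has "
                "accessTokenAcceptedVersion null or 1; set it to 2 "
                "in the manifest to receive v2 tokens")
    if version == "v2":
        return "v2 token: resource accepts v2; nothing to change"
    return "ver and iss disagree; inspect the token by hand"


# Constructed sample tokens mirroring the two shapes discussed above.
V1_TOKEN = make_unsigned_jwt({
    "aud": "api://dev-api-gateway",          # App ID URI from the question
    "iss": f"https://sts.windows.net/{TENANT}/",
    "tid": TENANT,
    "ver": "1.0",
    "scp": "Atlas",
})
V2_TOKEN = make_unsigned_jwt({
    "aud": API_CLIENT_ID,
    "iss": f"https://login.microsoftonline.com/{TENANT}/v2.0",
    "tid": TENANT,
    "ver": "2.0",
    "scp": "Atlas",
})

if __name__ == "__main__":
    for label, tok in (("v1 sample", V1_TOKEN), ("v2 sample", V2_TOKEN)):
        print(f"{label}: {token_version(tok)} -> {diagnose(tok)}")
```

To use it on a real token, paste the `access_token` value from the form_post or fragment response into `token_version()`; the signature is not verified here, so treat the output as a diagnostic of which endpoint issued the token, not as proof of its authenticity.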