1

I am new to openid and aad.

I have an API which calls a downstream Graph api. I was following the example below, https://joonasw.net/view/azure-ad-on-behalf-of-aspnet-core

Everything worked fine.

But the front end is a third party app, which access my API.

They said they are using opened connect to authenticate the user. They are following Auth grant flow(https://learn.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code), so I expected then to have a JWTs access token. But when I try their access token, it says unauthorised. I tried to decode their access token using jwt.ms, but that did not work either.

Now my question is, is the access token got from ADAL.net authentication different from opened authentication? Is there a work around?

Any help really appreciated.

Thanks in advance.

NewBieDevRo
  • 487
  • 4
  • 22
  • To clarify your theoretical question.. ADAL.NET library can help you acquire tokens from Azure AD, compliant with OAuth 2.0 and OpenID connect protocols. Specific to your case.. if access token was acquired using the Auth code grant flow you mention and with correct parameters, it should work for your API. Two things to check **1)** Make sure that access token was acquired specifying your API as resource and only then it would be valid for your API. **2)** You might be getting ID token and Access token, make sure to use the right one. – Rohit Saigal Mar 19 '19 at 01:52
  • @Rohit, so the third part said they configured the app to use openid scope to get signed access token. This is what confused me. i could not understand what signed access token was also openid scope? As i mentioned I am new to this. So they said token might be different due to openid scope. I will check with them about the resource parameter when authorizing. – NewBieDevRo Mar 19 '19 at 06:20
  • Here’s a sample request for access token that also uses openid scope.. https://learn.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-openid-connect-code#get-access-tokens ..just make sure the value of ‘resource’ exactly matches App ID URI for your web service. – Rohit Saigal Mar 19 '19 at 07:58
  • the documentation says &resource=https%3A%2F%2Fservice.contoso.com%2F // The identifier of the protected resource (web API) that your application needs access to. What is this identifier? Is it the APP ID URI? – NewBieDevRo Mar 19 '19 at 10:06
  • Could you please write this as the answer. it worked for me. – NewBieDevRo Mar 19 '19 at 14:03

1 Answers1

0

To clarify your theoretical question.. ADAL.NET library can help you acquire tokens from Azure AD, compliant with OAuth 2.0 and OpenID connect protocols.

More specific to your case.. if access token was acquired using the Auth code grant flow as you mention in question and with correct parameters, it should work for your API.

Two things to check

  1. Make sure that access token was acquired specifying your API as resource and only then it would be valid for your API.

    Here’s a sample request for access token that also uses openid scope.. Get Access Tokens

    Value of resource should exactly match App ID URI for your web service. To find the App ID URI, in the Azure Portal, click Azure Active Directory, click Application registrations, open the your application's Settings page, then click Properties.

    GET https://login.microsoftonline.com/{tenant}/oauth2/authorize?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e        // Your registered Application Id
&response_type=id_token+code
&redirect_uri=http%3A%2F%2Flocalhost%3a12345          // Your registered Redirect                 Uri, url encoded
&response_mode=form_post                              // `form_post' or 'fragment'
&scope=openid
&resource=https%3A%2F%2Fservice.contoso.com%2F        // The identifier of the protected resource (web API) that your application needs access to
&state=12345                                          // Any value, provided by your app
&nonce=678910                                         // Any value, provided by your app

  2. You might be getting ID token and Access token, make sure to use the right one

Rohit Saigal
  • 9,317
  • 2
  • 20
  • 32