
I followed the MS auth flow procedure to get an access token for my user:

https://learn.microsoft.com/en-us/graph/auth-v2-user

I got the authorization code and used it to get the access token. Now I'd like to know which organization this user belongs to, so basically get the tenant ID. I did some research and found a similar problem, with the solution being to parse the token with jwt.ms and get the information from the claims of the token:

How to get the organization (tenant) id from user profile using the Microsoft Graph API

However, my token can't be parsed even though I can access the API successfully with it, so what's wrong with the token and how can I get the tenant information in this case?


UPD

I'm on a free personal MS account; the chain of calls looks like:

https://login.microsoftonline.com/common/oauth2/v2.0/authorize
https://login.microsoftonline.com/common/oauth2/v2.0/token

teamsScope=offline_access,User.Read,Files.ReadWrite

{
    "token_type":"Bearer",
    "scope":"User.Read Files.ReadWrite profile",
    "expires_in":3600,
    "ext_expires_in":3600,
    "access_token":"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",
    "refresh_token":"M.R3_BAY.CR9WAnqQDx9dzRd7Z7FrfDQMax0HCeVHW11xHOkMdnK3mGP4Pg!QcenTD3IKtJ0Tip948K!f93euTYcqyi8BOewY1ReYXRT4sOmHs!sR2290!*fez7m2xYXE8d3UHuuli2jWpXnbD*cg3l4HTpX90EoBzIg0U!soQnA5qRiHhMoBWqUnOm5Az6P6VplfNYTLnR1G0QF4yWpU4UJbDMe*kqsgf0h9dfQoyLLHYTXPnvZgkDIBlrYIAUOG7wglOFVLr!Rx9zCCvMCO13Irde*He5Uac2TKRxKHL5tzwSx1f4JlzYuEKOqt1iLOu9JHKV4SQ7zk!HjtPp4ZnxPzMPzuihFCOps*!20sm5Ux7ZARrt9OhIHicpun4uIz61VQrmXP!zqATVFohECSAh27zEZtIEDjAzSYkeAtVDzP75YnO2ARBjhNYCxbHyXww4WLhcA3CA$$"
}
hdmiimdh
  • Trying to decode the token here: https://jwt.io/ and it says that the header is not encoded correctly using base64url. Do you really use the access token? – user2250152 Feb 15 '21 at 15:08
  • I can call their API with it later on with no issues; this is the token I get from MS. – hdmiimdh Feb 16 '21 at 05:41
  • This is related to your account type. If your account is a personal account, then your token is like this. – Carl Zhao Feb 16 '21 at 06:41
  • Ahh, I guessed this might have something to do with the account, thanks for the clarification. – hdmiimdh Feb 16 '21 at 06:55
  • I will post the comment as an answer, if it helps you, you can [accept](https://meta.stackexchange.com/questions/5234/how-does-accepting-an-answer-work) it as an answer, thank you. – Carl Zhao Feb 16 '21 at 07:23

2 Answers

This is related to your account type. If your account is a personal account, then your token is like this.

If you want to obtain a token in jwt format, you can add the personal account as a guest account to your Azure tenant. Then change /common to /tenant id.

Carl Zhao
  • Thanks, quick question: does this mean that only users under `/tenant id` will be able to pass through my app auth? – hdmiimdh Feb 16 '21 at 08:01
  • @hdmiimdh No, if your application is a multi-tenant application, then it also accepts personal Microsoft accounts that are not under the tenant id to log in to the application. But you need to use the `/common` or `/consumers` endpoint to log in. The access token obtained by this method is just like the one you provided. – Carl Zhao Feb 16 '21 at 08:17
  • Carl, so you mean even with work or school account I'll get non JWT token using `/common`, but how to get the tenant information in this case? – hdmiimdh Feb 16 '21 at 13:18
  • @hdmiimdh You misunderstood what I meant, I just said that personal accounts can log in to multi-tenant applications. If you are using a work or school account, I suggest you use the `/tenant id` endpoint, and you will get a JWT token. – Carl Zhao Feb 16 '21 at 13:26
  • Carl, ok thanks, let me try this out. However, I have no clue how to create an organization account (taking into account that we have no organization yet); I posted another question, so you might be helpful there as well: https://stackoverflow.com/questions/66238524/how-to-create-new-microsoft-organization – hdmiimdh Feb 17 '21 at 08:52
  • I don't think this should be an accepted answer. It doesn't help resolve the issue, which is that the OAuth app in azure says personal accounts can log in, but the token type returned is not a proper JWT. We cannot add each personal account as a guest - the idea of a multi-tenant app is that anyone can log in... @CarlZhao - where are the details in docs about this kind of token. Is it possible to get a well formatted JWT token from `common` endpoint for a personal account... – ortonomy Jun 27 '23 at 13:55

I think you are doing something wrong. If you followed the guide, at some point you should have called POST /{tenant}/oauth2/v2.0/token, which will give you an access token, and a refresh token if offline access is enabled. The response would be something like:

{
    "token_type": "Bearer",
    "scope": "user.read%20Fmail.read",
    "expires_in": 3600,
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1Q...",
    "refresh_token": "AwABAAAAvPM1KaPlrEqdFSBzjqfTGAMxZGUTdM0t4B4..."
}

Having looked at your token, it is not a valid JWT, and that is why jwt.ms won't decode it. Because Graph uses JSON Web Tokens (JWT), your access token should be structured as header.payload.signature. You can get more familiar with Graph API tokens here.

Danstan
  • Updated the question with more info, please see the UPD section. I did everything according to the guide, but the token I got cannot be parsed even though I can access their API with it later on, so something to do with the type of the account? (I'm on a free personal MS account.) – hdmiimdh Feb 16 '21 at 05:45
  • Let me follow through the flow again and see if I can get the kind of token you are getting. – Danstan Feb 16 '21 at 05:48
  • @hdmiimdh I think Carl's answer is accurate enough, so I will just leave this one here. I didn't realize that the token is different for personal accounts using `https://login.microsoftonline.com/common/oauth2/v2.0/authorize`. – Danstan Feb 16 '21 at 09:55
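Both answers turn on the same point: a work/school token issued through a tenant endpoint is a JWT whose `tid` claim names the tenant, while the token a personal account gets from `/common` is opaque and has no header.payload.signature structure to decode. The Python below is an added example, not code from the question or from either answer, showing how a client should handle both cases: check for the compact JWS shape, read `tid` without verifying the signature (the client is not the token's audience and has no way to verify a Graph token), and return None for an opaque token instead of failing the way jwt.ms and jwt.io did above. Every token value, the tenant GUID and the helper names are constructed for this example.

```python
"""Tell a JWT-format Graph access token from an opaque one and read its `tid`.

Added example (not from the question or answers). All token values below are
constructed; no real Microsoft identity data is embedded.
"""
import base64
import json
import re
from typing import Optional, Tuple

# A compact JWS is exactly three base64url segments (RFC 7515, section 3.1);
# the signature segment may be empty only for alg "none".
_JWT_SHAPE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token: str) -> Optional[Tuple[dict, dict]]:
    """Return (header, claims) if `token` parses as a JWT, otherwise None.

    The signature is NOT checked: a client is not the audience of a Graph
    token and cannot validate it. Use the result for diagnostics only, never
    for an authorization decision.
    """
    if not _JWT_SHAPE.match(token):
        return None  # opaque tokens, e.g. from a personal account via /common
    head, body, _sig = token.split(".")
    try:
        header = json.loads(_b64url_decode(head))
        claims = json.loads(_b64url_decode(body))
    except ValueError:  # binascii.Error, JSONDecodeError, UnicodeDecodeError
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    return header, claims


def tenant_id_from_token(token: str) -> Optional[str]:
    """The `tid` claim of a work/school token, or None when the token is opaque."""
    decoded = decode_jwt_unverified(token)
    if decoded is None:
        return None
    return decoded[1].get("tid")


def build_sample_jwt(claims: dict) -> str:
    """Build a JWT-shaped string with a placeholder signature (constructed sample).

    Real Azure AD tokens are RS256-signed by the issuer; only the resource
    (Graph) is meant to verify them, which is why the client never needs to.
    """
    header = {"typ": "JWT", "alg": "RS256", "kid": "sample-key-id"}
    return ".".join((
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        _b64url_encode(b"placeholder-signature-not-verifiable"),
    ))


# Constructed samples: a made-up tenant GUID and an opaque, non-JWT token.
SAMPLE_TENANT_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_ORG_TOKEN = build_sample_jwt({
    "aud": "https://graph.microsoft.com",
    "iss": f"https://sts.windows.net/{SAMPLE_TENANT_ID}/",
    "tid": SAMPLE_TENANT_ID,
    "scp": "User.Read Files.ReadWrite",
})
SAMPLE_PERSONAL_TOKEN = "EwBwA8l6BAAU.Constructed-Opaque-Token!*NotAJwt$$"

if __name__ == "__main__":
    for label, tok in (("work/school", SAMPLE_ORG_TOKEN),
                       ("personal", SAMPLE_PERSONAL_TOKEN)):
        print(f"{label}: tid={tenant_id_from_token(tok)!r}")
```

Treat the result as diagnostic only: an unverified `tid` must never drive an authorization decision, and Microsoft documents Graph access tokens as opaque to the client, so their format is not something an app should depend on. If the app needs the tenant reliably, request the `openid` scope and read `tid` from the `id_token`, which is issued to the client itself and is a JWT for both account types (for personal accounts it carries the fixed consumer tenant id 9188040d-6c67-4c5b-b112-36a304b66dad), or call Graph's `/organization` endpoint with a work/school token.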