Say I have clientId, tenantId, tokenType, redirectUri etc. in Azure. Can I use those parameters to get an access token directly?

I know there is a way which is to combine them together to create a long string.

const url = 'https://login.microsoftonline.com/' + tenantId +   // v2.0 endpoint host, as in the answer below
  '/oauth2/v2.0/authorize?client_id=' + clientId +
  '&response_type=id_token' +                                    // the '&' before response_type was missing
  '&redirect_uri=' + encodeURIComponent(window.location.origin) + // send the value, not the literal text
  '&response_mode=fragment&scope=openid&state=11111&nonce=11111';

Then I open a new window

window.open(url, '_self');

Once the new window pops up, the URL is pretty long. It contains the token, the id_token, all the information.

But I don't want to use this way because exposing the token in the URI is a bad thing. I want to use clientId etc. to get the URL fragment in the code directly. I guess that MSAL internally hacks it, but I'm just not sure.

UPDATE:

I meant that I put the long string in a POSTMAN POST request, even set response_mode=form_post, then clicked the send button, but I just got a bunch of HTML. Is that the correct way to do that?

Bigeyes
  • See the answer below. If you don't want to get the response in the URL then you don't want to set the response_mode to query or fragment. The remaining option is AAD making a POST request to your redirect URI. This is how it works with MSAL.js as well. – derisen Aug 23 '21 at 22:59
  • Could you explain it more? My `redirect_uri=window.location.origin`, how do I write the HTTP request then? – Bigeyes Aug 23 '21 at 23:07

3 Answers

0

You can try using response_mode=form_post; access_token and id_token will be sent as POST parameters to the redirect URL. Since the tokens are part of the POST parameters, they are not part of the URL but of the request body. You can use the developer tools to see the HTTP trace of the request.

0

Got the answer by myself. https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-implicit-grant-flow

Click Postman in the URL, replace some parameters. The token will be displayed in the redirect URI address bar. But it is not good since it is implicit flow.

Bigeyes
  • If you don't want to get the token in the browser address bar, then why don't you use the auth code flow? – Carl Zhao Aug 26 '21 at 09:09
  • By the way, the implicit flow must obtain the token in the browser. If you want to request a token in Postman you can use the auth code flow or the daemon-based client credentials flow. – Carl Zhao Aug 26 '21 at 09:13
  • @CarlZhao, could you please give a detailed answer on how to request a token in Postman by using the auth code flow? I can't figure it out. – Bigeyes Aug 26 '21 at 13:50
  • I posted the answer. – Carl Zhao Aug 27 '21 at 02:31
0

Implicit flow is usually used in single-page applications. If you are not using a single-page application, using this flow will not make sense.

The auth code flow can only obtain the authorization code in the browser, and then use the authorization code to redeem the token in Postman. The auth code flow does not support obtaining tokens directly in the browser address bar, so in your question, you should use the interactive login auth code flow.

1. Request an authorization code in the browser.

https://login.microsoftonline.com/{tenant id}/oauth2/v2.0/authorize?
client_id={client app client id}
&response_type=code
&redirect_uri={redirect_uri}
&response_mode=query
&scope=https://graph.microsoft.com/.default
&state=12345

2. Redeem the token in Postman.

[screenshot of the token request in Postman]

Carl Zhao
  • I got an error when I put the long string in the URI address bar and hit enter. `AADSTS9002325: Proof Key for Code Exchange is required for cross-origin authorization code redemption. ` By the way, my application is Angular; any specific setting in Azure? – Bigeyes Aug 27 '21 at 11:58
  • @Bigeyes I don’t think there are any specific settings. As for your error, please refer to my previous answer: https://stackoverflow.com/questions/64692600/aadsts9002325-proof-key-for-code-exchange-is-required-for-cross-origin-authoriz/64693391#64693391 – Carl Zhao Aug 30 '21 at 02:45
  • Thanks for your information. That is my confusion: I use MSAL 2.0 for Angular. I added the redirectUri in the SPA platform. Is it wrong? – Bigeyes Sep 01 '21 at 07:39
  • @Bigeyes Is your application a SPA? Do you have a server? – Carl Zhao Sep 01 '21 at 08:13
  • @Bigeyes If your application is set up as a single page application and there is no server, then you will only be able to use implicit flow. – Carl Zhao Sep 01 '21 at 08:22
  • Yes, I have Spring Boot as the backend. It runs on localhost:8080 locally. In dev we use AWS. We registered the application as SPA in Azure, maybe (how to check it?). We use MSAL 2.0. I think that is the auth code flow. Is it correct? – Bigeyes Sep 01 '21 at 13:52
  • @Bigeyes That's correct. When you add the redirectUri to the SPA platform, your application will be recognized as a SPA application. The solution is that you only need to add the redirectUri to the web platform, and then delete the redirectUri of the SPA platform, and then you can use the auth code flow to obtain the token on the backend. – Carl Zhao Sep 02 '21 at 09:50
  • Hi, thanks for your nice answer. But the thing is that in my case (Angular + Spring Boot), I filed an issue in the MSAL GitHub and the Microsoft MSAL team answered me: with MSAL 2.0 I have to use the redirectUri in the SPA platform rather than the web platform. – Bigeyes Sep 02 '21 at 14:13