
Overview

It seems that Microsoft will not issue JWT access tokens for personal accounts.

In Azure AD I created an app registration with the type 'Personal Microsoft accounts only'.
My SPA uses that app registration and I can authenticate against it.
After authenticating my SPA receives an id token and an access token.
But the access token does not look like a JsonWebToken.

AFAIK access tokens always start with the characters 'eyJ', but the token issued by Azure AD starts with 'EwC', and when I debug the access token on jwt.ms the console tells me 'Invalid token specified: Unexpected token'.

But this is only the case if I choose the account type 'Personal Microsoft accounts only'.
It works if I'm using the type 'Accounts in this organizational directory only'.

When I send the invalid token to my REST Api I get a 401 response with the header WWW-Authenticate: Bearer error="invalid_token".
The api is configured to accept JWT Bearer tokens and uses the same Azure AD app registration.

Calling the OAuth userinfo endpoint with the issued token works fine.

It's worth mentioning that I use Azure with my personal Microsoft Account.

Is there a way to get JWT access tokens with personal Microsoft accounts?

stefan

2 Answers


Reading the friendly manual (RTFM) has answered my question.
I had to create two app registrations in the Azure portal:
one for my SPA and one for my REST API, and then give my SPA permission to access the REST API.

It is well described here:
https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-access-web-apis

When sending the initial authentication request the scope must include the permission that was granted to my REST API.
The response will contain the JWT access token that is issued for the REST API.

stefan

Please check whether any of the following is your case, to work around it:

1) JSON Web Tokens consist of three parts separated by dots (.): Header.Payload.Signature.


In one of the scenarios like this, tokens have the format

access_token=EwC...  &authentication_token=eyJ… 

i.e. the access token starts with EwC, whereas the authentication token starts with eyJ.

So in your case (SPA), it looks like it uses 'id_token' in place of 'access_token'.

id_token is a JSON Web Token used to identify the authenticated user, e.g. for SSO. The access_token must be used to prove access rights to protected resources, e.g. for the userinfo endpoint in OpenID Connect.
So try debugging with the id_token, which might be acting as the access token.

ID tokens | Microsoft Docs

OR

Sometimes token expiry might be the reason for the invalid token authentication, as a token may not be valid after it expires.

So, check the token lifetime and create a new authentication request.

scenarios-spa

Also see scenario-spa-app-registration which says

If your application signs in users, select ID tokens.

If your application also needs to call a protected web API, select Access tokens. For more information about these token types, see ID tokens and Access tokens.

OR

2)

Once the app is registered, the app communicates with the Microsoft identity platform by sending requests to the endpoints:

https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize

https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token

Where {tenant} can take one of several values:

common: Allows users with both personal Microsoft accounts and work/school accounts from Azure AD to sign into the application.

consumers: Allows only users with personal Microsoft accounts (MSA) to sign into the application.

i.e. in the startup class or, say, the authconfig file in the SPA:

CODE example: /quickstart-v2-javascript-auth-code

    authority: "https://login.microsoftonline.com/consumers/......",

References:

  1. active-directory-v2-protocols#endpoints
  2. how-to-authenticate-in-microsoft-graph-with-microsoft-personal-accounts-only
  3. c-sharp-asp-net-core-bearer-error-invalid-token
kavyaS
  • @kavyasaraboju-MT thanks for your answer. I tried all your suggestions, but nothing worked. – stefan Aug 23 '21 at 18:42
  • Thanks for the update. Please check the scopes and audience configuration in your code, or get rid of the validateAuthority property if present, and check out similar issues here in detail: [thread1](https://stackoverflow.com/questions/64498872/net-core-3-1-bearer-error-invalid-token-error-description-the-audience-emp), [thread2](https://github.com/AzureAD/microsoft-identity-web/issues/1117). If the issue remains, please try to provide complete or related code samples if possible and the detailed error, creating another question, which can help to investigate in detail. – kavyaS Aug 24 '21 at 19:16
  • thanks for your support. I will try it at the weekend and report back. – stefan Aug 24 '21 at 19:44
  • I created only one app registration, but in my case I have to create two, one for my SPA and one for the REST Api. Then the SPA needs permission to access the REST Api. https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-access-web-apis – stefan Aug 26 '21 at 18:51