0

I'm having problems understanding the verification and validation of a token.

I have a server running that is registered on Azure with Application id = SERVER_ID

I also have a client application registered on azure with Application id = CLIENT_ID

In Python with the msal library, I can acquire a token for the server with the username and password workflow:

import msal

# Placeholder values: replace with the ids from the Azure app registrations.
TENANT_ID = "<tenant-id>"
SERVER_ID = "<server-application-id>"
USERNAME = "<user@tenant.onmicrosoft.com>"
PASSWORD = "<password>"

app = msal.PublicClientApplication(
    client_id=SERVER_ID,
    authority=f"https://login.microsoftonline.com/{TENANT_ID}",
)

# Username/password (ROPC) flow; on success the result dict carries
# "access_token" and "id_token", on failure it carries "error".
result = app.acquire_token_by_username_password(
    USERNAME, PASSWORD, scopes=["User.ReadBasic.All"]
)

This result contains an access_token and an id_token. I can successfully validate the id_token by using this library (https://github.com/yejianquan/gems/blob/823076051695029b4d699744dc76c959a8476230/src/python-azure-ad-token-validate/aadtoken/init.py)

but I cannot do the same with the access token.

On the other hand, I can also get an access token for a client application like this:

import msal

# Placeholder values: replace with the ids and secret from the Azure app registrations.
TENANT_ID = "<tenant-id>"
CLIENT_ID = "<client-application-id>"
SERVER_ID = "<server-application-id>"

app = msal.ConfidentialClientApplication(
    client_id=CLIENT_ID,
    client_credential="<client-secret>",
    authority=f"https://login.microsoftonline.com/{TENANT_ID}",
)
# Client credentials flow: the token is issued for the server's app id (its aud claim).
result = app.acquire_token_for_client(scopes=[f"{SERVER_ID}/.default"])

Inside result there is only an access_token, which I can verify with the previous library.

Assuming I make requests to the server by adding the token in the headers:

import requests

token = result["access_token"]  # from one of the msal results above
url = "<server-endpoint-url>"   # placeholder for the server's URL

headers = {
    'Authorization': f'Bearer {token}',
    'Content-Type': 'application/octet-stream',
}
response = requests.get(url, headers=headers)

Which token should I use, the access_token or the id_token? If it's the access_token, how should I validate it in the case of the username/password workflow? Do I have to use some private key, and when?

Many thanks

Alberto B
  • Looks like you are trying to validate an MS Graph API access token. You won't be able to do that as the format is somehow different for them. You should not be validating tokens not meant for your API anyway in general. – juunas May 16 '23 at 11:06

1 Answer

0

I created an Azure AD Application and added API permissions like below:

[screenshot]

Now, I generated an access token using the username and password workflow in Postman:

https://login.microsoftonline.com/TenantID/oauth2/v2.0/token

client_id:ClientID
client_secret:ClientSecret
username:admin@xxx.onmicrosoft.com
password:***
grant_type:password
scope:User.ReadBasic.All

[screenshot]

When I decode the token, I get the error Invalid Signature like below:

[screenshots]

Note that the Graph token is not meant for the application and hence is not meant to be validated. By using the token, you can call the Graph API and decode the token to check if there are any missing permissions.

  • You should treat access tokens as opaque while calling Microsoft Graph. Refer to this SO thread by Jim Xu.
  • You can generate the ID token, which can be validated, as suggested by Bruno Marotta in this SO thread.

Hence, to validate the token, pass the scope as api://ClientID/admin.read like below:

[screenshot]

Now, the signature is verified successfully with aud as api://ClientID like below:

[screenshot]

Rukmini