JNF

Reputation: 3730

Azure Active Directory Access Token from Id Token

I'm using webView to build a mobile app. It means we're writing in HTML/JS hosted locally (file system), receiving data from APIs. Using ADAL.js I received an id_token; trying to use it to get an authentication token, as described here, results in a 401 Unauthorized.

Is some configuration missing?

Request:

POST https://myAMS.azure-mobile.net/login/aad HTTP/1.1
Host: myAMS.azure-mobile.net
Connection: keep-alive
Content-Length: 1264
Pragma: no-cache
Cache-Control: no-cache
Accept: application/json, */*; q=0.01
Origin: file://
Authorization: Bearer ey...Ww
User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; en-us; Nexus 4 Build/JOP40D) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2307.2 Mobile Safari/537.36
Content-Type: application/json
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8

access_token=ey...Ww

Response

HTTP/1.1 401 Unauthorized
Content-Length: 0
Server: Microsoft-IIS/8.0
WWW-Authenticate: Basic realm="Service"
Access-Control-Allow-Origin: *
X-Powered-By: ASP.NET
Date: Mon, 27 Jul 2015 10:47:45 GMT

Upvotes: 2

Views: 1346

Answers (1)

vibronet

Reputation: 7394

This is likely an audience mismatch. ADAL.JS obtains an id_token via implicit flow, which requires identifying the target resource by its clientID (a GUID). I am not in the mobile services team, but I assume they expect in the incoming token the app ID URI instead. You need to get an access token in order to get an audience other than the clientID. The sample in https://github.com/AzureADSamples/SinglePageApp-WebAPI-AngularJS-DotNet shows you how. Disclaimer: ADAL.JS is not designed to be used in a web view. You might find its use difficult in that scenario. For those cases, we provide a Cordova plugin: http://www.cloudidentity.com/blog/2015/04/06/adal-plugin-for-apache-cordova-deep-dive/

Upvotes: 1
