CODEWITHSUNDEEP
azureazure-web-app-service
David Farr
David Farr

Reputation: 143

How to get Azure easy auth JWT access_token

I have an Azure App Service on which I have enabled Authentication/Authorization and configured AD as the authentication provider.

All /.auth routes exist on the service, and I can log in. After successful login I can call /.auth/me to get the access_token. The response looks like:

[
  {
     "access_token": "AQABAAAAAA...Gni4EiQgAA",
     "expires_on": "2017-02-28T19:17:08.0000000Z",
     "id_token": JWT TOKEN
     ...
  }
]

I then use the access_token in an authorization bearer header to request data from the service.

"Authorization": "Bearer " + "AQABAAAAAA...Gni4EiQgAA"

My service returns the following error

IDX10708: 'System.IdentityModel.Tokens.JwtSecurityTokenHandler' cannot read this string: 'AQABAAAAAA...Gni4EiQgAA'.

The string needs to be in compact JSON format, which is of the form: '<Base64UrlEncodedHeader>.<Base64UrlEndcodedPayload>.<OPTIONAL, Base64UrlEncodedSignature>'.

According to this discussion the access_token is intended to be used as a Bearer token. I have also read here that the access_token is supposed to be base64 encoded but this does not appear to be the case.

Additionally, if I use the id_token as a Bearer token, then authentication works as expected (the id_token is in JWT format).

Edit

When I manually implement the Oauth flow as described here, I receive a proper JWT access_token.

GET
https://login.microsoftonline.com/common/oauth2/authorize?client_id=client_id&response_type=code&redirect_uri=redirect_uri

Followed by

POST
https://login.microsoftonline.com/common/oauth2/token
  grant_type=authorization_code
  client_id=client_id
  code=CODE FROM ABOVE
  redirect_uri=redirect_uri
  resource=resource
  client_secret=client_secret

RESPONSE
{
  "access_token": JWT TOKEN,
  "token_type": "Bearer",
  ...
}

Upvotes: 6

Views: 12374

Answers (1)

Bruce Chen
Bruce Chen

Reputation: 18465

How to get Azure easy auth JWT access_token

According to your description, I enabled Authentication/Authorization and configured AD as the authentication provider to test this issue. As I known, when you enable Authentication/Authorization on Azure Portal, then the default response_type is id_token. You need to log into https://manage.windowsazure.com and update App Service Auth Configuration as follows:

enter image description here

Note: If you do not specify the resource for additionalLoginParams, you would retrieve a access_token that is not in JSON Web Token (JWT) format.

I then use the access_token in an authorization bearer header to request data from the service.

For accessing your service, you could leverage AppServiceAuthSession cookie or you could use Authorization:Bearer "{your-id-token}".

For more details, you could refer to this similar tutorial.

Upvotes: 7

Related Questions