Mike

Reputation: 2605

id_token is malformed when calling refresh token

As part of our Azure API Management setup we are using OAuth 2.0 combined with Active Directory.

We are using the id_token (JWT) to authenticate, which is working well.

We can request an id_token via the redirect URL (Microsoft login), and this token can be used to call our API successfully (validated against our API policy).

The problem occurs when we want to refresh the token.

We follow this process: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-code#refreshing-the-access-tokens

[Screenshot: Refresh Token Request]

As you can see, I get an id_token back (because the scope openid is passed), but the problem is that the id_token is malformed.

Instead of being made up of 3 parts, e.g. AAAA.BBBB.CCCC,

the id_token returned only has 2 parts (missing the signature), e.g. AAAA.BBBB.

When using this id_token to authenticate, it obviously fails :(

Upvotes: 1

Views: 844

Answers (1)

sdoxsee

Reputation: 4681

I'm not sure why the id_token only has two parts but isn't it the access token that you should be sending to authorize requests? Perhaps the id_token was working earlier because it was signed by the proper authorization server but should have been the access token all along? It's the access token that's supposed to be refreshed after all.

I assume you sent "offline_access" as one of your scopes when you originally got your valid id_token, access_token, and refresh_token, or you shouldn't have received a refresh_token. https://www.rfc-editor.org/rfc/rfc6749#section-6 says that if you provide a scope on the refresh request, your access token shouldn't be limited to the scope(s) provided in the refresh request. The OpenID Connect spec (http://openid.net/specs/openid-connect-core-1_0.html#RefreshTokenResponse) says that a refresh request is like the token request except it "might not contain an id_token". It seems to me that all bets are off when it comes to expecting the id_token in the refresh response unless it's an implementation-specific feature in Azure.

Update: From https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code#refresh-the-access-token

"id_token--An unsigned JSON Web Token (JWT). The app can base64Url decode the segments of this token to request information about the user who signed in. The app can cache the values and display them, but it should not rely on them for any authorization or security boundaries. For more information about id_tokens see the v2.0 endpoint token reference."

Notice it's unsigned. That's your missing third part of the JWT.

Upvotes: 2
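As an added illustration of the answer's point (not code from the question or the answer, and not an Azure AD library), the following Python splits a compact JWT, decodes its header and claims, and reports whether a signature segment is present, so that an unsigned "AAAA.BBBB." token from the refresh response can be read for display but never accepted as a credential. The sample tokens are constructed inline; the header contents of Azure's unsigned id_token are an assumption.

```python
import base64
import json


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_jwt(token: str) -> dict:
    """Split a compact JWT and report whether it carries a signature.

    A signed JWT is header.payload.signature. The unsigned id_token that
    the refresh grant returns has an empty or absent third segment.
    """
    parts = token.split(".")
    if len(parts) not in (2, 3):
        raise ValueError("not a compact JWT: expected 2 or 3 segments")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    signature = parts[2] if len(parts) == 3 else ""
    has_alg = str(header.get("alg", "none")).lower() != "none"
    return {"segments": len(parts), "header": header, "claims": claims,
            "signed": bool(signature) and has_alg}


def usable_for_authorization(token: str) -> bool:
    """Gate: only a token that carries a signature may be treated as a
    credential. Verifying that signature against the issuer's keys is a
    separate, still-required step; this gate only rejects what cannot be
    verified at all (for example the refresh-response id_token)."""
    return inspect_jwt(token)["signed"]


# Constructed sample tokens (not real Azure AD tokens).
_HDR_RS256 = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
_HDR_NONE = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
_CLAIMS = _b64url_encode(json.dumps({"sub": "user-1", "aud": "api://example"}).encode())
SIGNED_TOKEN = f"{_HDR_RS256}.{_CLAIMS}.{_b64url_encode(b'fake-signature')}"
UNSIGNED_TOKEN = f"{_HDR_NONE}.{_CLAIMS}."  # the AAAA.BBBB. shape from the question

if __name__ == "__main__":
    for name, tok in (("signed", SIGNED_TOKEN), ("unsigned", UNSIGNED_TOKEN)):
        info = inspect_jwt(tok)
        print(name, info["segments"], "segments, signed =", info["signed"])
```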
