Janis Knets

Reputation: 13

How to get access_token for MS Graph and id_token through /authorize?p=<POLICY>

What I want to achieve is quite simple: let the user sign in with an Azure AD B2C Sign-In policy and acquire an access_token to communicate with the Microsoft Graph API and an id_token to communicate with a private API. All of this would be done in a single-page application (using ReactJS).

Perhaps there is a way to acquire an access_token for the Microsoft Graph API from an AAD B2C id_token, as I can retrieve the id_token without any problems.

I've already looked at various MS Graph scenarios and tried a sea of different variations of how I could construct the sign-in URL, but I always end up missing something (code, token, id_token).

The app that I'm using for this was created on apps.dev.microsoft.com, but I'm not sure that it was fully configured correctly (not that there is much to configure).

Here is the output of https://login.microsoftonline.com/{{tenant_id}}/v2.0/.well-known/openid-configuration?p={{policy}}, which indicates that it doesn't support token as the request_type (if I remove the policy from the query, then it is allowed):

{
  "issuer": "https:\/\/login.microsoftonline.com\/aaaaaaaa-aaaa-aaaaa-aaaa-aaaaaaaaaaaa\/v2.0\/",
  "authorization_endpoint": "https:\/\/login.microsoftonline.com\/{{tenant_id}}\/oauth2\/v2.0\/authorize?p={{policy}}",
  "token_endpoint": "https:\/\/login.microsoftonline.com\/{{tenant_id}}\/oauth2\/v2.0\/token?p={{policy}}",
  "end_session_endpoint": "https:\/\/login.microsoftonline.com\/{{tenant_id}}\/oauth2\/v2.0\/logout?p={{policy}}",
  "jwks_uri": "https:\/\/login.microsoftonline.com\/{{tenant_id}}\/discovery\/v2.0\/keys?p={{policy}}",
  "response_modes_supported": [
    "query",
    "fragment",
    "form_post"
  ],
  "response_types_supported": [
    "code",
    "id_token",
    "code id_token"
  ],
  "scopes_supported": [
    "openid"
  ],
  "subject_types_supported": [
    "pairwise"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_post"
  ],
  "claims_supported": [
    "oid",
    "sub",
    "idp",
    "tfp"
  ]
}

I guess what I would like to see as an answer is how I can call the https://login.microsoftonline.com/{{tenant_id}}/oauth2/v2.0/authorize?p={{policy}}&... endpoint so that it provides either id_token + access_token, or a code to retrieve them from .../oauth2/v2.0/token?p={{policy}}...

Thanks in advance!

Upvotes: 1

Views: 1510
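The following is an added example, not code from the question or from Microsoft's libraries. It builds the B2C authorize request a SPA would redirect to, but only after checking the policy's discovery document, so a response_type the policy does not offer (the question's discovery output lists code, id_token and code id_token, and no token) fails in code instead of producing a redirect that comes back without the expected artefacts. The tenant name, policy name, client id and redirect URI are placeholders assumed for the example; the discovery object is constructed from the fields shown in the question.

```javascript
// Added example, not from the original question. Tenant, policy, client id
// and redirect URI below are placeholder assumptions.

// Constructed from the question's discovery output (only the fields used here).
const DISCOVERY = {
  authorization_endpoint:
    "https://login.microsoftonline.com/contoso.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_signin",
  response_types_supported: ["code", "id_token", "code id_token"],
  response_modes_supported: ["query", "fragment", "form_post"],
  scopes_supported: ["openid"],
};

// response_type is a space-separated set: "id_token code" means "code id_token".
function normalizeResponseType(rt) {
  return rt.trim().split(/\s+/).sort().join(" ");
}

// True only if the policy advertises exactly this combination of response types.
function supportsResponseType(discovery, responseType) {
  const want = normalizeResponseType(responseType);
  return discovery.response_types_supported.some((rt) => normalizeResponseType(rt) === want);
}

function buildAuthorizeUrl(discovery, { clientId, redirectUri, responseType, responseMode, scope, state, nonce }) {
  if (!supportsResponseType(discovery, responseType)) {
    throw new Error(`policy does not support response_type "${responseType}"`);
  }
  if (!discovery.response_modes_supported.includes(responseMode)) {
    throw new Error(`policy does not support response_mode "${responseMode}"`);
  }
  // state ties the redirect back to this request; nonce is echoed in the id_token.
  // Both must be unpredictable (crypto.getRandomValues in the SPA) and stored
  // (e.g. sessionStorage) until the redirect returns.
  if (!state || !nonce) throw new Error("state and nonce are required");

  const url = new URL(discovery.authorization_endpoint); // keeps ?p=<policy>
  const params = {
    client_id: clientId,
    redirect_uri: redirectUri,
    response_type: normalizeResponseType(responseType),
    response_mode: responseMode,
    scope,
    state,
    nonce,
  };
  for (const [k, v] of Object.entries(params)) url.searchParams.set(k, v);
  return url.toString();
}

// Parse the redirect fragment (response_mode=fragment) and reject it unless
// state matches what the SPA stored before redirecting.
function parseFragmentResponse(fragment, expectedState) {
  const params = new URLSearchParams(fragment.replace(/^#/, ""));
  if (params.get("state") !== expectedState) throw new Error("state mismatch");
  if (params.has("error")) {
    throw new Error(`${params.get("error")}: ${params.get("error_description") || ""}`);
  }
  return { code: params.get("code"), idToken: params.get("id_token") };
}

// Usage: the SPA redirects to this URL, then calls parseFragmentResponse on
// window.location.hash when it comes back.
const loginUrl = buildAuthorizeUrl(DISCOVERY, {
  clientId: "11111111-2222-3333-4444-555555555555",
  redirectUri: "https://localhost:3000/auth",
  responseType: "code id_token",
  responseMode: "fragment",
  scope: "openid",
  state: "replace-with-random-state",
  nonce: "replace-with-random-nonce",
});
```

The id_token still has to be validated after parsing (signature against the policy's jwks_uri, issuer, audience, and that the nonce claim equals the stored nonce); the fragment parser above only establishes that the response belongs to the request that was sent.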

Answers (1)

Omer Iqbal

Reputation: 2293

As of now, you can get an id_token and an access_token using OAuth2 for your own API, but not MS Graph.

If you have a SPA application, one workaround could be to expose your own API to the client, and that API can internally call MS Graph in application-only context. That is, it will acquire a token using application-only credentials to a given tenant in MS Graph and be able to query any user.

This can also enable you to expose a richer API (e.g. combine user attributes from the directory with application specific data), which the client applications can use for various queries and operations.

You can post a new idea or vote for an existing one (if it exists) regarding access_token to MS Graph in the feedback forums.

Upvotes: 1
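An added example of the workaround the answer describes, written for this page and not code from the answerer or from Microsoft: a small backend helper that acquires an app-only Microsoft Graph token with the OAuth2 client_credentials grant and looks a user up by object id, so the SPA calls this API instead of Graph. The tenant, client id and secret are placeholder assumptions, and the HTTP transport is injected so the code runs offline against a fake fetch.

```javascript
// Added example, not from the original answer. Credentials and transport are
// injected; the values used in the usage line are placeholders.

const GRAPH_BASE = "https://graph.microsoft.com/v1.0";
const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Client-credentials request. The app-only token comes from the tenant's
// Azure AD v2.0 token endpoint (no ?p= policy), with the Graph ".default"
// scope, i.e. whatever application permissions were granted to the app
// registration (for example User.Read.All).
function buildTokenRequest(tenantId, clientId, clientSecret) {
  return {
    url: `https://login.microsoftonline.com/${encodeURIComponent(tenantId)}/oauth2/v2.0/token`,
    init: {
      method: "POST",
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: new URLSearchParams({
        grant_type: "client_credentials",
        client_id: clientId,
        client_secret: clientSecret,
        scope: "https://graph.microsoft.com/.default",
      }).toString(),
    },
  };
}

// Graph user lookup. The id is checked to be a GUID before it goes into the
// path, so caller-supplied input cannot change which resource is requested.
function buildUserRequest(accessToken, objectId, select = ["id", "displayName", "identities"]) {
  if (!GUID_RE.test(objectId)) throw new Error("objectId must be a GUID");
  const url = new URL(`${GRAPH_BASE}/users/${objectId}`);
  url.searchParams.set("$select", select.join(","));
  return {
    url: url.toString(),
    init: { method: "GET", headers: { Authorization: `Bearer ${accessToken}` } },
  };
}

class GraphClient {
  constructor({ tenantId, clientId, clientSecret, fetchImpl = globalThis.fetch, now = Date.now }) {
    Object.assign(this, { tenantId, clientId, clientSecret, fetchImpl, now });
    this.cached = null; // { accessToken, expiresAt }
  }

  async accessToken() {
    // App-only tokens are not per-user, so one cached token serves every SPA
    // caller; refresh it 60 s before expiry.
    if (this.cached && this.cached.expiresAt - this.now() > 60 * 1000) return this.cached.accessToken;
    const { url, init } = buildTokenRequest(this.tenantId, this.clientId, this.clientSecret);
    const res = await this.fetchImpl(url, init);
    if (!res.ok) throw new Error(`token endpoint returned ${res.status}`);
    const body = await res.json();
    this.cached = { accessToken: body.access_token, expiresAt: this.now() + body.expires_in * 1000 };
    return this.cached.accessToken;
  }

  async getUser(objectId) {
    const { url, init } = buildUserRequest(await this.accessToken(), objectId);
    const res = await this.fetchImpl(url, init);
    if (res.status === 404) return null;
    if (!res.ok) throw new Error(`Graph returned ${res.status}`);
    return res.json();
  }
}

// Usage (placeholder credentials; real ones belong in the API's secret store,
// never in the SPA):
const graph = new GraphClient({
  tenantId: "contoso.onmicrosoft.com",
  clientId: "11111111-2222-3333-4444-555555555555",
  clientSecret: "placeholder-secret",
});
```

Because the Graph token is app-only, this API must itself authenticate the SPA's caller (validate the B2C token it presents against the policy's jwks_uri, issuer and audience) and restrict which object ids a caller may look up, typically only the oid in their own token; without that, the endpoint is an unauthenticated read of the whole directory.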
