manuel

Reputation: 252

Azure AD token endpoint doesn't return an access_token (just an id_token and a refresh_token)

I'm using Xamarin.Auth for authenticating users against Google and Azure AD in a Xamarin Forms based mobile app. While everything works as expected with Google, I'm unable to get an access_token with Azure AD:

I can replay this scenario in Postman, so this doesn't seem to be caused by Xamarin.Auth and is more likely to be blamed on my inability to properly interpret Microsoft's documentation...

Your help would be truly appreciated!


Upvotes: 4

Views: 2849

Answers (1)

Nan Yu

Reputation: 27538

You should include a resource scope when acquiring a token in Azure AD v2.0. Any web-hosted resource that integrates with Azure AD has a resource identifier, or Application ID URI. For example, Microsoft Graph is https://graph.microsoft.com.

If you want to acquire an access token for Microsoft Graph, and have permission to read the mails of the signed-in user, then the token request would be:

POST /{tenant}/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded

client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&scope=https%3A%2F%2Fgraph.microsoft.com%2Fmail.read
&code=OAAABAAAAiL9Kn2Z27UubvWFPbm0gLWQJVzCTE9UkP3pSx1aXxUjq3n8b2JRLk4OxVXr...
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&grant_type=authorization_code
&client_secret=JqQX2PNo9bpM0uEihUPzyrh    // NOTE: Only required for web apps

Please read this document for how the OAuth 2.0 authorization code flow works in Azure AD v2.0, and click here for Scopes, permissions, and consent in the Azure Active Directory v2.0 endpoint.

Upvotes: 6
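The answer's point, worked through as an added example that is not part of the original answer or of Xamarin.Auth: the first function builds the v2.0 token request with a resource-qualified `scope` and refuses the request shape that yields only an `id_token` and `refresh_token`; the second inspects a token response and reports whether an `access_token` came back and whether its `aud` and `scp` claims match the resource and permission that were asked for. The sample responses and the JWTs inside them are constructed locally and carry dummy signatures; the function names, the `OIDC_SCOPES` set and the `expected_aud` value are this example's own assumptions, not Microsoft's API.

```python
import base64
import json
from urllib.parse import urlencode

# Reserved OpenID Connect scopes: they shape the id_token but name no protected resource.
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def build_token_request(tenant, client_id, code, redirect_uri, scopes, client_secret=None):
    """Return (url, form_body) for redeeming an authorization code at the v2.0 endpoint.

    Raises ValueError when no resource scope is present, because that is exactly the
    request shape that yields id_token + refresh_token but no access_token.
    """
    resource_scopes = [s for s in scopes if s.lower() not in OIDC_SCOPES]
    if not resource_scopes:
        raise ValueError("scope names no resource (e.g. https://graph.microsoft.com/Mail.Read); "
                         "the endpoint will not issue an access_token")
    params = {
        "client_id": client_id,
        "scope": " ".join(scopes),
        "code": code,
        "redirect_uri": redirect_uri,
        "grant_type": "authorization_code",
    }
    if client_secret is not None:  # only confidential (web) clients send a secret
        params["client_secret"] = client_secret
    return TOKEN_ENDPOINT.format(tenant=tenant), urlencode(params)


def _b64url_decode(segment):
    segment += "=" * (-len(segment) % 4)  # restore the padding base64url strips
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def inspect_token_response(body, expected_aud, required_scopes):
    """Diagnose a token response: is there an access_token, and is it for the right resource?

    The payload is decoded WITHOUT signature verification. A client never needs to validate
    an access token (the resource server does); this is troubleshooting only.
    """
    resp = json.loads(body)
    report = {"ok": False, "problems": [], "aud": None, "scp": []}
    token = resp.get("access_token")
    if token is None:
        report["problems"].append(
            "no access_token in response (got: %s); add a resource scope such as "
            "https://graph.microsoft.com/Mail.Read" % ", ".join(sorted(resp)))
        return report
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    report["aud"] = payload.get("aud")
    report["scp"] = payload.get("scp", "").split()
    if report["aud"] != expected_aud:
        report["problems"].append("audience %r is not %r" % (report["aud"], expected_aud))
    granted = {s.lower() for s in report["scp"]}
    missing = [s for s in required_scopes if s.lower() not in granted]
    if missing:
        report["problems"].append("scopes not granted: %s" % ", ".join(missing))
    report["ok"] = not report["problems"]
    return report


# --- constructed sample data (not real tokens) --------------------------------
def _fake_jwt(payload):
    """Build a syntactically valid JWT with a dummy signature, for the demo only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return "%s.%s.%s" % (enc({"alg": "RS256", "typ": "JWT"}), enc(payload), "c2lnbmF0dXJl")


# Response shape from the question: only id_token and refresh_token.
RESPONSE_NO_ACCESS_TOKEN = json.dumps({
    "token_type": "Bearer", "expires_in": 3599, "scope": "openid profile",
    "id_token": _fake_jwt({"aud": "6731de76-14a6-49ae-97bc-6eba6914391e", "sub": "user-1"}),
    "refresh_token": "constructed-refresh-token",
})

# Response after adding the Graph scope from the answer.
RESPONSE_WITH_ACCESS_TOKEN = json.dumps({
    "token_type": "Bearer", "expires_in": 3599, "scope": "Mail.Read",
    "access_token": _fake_jwt({"aud": "https://graph.microsoft.com", "scp": "Mail.Read"}),
    "refresh_token": "constructed-refresh-token",
})

if __name__ == "__main__":
    url, body = build_token_request(
        "common", "6731de76-14a6-49ae-97bc-6eba6914391e", "<authorization code>",
        "http://localhost/myapp/", ["https://graph.microsoft.com/Mail.Read", "offline_access"])
    print(url, body, sep="\n")
    for resp in (RESPONSE_NO_ACCESS_TOKEN, RESPONSE_WITH_ACCESS_TOKEN):
        print(inspect_token_response(resp, "https://graph.microsoft.com", ["Mail.Read"]))
```

Running it prints the encoded form body with `scope=https%3A%2F%2Fgraph.microsoft.com%2FMail.Read+offline_access`, then a report for each constructed response: the first flags the missing `access_token`, the second passes with `aud` set to the Graph resource and `scp` containing `Mail.Read`. Checking `aud` matters in practice because a token whose audience is another resource will be rejected by Graph even though it is a perfectly valid JWT.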
