DavidA

Reputation: 4184

Azure AD openid connect not including token_type in response

I am attempting to convert over from the old Azure AD OpenId Connect to use the new Azure AD v2.0 endpoint as documented here: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oidc

When I attempt to request a token via the v2.0 token endpoint: https://login.microsoftonline.com/common/oauth2/v2.0/token I get a response that only includes an 'id_token' field, and not a 'token_type', or any other fields. The library I am using to parse the response is the Nimbus library for OpenID and OAuth2. The OIDCTokenResponseParser throws an exception because the 'token_type' is missing from the response.

I have looked at the OpenID Connect Protocol specifications, and it says that a request to the token endpoint requires 'token_type', so it seems as though the response from the endpoint is invalid.

Has anyone run into this issue, and if so, how did you deal with it?

UPDATE 3/2/2018

My flow works with the old endpoint. I redirect the user here:

https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id={id}&redirect_uri={uri}&scope=openid+profile+email&state={state}

The user logs in, and they are redirected to my app, and code is provided via a query parameter.

I turn around and make this request:

https://login.microsoftonline.com/common/oauth2/token?code={code}&grant_type=authorization_code&client_secret={secret}

And I get a response that looks like this.

{
    "token_type": "Bearer",
    "expires_in": "3599",
    "ext_expires_in": "0",
    "expires_on": "1520018953",
    "access_token": "{token}",
    "refresh_token": "{token}",
    "id_token": "{token}"
}

I try to handle the v2.0 version the same way. I redirect the user to:

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=code&client_id={id}&redirect_uri={uri}&scope=openid+profile+email&state={state}

And after they sign in, they are redirected back to my app with the 'code' as a query parameter.

I then send this request:

https://login.microsoftonline.com/common/oauth2/v2.0/token?code={code}&grant_type=authorization_code&client_secret={secret}&redirect_uri={uri}&client_id={id}

But this is the response I get:

{
    "id_token": "{token}"
}

Upvotes: 2

Views: 980

Answers (1)

Philippe Signoret

Reputation: 14336

The scopes you've requested can all be satisfied with the contents of the ID Token only. In your Auth Request, try including a scope that would indicate that you need an access token (e.g. https://graph.microsoft.com/User.Read), and the response will have the expected token_type and access_token.

Upvotes: 3
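To illustrate the answer's point, here is an added example (not the asker's code and not the Nimbus library) that builds the v2.0 authorization request with or without a resource scope, and parses both response shapes from the question: the id_token-only response that breaks a strict parser, and the full response that carries token_type. Token values and the `https://app/cb` redirect URI are constructed placeholders; the Graph scope is the one the answer suggests.

```python
import json
from urllib.parse import urlencode

V2_AUTHORIZE = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"

# Constructed sample responses in the two shapes seen in the question; the
# token values are placeholders, not real JWTs or access tokens.
ID_ONLY_RESPONSE = '{"id_token":"hdr.payload.sig"}'
FULL_RESPONSE = ('{"token_type":"Bearer","expires_in":"3599",'
                 '"access_token":"opaque-access-token","id_token":"hdr.payload.sig"}')


def build_authorize_url(client_id, redirect_uri, state, scopes):
    """Build the v2.0 authorization request URL. Only the scope list differs between
    an ID-token-only sign-in and one that also yields an access token."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": " ".join(scopes), "state": state}
    return V2_AUTHORIZE + "?" + urlencode(params)


def parse_token_response(body):
    """Parse a v2.0 token response without assuming token_type is always present.

    token_type describes the access token, so it is required exactly when an
    access_token is returned; an id_token-only response has nothing to type.
    Checks are structural only: the id_token still needs signature/claims validation."""
    data = json.loads(body)
    if "error" in data:
        raise ValueError("token endpoint error: %s" % data["error"])
    id_token = data.get("id_token")
    if not isinstance(id_token, str) or id_token.count(".") != 2:
        raise ValueError("response lacks a JWT-shaped id_token")
    access_token = data.get("access_token")
    token_type = data.get("token_type")
    if access_token is not None and (token_type or "").lower() != "bearer":
        raise ValueError("access_token present but token_type missing or not Bearer")
    if access_token is None and token_type is not None:
        raise ValueError("token_type present without an access_token")
    expires_in = int(data["expires_in"]) if "expires_in" in data else None
    return {"id_token": id_token, "access_token": access_token,
            "token_type": token_type, "expires_in": expires_in}


def is_rejected(body):
    """True if parse_token_response refuses the response (used for negative cases)."""
    try:
        parse_token_response(body)
        return False
    except ValueError:
        return True
```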
