Allan Xu

Reputation: 9288

Azure AD OAuth flow returns me “id token”. I need ‘access token’ to be able to get a list of groups

In my Azure AD application's manifest, I have "groupMembershipClaims": "SecurityGroup". However, the JWT tokens that I get through Azure AD OAuth2 authentication do not include "groups" or "hasGroups" fields.

After some research, I found this very brief answer: Azure ad group membership claims

It seems that after the OAuth2 authentication, I am getting an id token and I need to figure out a way to get an access token.

How can I have Azure AD OAuth2 authentication send me an ‘access token’?

Update

Thank you @Philippe Signoret for taking a look at this.

The AAD application is created by following these steps:

https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad

The problem can be reproduced with this implicit flow URL:

https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?client_id={app id}&response_type=token&redirect_uri=http%3A%2F%2Flocalhost%2f&scope=openid&state=12345&nonce=678910

Here is how groupMembershipClaims is set up:

The JWT that is missing groups looks like this:

{
    "aud": "00000003-0000-0000-c000-000000000000",
    "iss": "https://sts.windows.net/XXXXXXXXXX--XXXXXXXXXX/",
    "iat": XXXXXXXXXX,
    "nbf": XXXXXXXXXX,
    "exp": XXXXXXXXXX,
    "acct": 1,
    "acr": "1",
    "aio": "XXXXXXXXXX",
    "altsecid": "5::XXXXXXXXXX",
    "amr": [
        "pwd"
    ],
    "app_displayname": "XXXXXXXXXX",
    "appid": "XXXXXXXXXX",
    "appidacr": "0",
    "email": "XXXXXXXXXX",
    "idp": "https://sts.windows.net/XXXXXXXXXX/",
    "ipaddr": "XXXXXXXXXX",
    "name": "XXXXXXXXXX",
    "oid": "XXXXXXXXXX",
    "platf": "3",
    "puid": "XXXXXXXXXX",
    "scp": "Directory.Read.All User.Read profile openid email",
    "signin_state": [
        "kmsi"
    ],
    "sub": "XXXXXXXXXX",
    "tid": "XXXXXXXXXX",
    "unique_name": "XXXXXXXXXX",
    "uti": "XXXXXXXXXX",
    "ver": "1.0",
    "xms_st": {
        "sub": "XXXXXXXXXX"
    },
    "xms_tcdt": XXXXXXXXXX
}

Upvotes: 1

Views: 1665

Answers (1)

RrR-

Reputation: 1410

For most Identity Providers, sending the response_type parameter as id_token token instead of token returns both the access token and the id token from the token endpoint. I suggest you try the same in Azure as well.

Upvotes: 1
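As an added illustration of the two points in this thread (not code from the question or the answer), the following Python helper builds the implicit-flow authorize URL with the response_type the answer suggests, and decodes a token's payload so you can see which claims it actually carries: whether a groups claim is present, whether the token only signals a group overage (the hasgroups flag or the _claim_names pointer that Azure AD uses when a user is in too many groups), or whether group information is absent. The tenant, app id and sample token are constructed placeholders, and the decoder deliberately skips signature validation because its purpose is claim inspection, not trust.

```python
import base64
import json
from urllib.parse import urlencode

# Constructed placeholders; substitute your own tenant and application id.
TENANT = "contoso.onmicrosoft.com"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "http://localhost/"


def build_authorize_url(tenant, client_id, redirect_uri,
                        response_type="id_token token", scope="openid",
                        state="12345", nonce="678910"):
    """Build an Azure AD v2.0 authorize URL for the implicit flow.

    response_type='id_token token' requests both tokens in the fragment;
    the URL in the question used 'token' alone. The fixed state and nonce
    are constructed for the example and must be unpredictable in real use.
    """
    params = {
        "client_id": client_id,
        "response_type": response_type,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "nonce": nonce,
    }
    base = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?"
    return base + urlencode(params)


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_payload(token):
    """Return the payload of a compact JWS WITHOUT verifying its signature.

    Suitable only for looking at which claims a token carries. A relying
    party must validate signature, issuer, audience, nonce and expiry.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def group_claim_status(claims):
    """Classify how group membership is conveyed in a set of claims.

    'groups'  : the groups claim itself is present
    'overage' : too many groups to embed; the token carries hasgroups or a
                _claim_names pointer and the caller must query Graph instead
    'missing' : no group information at all (e.g. the token in the question)
    """
    if "groups" in claims:
        return "groups"
    if "hasgroups" in claims or "_claim_names" in claims:
        return "overage"
    return "missing"


def inspect_token(token):
    """Summarise the claims an operator cares about when debugging this issue."""
    claims = decode_jwt_payload(token)
    return {
        "aud": claims.get("aud"),
        "scp": claims.get("scp"),
        "ver": claims.get("ver"),
        "group_status": group_claim_status(claims),
    }


def make_unsigned_jwt(payload):
    """Constructed alg=none token used only to exercise the decoder offline."""
    enc = lambda obj: base64.urlsafe_b64encode(
        json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


# Constructed sample payload mirroring the shape of the token in the question.
SAMPLE_TOKEN = make_unsigned_jwt({
    "aud": "00000003-0000-0000-c000-000000000000",
    "scp": "Directory.Read.All User.Read profile openid email",
    "ver": "1.0",
})

if __name__ == "__main__":
    print(build_authorize_url(TENANT, CLIENT_ID, REDIRECT_URI))
    print(inspect_token(SAMPLE_TOKEN))
```

Run it, paste the token you receive in place of SAMPLE_TOKEN, and compare group_status across the id token and the access token returned by the id_token token request; the aud claim tells you which recipient each token was minted for.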
