Reputation: 2225
Wonder if someone can clarify this for me
I'm using ADAL.js to log in to an Angular 7 application via the implicit flow.
This works by sending response_type=id_token.
What happens with this response type is that the authorization endpoint is hit and I should get back an ID token.
However, I appear to be getting a bearer token back; Azure/Microsoft login redirects me to http://localhost:4200/#access_token=xxxxxxxx&token_type=Bearer
What I was expecting was that the token returned would be an ID token, not a bearer token; it does behave correctly like a bearer token when I call the back-end APIs.
ADAL.js doesn't appear to let me request "id_token token", which is the following:
I'm sorry, I started reading the spec and it's confused my understanding of an application that's working, but I'd certainly appreciate it if someone could shed a little light on what Azure actually does with its implicit flow; it only mentions id_token in the docs and makes no reference to the 'id_token token' response type.
If anything, Azure AD appears to be more in line with response_type=token.
Thanks in advance, Brian
Upvotes: 1
Views: 1683
Reputation: 9684
Azure AD V2.0 Endpoint
Microsoft Docs: v2.0 Protocols - SPAs using the implicit flow
It clearly mentions that for OpenID Connect you send response_type=id_token (which you're already sending) and scope=openid, which was probably missing and got resolved after implementing the flow using the MSAL library (as described by @brianbruff in comments).
Sample request from docs:
// Line breaks for legibility only
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&response_type=id_token
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&scope=openid
&response_mode=fragment
&state=12345
&nonce=678910
Azure AD V1.0 Endpoint
Microsoft Docs: Understanding the OAuth2 implicit grant flow in Azure Active Directory (AD)
Even here, documentation clearly says that id_token can be obtained when using OpenID Connect.
I must say, though, that I am not completely sure about the recommended/correct implementation to get an id_token in the case of the implicit grant flow with v1.0 yet. (At least @brianbruff is able to use v2.0 and resolve his problem.)
I see that another Microsoft Docs link for OpenID Connect with v1.0 (but not the implicit grant flow) mentions the usage of scope=openid. Although, right at the bottom of this page, I see open issues where users contradict the documentation in some way and have given feedback specifically for the implicit grant flow.
Upvotes: 2
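As an added illustration (not code from the question, ADAL.js, MSAL or Microsoft's docs), the snippet below builds a v2.0 authorize URL with response_type=id_token and scope=openid, then parses the fragment the redirect comes back with and fails clearly when only an access_token arrived, which is the symptom in the question. The tenant, client_id, redirect URI and the unsigned sample token are constructed values, and the decoding uses Node's Buffer (a browser would use atob); signature verification of the ID token is left out.

```javascript
// Added example, not from the question or Microsoft's docs. Builds a v2.0
// authorize URL for the OpenID Connect implicit flow and parses the fragment
// Azure AD redirects back with, checking that an id_token (not only an
// access_token) came back and that its nonce matches what was sent.
// Tenant, client_id, redirect URI and the sample token are constructed values.

function buildAuthorizeUrl({ tenant, clientId, redirectUri, state, nonce, withAccessToken = false }) {
  const params = new URLSearchParams({
    client_id: clientId,
    // 'id_token' alone asks only for an ID token; 'id_token token' also asks for an access token
    response_type: withAccessToken ? 'id_token token' : 'id_token',
    redirect_uri: redirectUri,
    scope: 'openid', // without openid the endpoint has no reason to issue an id_token
    response_mode: 'fragment',
    state,
    nonce,
  });
  return `https://login.microsoftonline.com/${tenant}/oauth2/v2.0/authorize?${params}`;
}

// Decode a JWT payload (claims only; signature verification is a separate step).
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Parse '#id_token=...&state=...' (or the '#access_token=...&token_type=Bearer'
// the question saw) as returned with response_mode=fragment.
function parseRedirectFragment(hash, expectedState, expectedNonce) {
  const p = new URLSearchParams(hash.replace(/^#/, ''));
  if (p.get('error')) throw new Error(`${p.get('error')}: ${p.get('error_description')}`);
  if (p.get('state') !== expectedState) throw new Error('state mismatch');
  const idToken = p.get('id_token');
  if (!idToken) throw new Error('no id_token in response; check response_type and scope=openid');
  const claims = decodeJwtPayload(idToken);
  if (claims.nonce !== expectedNonce) throw new Error('nonce mismatch');
  return { idToken, claims, accessToken: p.get('access_token') };
}

// Constructed, unsigned sample token so the block runs offline.
function sampleIdToken(nonce) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'none' })}.${enc({ aud: 'app-client-id', nonce })}.`;
}
```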