Auth Infant

Reputation: 1975

Is the accessToken returned from a call to acquireTokenSilent using MSAL always supposed to be a JWT? What if it isn't?

I have a multi-tenant (AAD + personal Microsoft Accounts) single page application that uses the MSAL library to log in a user and then acquire tokens.

When I call acquireTokenSilent for a logged-in AAD user, the accessToken provided in the AuthResponse object is a valid JWT. Moreover, that JWT appears to properly contain all the scopes I requested in my acquireToken call.

When I do the same thing for a personal MSA account, the accessToken provided does not appear to be a valid JWT. It kind of looks like one, what with all its alphanumerics, but it can't be decoded by any normal JWT decoder.

Should the accessToken for a personal MSA account be a valid JWT? If not, what is it?

Thanks!

Upvotes: 4

Views: 2530

Answers (2)

Allen Wu

Reputation: 16438

While testing your client application with a personal account, you may find that the access token received by your client is an opaque string. This is because the resource being accessed has requested legacy MSA (Microsoft account) tickets that are encrypted and can't be understood by the client.

It's not a JWT token, so it can't be decoded by any normal JWT decoder. But you can decode the ID token for logged-in user information.

See details here (the Important tip).

Upvotes: 6
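As an added example (not code from the question or either answer), a small client-side check that copes with both token shapes the answer describes: it reads user claims from the ID token and passes the access token through as an opaque bearer string whether or not it happens to parse as a JWT. The helper names and the sample tokens are constructed assumptions.

```javascript
// Added example, not code from the question or either answer. Helper names and
// sample tokens are constructed; Buffer is used for base64 (use atob/btoa in a browser).

function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  return Buffer.from(b64, "base64").toString("utf8");
}

function base64UrlEncode(obj) {
  return Buffer.from(JSON.stringify(obj), "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Return the payload claims if `token` is structurally a JWT (three base64url
// segments whose header and payload parse as JSON objects), otherwise null.
// This only inspects the token and does NOT verify its signature; MSAL already
// validates the ID token it hands back, so read user claims from that token.
function tryDecodeJwtClaims(token) {
  if (typeof token !== "string") return null;
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  try {
    const header = JSON.parse(base64UrlDecode(parts[0]));
    const payload = JSON.parse(base64UrlDecode(parts[1]));
    const isObj = (v) => v !== null && typeof v === "object";
    return isObj(header) && isObj(payload) ? payload : null;
  } catch {
    return null; // a segment was not base64url JSON: opaque (or not a JWT) token
  }
}

// What a client should do with an MSAL AuthResponse-like object: take user info
// from the ID token and pass the access token through untouched, whatever its shape.
function describeResponse(resp) {
  const idClaims = tryDecodeJwtClaims(resp.idToken);
  return {
    user: idClaims ? idClaims.preferred_username : null,
    accessTokenIsJwt: tryDecodeJwtClaims(resp.accessToken) !== null,
    authorizationHeader: `Bearer ${resp.accessToken}`, // sent as-is either way
  };
}

// Constructed samples: a JWT-shaped ID token and two non-JWT access tokens.
const sampleIdToken = [
  base64UrlEncode({ alg: "RS256", typ: "JWT" }),
  base64UrlEncode({ preferred_username: "alice@example.com", tid: "<TENANT-ID-PLACEHOLDER>" }),
  "constructed_signature",
].join(".");
const opaqueMsaToken = "Opaque0123456789abcdefghijklmnopqrstuvwxyzABCDEFG"; // no dots at all
const dottedButNotJwt = "abc.def.ghi"; // three segments, but they are not base64url JSON
```

The third sample shows why a dot count alone is not enough: a token can have three segments and still not be a JWT, and the client should not care either way.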

juunas

Reputation: 58743

An access token's format is only relevant to the API you call with the token. I've noticed tokens are different in some scenarios like the one you mentioned, with Graph API. If the token is not meant for you, you don't need to worry about the format. Just send it with the request :)

Upvotes: 1
