Reputation: 2466
Why does Azure B2C return idp_access_token which is not a jwt?
I have setup Azure B2C to return a claim called idp_access_token and according to this Microsoft documentation
https://learn.microsoft.com/en-us/azure/active-directory-b2c/tokens-overview
it should be a valid JWT. However it is not a valid JWT.
Why is that?
"exp": 1588112929,
"nbf": 1588109329,
"ver": "1.0",
"iss": "https://xxx.b2clogin.com/903e0c59-0e1d-4769-8a57-0caba1f561da/v2.0/",
"sub": "f11eaa2e-0bad-400a-864f-57f9daa70720",
"aud": "8ab24fa8-a5f2-4f7d-a1ad-31f21d7fb627",
"nonce": "defaultNonce",
"iat": 1588109329,
"auth_time": 1588109329,
"idp_access_token": "PAQABAAAAAAAm-06blBE1TpVMil8KPQ41KrxufgbIw-NxMJGBuFrfjebtTsSNCwe_5MK208-HdCSx2GkqvSr7LV7ZZiKD9p4z7Zl-NawHeA4DJiPxlnmZB43ObtstvlmwyDoVzTFxSjdOkGvCv5_7A5JuGqct7VBbp1US7HmC2YeS9xVO6HlNiYWlNu90HQwk8A05fnzYwfhcshWQ5JvblgtbkwP6dlK4r_PM9erowtW0LuWkEeucdbU_DfnnM75nFbL4Bo4o_-j5nReC7wBpx_dhVC5gDItLuvuQUruju-3ANDSNsSzlNrp6RCv1HOZtMohVbRB6GYDYS0222u7_hf4by-bQca2SIxWvSZ1UKCPUmnQ0Ji4lYCrkCPlKTOPaUaf1D6yZHbWJtqYkOBY-8uuf7961GyDceW_szZhX80AUkEmK5t9yMd7jB38nV5lvHI13roMzr8N-jWdPSOcLCLxSWIvNG7Inp_5wGM2yYSCTjWUnCTMR8-UkXCETUIU16bw2FkTJc1K_eZhAYw2UyQIzYejd-9gQhZrHyTE0ogApg-Qm4bYnW0XCHGe4MZjDKNuVu49OEGTOxUrn7g0Zh9dn6k6FNma7O02ERUItq2bmpYSyqsRxIase4-9tn_zEhoV-lT1mdIHCDXPLwsH...some more comes here
...
More background information:
- I'm using "Sign up and sign in v2 (Preview)" user flow
- As identity provider of the flow I have selected an Open ID Connect IDP configured to use the Azure AD of the same Azure subscription in which the Azure AD B2C resided.
Upvotes: 2
Views: 1542
Answers (3)
Reputation: 21
In order to get valid "idp_access_token", you have to set "v2.0" in metaurl of OpenId Identity Provider Configurations.
As you can not edit metaurl for previous identity provider, create new one with "v2.0" in metaurl.
Your metaurl will be look like this,
Please replace "tenant-name" with your tenant.
Upvotes: 2
Reputation: 21
I believe, this functionality of retrieving external IDP (identity provider) access_token would be extremely useful to relying parties(RP), if they (RP) want to then talk directly to the (external) IDP by providing this ( idp_access_token) token a bearer to do some operations.
Several Identity Brokers provide this feature; for example:
- Keycloak : https://www.keycloak.org/docs/latest/server_admin/#retrieving-external-idp-tokens
- Auth0 - https://auth0.com/docs/connections/calling-an-external-idp-api
I have some experience working with Keycloak and some of the Relying Parties I work with do use this feature in Keycloak -- to pull in some additional information about the authenticated user.
Well, there are some settings and configurations and permissions need to be done both at the IDP broker side (first leg) and at the second leg as well. I guess, that is beyond the scope of the question asked.
Upvotes: 0
Reputation: 11315
Because this is the AAD blob used to hit the user info endpoint. You get this as an access token if you don’t specify a resource (v1 AAD endpoint), or scope (v2 endpoint) as part of the auth request.
Upvotes: 2
Related Questions
- Token returned by B2C is not decoded by JWT.MS
- How can I use idp_access_token returned by azure b2c service
- Azure AD B2C - Token validation does not work
- Azure B2C Invalid Jwt Signiture
- Where's the Key for My Azure AD B2C Token?
- Unable to have Azure AD B2C issue a token and redirect it to https://jwt.ms
- Web sign-in with OpenID Connect in Azure Active Directory B2C gives id_token instead of access_token
- Why does Azure AD B2C redirect with a code instead of id_token?
- Azure AD B2C Graph API 401 Unauthorized
- Azure AD B2C: AcquireTokenSilentAsync returns empty access token