aldokkani

Reputation: 910

Extending OAuth2 MS AD access_token data

I am missing some understanding of OAuth2 access_token; I hope someone can explain or guide me to what I am missing.

I am using Microsoft Azure AD as an authentication provider for my application. I used the returned id_token after successful authentication to extend it with some additional data custom to my application (to facilitate authorization).

I am doing this through JWT.sign: I decode the data from id_token and add data, then I sign it using a secret key saved at the server.

My question is, can I do the same for access_token? When I tried to do so, I get unauthorized. Am I doing something wrong? Or is this not possible? And why is this happening? I don't find any request made to MS to validate my new signed access_token.

Upvotes: 0

Views: 124

Answers (2)

Gary Archer

Reputation: 29243

You should never change tokens issued - this is not a correct thing to do. But your point about using domain specific claims is totally valid - all real world systems need these for their authorization.

OPTION 1

Some specialist providers can reach out at time of token issuance and contact your APIs, to get domain specific data to include in tokens. See this Curity article for how that works. I don't think Azure AD supports this though.

PRIVACY

It is best to avoid revealing sensitive data in readable tokens returned to internet clients. If you include name, email, etc. in ID tokens or access tokens, this may be flagged up in pen tests, since it is Personally Identifiable Information and revealing it can conflict with regulations such as GDPR.

Curity recommends protecting access tokens by issuing them in an opaque reference token format - via the phantom token pattern.

OPTION 2

An option that would work for Azure AD is to adopt the following approaches:

  • Look up extra domain specific claims in your API when an access token is first received, then cache results for further API requests with the same access token. See this Azure AD Code Sample class of mine for some code that builds a custom ClaimsPrincipal. Note that the API continues to validate the JWT on every request.

  • If the UI needs extra domain specific claims then serve them from your API, which can return both OAuth User Info and domain specific data from its ClaimsPrincipal to the UI. See this API controller class for how that looks. Personally I always do this and never read ID tokens in UIs - which should also never read access tokens.

Upvotes: 1

kavya Saraboju

Reputation: 10831

Applications interacting with Azure AD receive ID tokens after authenticating the users. The applications use access tokens and refresh tokens while interacting with APIs.

  • The id_token is a JSON Web Token (JWT) which has user profile attributes in the form of claims. The ID Token is consumed by the application and used to get user information like the user's name and email.

  • The Access Token, on the other hand, is a credential that can be used by an application to access an API. So if you need the application to access an API, the access token is used there, and you may follow the suggested steps provided by Tiny Wang.

  • Similar to id tokens, access tokens are also signed, but they are not encrypted. As per the IETF OAuth (RFC 6749) standard specification, an access token can have different formats and structures for each service, whereas an id token should be in JWT format.

  • To validate an id_token or an access_token, your app has to validate both the token's signature and the claims. To validate access tokens, your app should also validate the issuer, the audience, and the signing tokens.

  • So in a production application, you should get an id token by specifying “id_token+code” or “id_token+token” as response_type to verify whether the authentication has correctly succeeded. It means it uses the id_token for authentication and “code” to exchange for an access_token to access the resource for authorization.

  • In short, the id_token is used to identify the authenticated user, and the access token is used to prove access rights to protected resources.

Refer to this for the information regarding access token and id token.

Upvotes: 0
