Reputation: 322
My team is using Azure AD to authenticate the user and is sending the generated ID token with all Web API calls. I want to test the Web API separately, and for that I want to generate the ID token from Azure AD using Postman. I have the username and password of the user. What is the best way to implement that?
I don't want to go for service principal as it doesn't satisfy our claims needs.
Upvotes: 0
Views: 6462
Reputation: 3334
You can use the request below to generate both the id_token and the access_token from Azure AD using something like Postman, HTTPie or curl. Note that the access_token can also be generated from a single-page application using msal-browser.
The scope MUST be set to a custom scope added in Azure AD, as shown in the image below. You can refer to this article for more details:
In our case we are generating the access_token manually over HTTP, so you also need to specify the username (email) and password of a user in Azure AD. You may need to disable MFA in Azure AD for email and password alone to work for login.
Below is the request to send to Azure AD to get the id token and access token.
POST /aaba3b90-a8f8-4806-9be3-e67f5e0b62e3/oauth2/v2.0/token HTTP/1.1
Content-Length: 259
Content-Type: application/x-www-form-urlencoded
Host: login.microsoftonline.com
User-Agent: HTTPie
grant_type=password&client_secret=ijf8Q%7EDv8LRd1EygiZu3TVuK31D_ahyw3LOBHaih&client_id=91a872c6-0d1e-4f66-9151-4a71bd5a807a&scope=api%3A%2F%2F91a872c6-0d1e-4f66-9151-4a71bd5a807a%2Fgilbertscope&username=rs%40gssenyonjogmail.onmicrosoft.com&password=mypassword
You can verify the tokens from https://jwt.ms . Look out for the audience (aud), issuer (iss) and version (ver).
If you're like me and you're connecting it to the Web API using passport-azure-ad, you can refer to the code below to set up your passport strategy. There is also another way to verify the Azure AD access_token without using passport-azure-ad. Read this article to learn how; again, the scope must be specified as the custom scope added in the Azure AD app registration.
import passport from 'passport'
import { BearerStrategy } from 'passport-azure-ad'

const options = {
  // v1 metadata document; a v2.0 token needs .../v2.0/.well-known/openid-configuration instead
  identityMetadata: 'https://login.microsoftonline.com/aaba3b90-a8f8-4806-9be3-e67f5e0b62e3/.well-known/openid-configuration', // for v1
  clientID: '91a872c6-0d1e-4f66-9151-4a71bd5a807a',
  validateIssuer: true,
  // the option is named "issuer"; a misspelled key ("issue") is silently ignored and the issuer is then not pinned
  issuer: 'https://sts.windows.net/aaba3b90-a8f8-4806-9be3-e67f5e0b62e3/', // for v1
  isB2C: false,
  // must match the aud claim of the access token (App ID URI for a v1 token)
  audience: 'api://91a872c6-0d1e-4f66-9151-4a71bd5a807a',
  loggingLevel: 'info',
  // this will allow us to get detailed error logs like why the token has failed to be verified by jwtVerify
  // (it also writes user identifiers to the log, so turn it back on outside of debugging)
  loggingNoPII: false,
};

const bearerStrategy = new BearerStrategy(options,
  /**
   * Called only after the library has verified the signature, audience, issuer and expiry.
   * @param {Record<string,any>} decodedAccessToken verified claims of the bearer token
   * @param {*} done passport verify callback
   */
  async (decodedAccessToken, done) => {
    try {
      console.log({ decodedAccessToken })
      return done(null, decodedAccessToken);
    }
    catch (e) {
      done(e, false)
    }
  });

passport.use(bearerStrategy);
I've read so many articles in my journey to set up Azure AD on the Web API; here are some that I consider very helpful:
Upvotes: 0
Reputation: 1650
In this case you would need to set up the "Password Credentials" OAuth grant type. Prior to Postman, Azure AD should be configured as detailed here: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc
The Postman configuration to generate the access token is as shown in the screenshot:
Upvotes: 2