a344254

Reputation: 609

Azure access_token contains info that I thought would be in the id_token, and vice-versa

When requesting a token and id_token from Azure via the implicit grant flow, using a request like

https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&response_type=token%20id_token
&redirect_uri=http%3A%2F%2Flocalhost
&scope=openid%20user.read
&response_mode=fragment
&state=12345
&nonce=678910

I'm successfully getting a response back with an "access_token", and an "id_token".

From what I've read, when decoding the "id_token" I should see information about the user (like name, email, picture, etc.), and the "access_token" (which should not be decoded) is what should be used as the "Bearer" token in the "Authorization" header.

When I view the token details with https://jwt.ms the "access_token" is the one with the user details, and the "id_token" has none.

When I try to access my API with the "access_token", it doesn't allow, but if I access it with the "id_token" it does.

This seems contradictory to the documentation so I'm wondering if someone can clarify for me?

Upvotes: 2

Views: 699

Answers (2)

Tore Nestenius

Reputation: 19921

Depending on how the authorization server is configured, the returned id-token might not contain that many user claims.

But how will the client get the missing information?

The client can then do a background request to the UserInfo endpoint to retrieve the additional claims and user information. By doing it this way, the id-token size is reduced.

Upvotes: 2

Michal Trojanowski

Reputation: 12322

You are right - the ID token is the one which gives your app information about the authenticated user, the access token is the one that you should use to access MS APIs. That said, please note the following.

When I view the token details with https://jwt.ms the "access_token" is the one with the user details, and the "id_token" has none.

What do you mean by "user details"? Usually the access token will contain some details about the user, which the APIs would need to perform proper authorization. Very often it will be the sub claim, but there might be some other claims as well. Note also that by default the ID token doesn't carry much information about the user either. You have to request other OpenID scopes, like profile or email, to get more information about the user in the ID token. Here's the documentation of what claims you can find in the ID token, and which scopes should be requested to get these claims: https://learn.microsoft.com/en-us/azure/active-directory/develop/id-tokens.

When I try to access my API with the "access_token", it doesn't allow, but if I access it with the "id_token" it does.

What do you mean by "my API"? Is it an API you created from scratch, or some API you deployed using Microsoft tools? Are you sure that your API is configured to be accessible with an access token from Microsoft? Usually that token would be used to access MS APIs, not your own.

Upvotes: 2
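An added example (not from the question or either answer) that does what jwt.ms does, decodes a token's payload without verifying it, tells the two tokens apart by the claims Azure AD puts in them, and shows the audience check the asker's own API should be performing. The tokens, the Microsoft Graph audience value and the API's own client id are constructed sample values; only the client_id comes from the question.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token: str) -> dict:
    """Return the payload claims of a JWT for inspection only (what jwt.ms shows).
    The signature is NOT verified here; an API must validate it against the
    tenant's signing keys before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def token_kind(claims: dict) -> str:
    """Access tokens carry scp (delegated) or roles (app-only) for the resource
    they were issued to; ID tokens echo the request's nonce and carry neither."""
    if "scp" in claims or "roles" in claims:
        return "access_token"
    if "nonce" in claims:
        return "id_token"
    return "unknown"


def api_accepts(claims: dict, api_client_id: str) -> bool:
    """The check the asker's API should do: accept only an access token whose
    audience (aud) is this API itself, not the client app and not Graph."""
    return token_kind(claims) == "access_token" and claims.get("aud") == api_client_id


# --- constructed sample tokens: header and payload only, empty signature ---
def _unsigned_jwt(claims: dict) -> str:
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f'{enc({"alg": "none", "typ": "JWT"})}.{enc(claims)}.'


CLIENT_ID = "6731de76-14a6-49ae-97bc-6eba6914391e"  # client_id from the question
GRAPH_ID = "00000003-0000-0000-c000-000000000000"   # audience Azure uses for Microsoft Graph
MY_API_ID = "11111111-2222-3333-4444-555555555555"  # placeholder for the asker's own API

# With scope=openid user.read the ID token is addressed to the client app and the
# access token to Graph, which is why neither should be accepted by "my API".
ID_TOKEN = _unsigned_jwt({"aud": CLIENT_ID, "sub": "abc123", "nonce": "678910"})
ACCESS_TOKEN = _unsigned_jwt({"aud": GRAPH_ID, "sub": "abc123", "name": "Jane Doe", "scp": "User.Read"})
```

To get an access token the API will accept, the client has to request a scope exposed by that API (its aud then becomes the API's client id) rather than user.read.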
