Azure AD - how to obtain v2 access token

Submitted by 蹲街弑〆低调 on 2021-02-19 02:42:05

Question


Using Azure AD, OIDC implicit flow, I can obtain an access token from a v2 endpoint. The authorization endpoint I am using looks like this:

https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize?client_id=<client-id>&redirect_uri=https://localhost:44321/signin-oidc&response_type=id_token%20token&scope=openid%20api%3A%2F%2Fdev-api-gateway%2FAtlas&response_mode=form_post&nonce=123

Yet, it seems that I get a 'v1' access token. What am I doing wrong?


Answer 1:


The version of the acquired token depends on the resource you are accessing, i.e. whether that resource is protected by the v1 endpoint or the v2 endpoint.

On my side, the API is protected by the v2 endpoint, so it returned a v2 access_token.

https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize?client_id=<client-id>&redirect_uri=https://snv2app.azurewebsites.net&response_type=id_token+token&scope=openid api://f3d966c0-517e-4e13-a5bb-9777a916b1a0/User.read&response_mode=fragment&nonce=123

And to parse access_token:




Answer 2:


Thank you for enlightening me that there are differences in how an App (representing the Resource) is registered. Basically the difference itself is made by the 'accessTokenAcceptedVersion' field in the App's Manifest. Initially it was 'null' but I've changed it to '2' (as below).

According to the docs, the 'null' value should permit v2 tokens as well; it is an issue on AAD's side, in 'Open' state.

Thanks for the lead on this issue.

Regarding the way an app is registered, there is indeed a difference:
- if it was done in the Azure portal, then the 'accessTokenAcceptedVersion' field of the manifest is set to 'null'
- if it was done in the app registration portal (https://apps.dev.microsoft.com), then it defaults to '2'

If it weren't for the issue (bug) mentioned above, this shouldn't make a difference.
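As an added example (not code from the original question or either answer), the following Python script makes the point of both answers concrete: the `ver` claim inside the access token tells you which endpoint minted it, and that has to line up with the `accessTokenAcceptedVersion` of the resource app the `scope` points at. The tokens and manifest fragments below are constructed placeholders; the issuer formats are the well-known v1.0 (`https://sts.windows.net/<tenant>/`) and v2.0 (`https://login.microsoftonline.com/<tenant>/v2.0`) Azure AD issuer shapes. A `null` manifest value is treated as v1 here because that is what the asker observed. The payload is decoded without any signature check, which is fine for debugging but never for authorization.

```python
import base64
import json

# Well-known Azure AD issuer shapes for the two endpoint versions.
V1_ISSUER_PREFIX = "https://sts.windows.net/"
V2_ISSUER_PREFIX = "https://login.microsoftonline.com/"
V2_ISSUER_SUFFIX = "/v2.0"


def _b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore it before decoding."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt_payload(token: str) -> dict:
    """Split a compact JWS and decode its payload for INSPECTION only.

    No signature is verified. Anything that authorizes on these claims must
    first validate the signature against the tenant's JWKS and reject alg=none.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def token_version(claims: dict) -> str:
    """Return the endpoint version the token was minted for ('1.0' or '2.0')."""
    ver = claims.get("ver")
    if ver not in ("1.0", "2.0"):
        raise ValueError(f"unexpected or missing 'ver' claim: {ver!r}")
    return ver


def issuer_matches_version(claims: dict) -> bool:
    """Cross-check 'ver' against the issuer shape; a mismatch means the token
    is not a genuine Azure AD token for that version."""
    iss = claims.get("iss", "")
    if token_version(claims) == "1.0":
        return iss.startswith(V1_ISSUER_PREFIX)
    return iss.startswith(V2_ISSUER_PREFIX) and iss.endswith(V2_ISSUER_SUFFIX)


def expected_version_from_manifest(manifest: dict) -> str:
    """Map the resource app's accessTokenAcceptedVersion to a token version.

    2 -> v2 tokens; 1 -> v1 tokens; null is treated as v1, which is the
    behaviour the asker observed with a manifest created in the Azure portal.
    """
    return "2.0" if manifest.get("accessTokenAcceptedVersion") == 2 else "1.0"


def check_token_against_api(token: str, manifest: dict) -> dict:
    """Report whether the token version matches what the API registration expects."""
    claims = decode_jwt_payload(token)
    got = token_version(claims)
    want = expected_version_from_manifest(manifest)
    return {
        "token_ver": got,
        "api_expects": want,
        "version_ok": got == want,
        "issuer_consistent": issuer_matches_version(claims),
        "aud": claims.get("aud"),
    }


def build_unsigned_token(claims: dict) -> str:
    """Constructed sample token with an empty signature segment so the example
    runs offline. Real Azure AD tokens are RS256-signed; never accept alg=none."""
    header = {"typ": "JWT", "alg": "none"}
    return f"{_b64url_encode(header)}.{_b64url_encode(claims)}."


# Constructed claim sets with placeholder identifiers (not real tenants or apps).
V1_CLAIMS = {
    "aud": "api://dev-api-gateway",
    "iss": "https://sts.windows.net/<tenant-id>/",
    "ver": "1.0",
    "appid": "<client-id>",
    "scp": "Atlas",
}
V2_CLAIMS = {
    "aud": "<resource-app-id>",
    "iss": "https://login.microsoftonline.com/<tenant-id>/v2.0",
    "ver": "2.0",
    "azp": "<client-id>",
    "scp": "User.read",
}

# Constructed manifest fragments: Azure-portal default versus the value the asker set.
PORTAL_DEFAULT_MANIFEST = {"accessTokenAcceptedVersion": None}
V2_MANIFEST = {"accessTokenAcceptedVersion": 2}

if __name__ == "__main__":
    for claims, manifest in [(V1_CLAIMS, PORTAL_DEFAULT_MANIFEST),
                             (V1_CLAIMS, V2_MANIFEST),
                             (V2_CLAIMS, V2_MANIFEST)]:
        print(check_token_against_api(build_unsigned_token(claims), manifest))
```

Running the file prints the three comparisons: a v1 token against a null-versioned API is consistent, the same token against an API set to 2 is flagged, and a v2 token against that API passes. Decoding the payload like this is enough to see why the client in the question gets a v1 token, but the receiving API must still verify the signature against the tenant's JWKS and check `aud` before trusting any claim. Separately, the `nonce=123` in the question's authorize URL is a fixed value; use a fresh random nonce per request and verify it on the returned id_token.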



Source: https://stackoverflow.com/questions/54021452/azure-ad-how-to-obtain-v2-access-token
