Tags: azure-active-directory, openid, adal, send-on-behalf-of

Is the access token from ADAL.NET different from OpenID?


I am new to OpenID and AAD.

I have an API which calls a downstream Graph api. I was following the example below, https://joonasw.net/view/azure-ad-on-behalf-of-aspnet-core

Everything worked fine.

But the front end is a third-party app, which accesses my API.

They said they are using OpenID Connect to authenticate the user. They are following the Auth grant flow (https://learn.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code), so I expected them to have a JWT access token. But when I try their access token, it says unauthorised. I tried to decode their access token using jwt.ms, but that did not work either.

Now my question is: is the access token got from ADAL.NET authentication different from OpenID authentication? Is there a workaround?

Any help really appreciated.

Thanks in advance.


Solution

  • To clarify your theoretical question: the ADAL.NET library can help you acquire tokens from Azure AD, compliant with the OAuth 2.0 and OpenID Connect protocols.

    More specific to your case: if the access token was acquired using the auth code grant flow, as you mention in the question, and with the correct parameters, it should work for your API.

    Two things to check:

    1. Make sure that the access token was acquired specifying your API as the resource; only then will it be valid for your API.

      Here's a sample request for an access token that also uses the openid scope: Get Access Tokens

      The value of resource should exactly match the App ID URI for your web service. To find the App ID URI, in the Azure Portal, click Azure Active Directory, click Application registrations, open your application's Settings page, then click Properties.

      GET https://login.microsoftonline.com/{tenant}/oauth2/authorize?
      client_id=6731de76-14a6-49ae-97bc-6eba6914391e        // Your registered Application Id
      &response_type=id_token+code
      &redirect_uri=http%3A%2F%2Flocalhost%3a12345          // Your registered Redirect Uri, url encoded
      &response_mode=form_post                              // 'form_post' or 'fragment'
      &scope=openid
      &resource=https%3A%2F%2Fservice.contoso.com%2F        // The identifier of the protected resource (web API) that your application needs access to
      &state=12345                                          // Any value, provided by your app
      &nonce=678910                                         // Any value, provided by your app
      
    2. You might be getting both an ID token and an access token; make sure to use the right one.
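
The two checks above (is the token's audience my API's App ID URI, and was I handed the ID token instead of the access token) can be scripted instead of pasted into jwt.ms. The following is an added example, not code from the answer or from Microsoft; it assumes the API's App ID URI is https://service.contoso.com/ and the client id from the sample request above. It decodes a compact JWT without verifying the signature, which is fine for diagnosing which token you received but is not how an API should authorise a request (that needs RS256 signature validation against the tenant's published signing keys).

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed values (not from the original post): the API's App ID URI and the
# calling application's client id, taken from the answer's sample request.
API_APP_ID_URI = "https://service.contoso.com/"
CLIENT_ID = "6731de76-14a6-49ae-97bc-6eba6914391e"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_unverified(token: str):
    """Split a compact JWT into (header, payload) WITHOUT checking the signature.

    This is what jwt.ms does: useful for seeing which token you were handed,
    never for authorising a request. Raises ValueError for anything that is
    not three base64url segments (an opaque token, or a token from a different
    flow), which is the symptom the question describes."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected 3 dot-separated segments")
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError(f"not a compact JWT: {exc}") from exc
    return header, payload


def classify_token(payload: dict, api_app_id_uri: str, client_id: str) -> dict:
    """Tell an ID token from an access token and check the audience.

    Azure AD v1 tokens carry the audience in 'aud': for an ID token it is the
    client_id of the app that requested it; for an access token it is the
    'resource' the app asked for, i.e. the API's App ID URI."""
    aud = payload.get("aud")
    # The answer says the resource must match the App ID URI exactly; a
    # trailing slash is the one normalisation tolerated here.
    aud_matches_api = isinstance(aud, str) and aud.rstrip("/") == api_app_id_uri.rstrip("/")
    expired = "exp" in payload and payload["exp"] < int(time.time())

    if aud == client_id:
        kind = "id_token"
    elif aud_matches_api:
        kind = "access_token"
    else:
        kind = "unknown"

    return {
        "kind": kind,
        "aud": aud,
        "audience_matches_api": aud_matches_api,
        "expired": expired,
        "usable_for_api": kind == "access_token" and not expired,
    }


def build_sample_jwt(payload: dict, key: bytes) -> str:
    """Constructed demo helper: mint an HS256-signed JWT so the example runs
    offline. Real Azure AD tokens are RS256-signed with keys from the tenant's
    JWKS endpoint; an API must verify that signature before trusting claims."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def demo() -> dict:
    """Classify a constructed ID token and access token pair, as returned by
    response_type=id_token+code followed by the code redemption."""
    key = b"constructed-demo-key"
    exp = int(time.time()) + 3600
    issuer = "https://sts.windows.net/<tenant-id>/"  # placeholder tenant
    tokens = {
        "id_token": build_sample_jwt(
            {"aud": CLIENT_ID, "iss": issuer, "nonce": "678910", "exp": exp}, key),
        "access_token": build_sample_jwt(
            {"aud": API_APP_ID_URI, "iss": issuer, "scp": "user_impersonation", "exp": exp}, key),
    }
    return {
        name: classify_token(decode_jwt_unverified(tok)[1], API_APP_ID_URI, CLIENT_ID)["kind"]
        for name, tok in tokens.items()
    }


if __name__ == "__main__":
    print(demo())
```

If `decode_jwt_unverified` raises on the third party's token, it is not a JWT at all (for example an opaque token issued for a different resource); if it decodes but `kind` is `id_token`, they sent the wrong one of the two tokens; if `aud` is something other than your App ID URI, their `resource` parameter does not match your registration.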