Microsoft as OAuth2 provider for personal accounts does not issue JWT access tokens
It seems that microsoft will not issue JWT access tokens for personal accounts.
In Azure AD I created an app registration with the type 'Personal Microsoft accounts only'.
My SPA uses that app registration and I can authenticate against it.
After authenticating my SPA receives an id token and an access token.
But the access token does not look like a JsonWebToken.
AFAIK access tokens start always with the characters 'eyJ', but the issued token from Azure AD starts with 'EwC' and when I debug the access token on jwt.ms the console tells me 'Invalid token specified: Unexpected token'.
But this is only the case if I choose the account type 'Personal Microsoft accounts only'.
It works if I'm using the type 'Accounts in this organizational directory only'.
When I send the invalid token to my REST Api I get a 401 response with the header WWW-Authenticate: Bearer error="invalid_token".
The api is configured to accept JWT Bearer tokens and uses the same Azure AD app registration.
Calling the OAuth userinfo enpoint with the issued token works fine.
It's worth mentioning that I use Azure with my personal Microsoft Account.
Is there a way to get JWT access tokens with personal Microsoft accounts?
Reading the friendly manual (RTFM) has answered my question.
I had to create two app registrations in the azure portal.
One for my SPA and one for my REST API and then give my SPA permissions to access the REST API.
It is well described here:
https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-access-web-apis
When sending the initial authentication request the scope must include the permission that was granted to my REST API.
The response will contain the JWT access token that is issued for the REST API.
- Chrome identity launchWebAuthFlow only opens empty callback page
- Limiting the scopes of an OAuth 2.0 flow
- Is Endpoint Security Authentication in WSO2 APIM Done per API or per request?
- Why do i need to specify redirect_uri if i am authenticating from server side?
- Error 400: invalid_scope with Postman and Google OAuth2
- Issues Adding SMTP.Send Permission to Azure Application for Office 365 SMTP
- PHP - How to get OAuth 2.0 Token
- UPS Outh Rating API return Invalid Authentication Information
- How to store sensitive data in React Native or expo code ? ( with Keychain and Keystore )
- How to get Optum sandbox to authenticate with OAuth 2.0 using Java and okhttp
- Spring Boot redirection back to login page
- New Google place api using google OAuth, ask failed to refresh token
- Authentication Problems using Google's ARCore API
- Getting OAuth code challenge on loopback server
- How do I solve audience (aud) invalid claim error for downstream api service?
- oauth 2 parameters can only have a single value: scope
- #oauth2 security expressions on method level
- Calling spring authorization server OAuth2 REST endpoints
- Google AdWords API authorization raising AdsCommon::Errors::AuthError
- Google OAuth 2 Error 400: redirect_uri_mismatch but redirect uri is compliant and already registered in Google Cloud Console
- Passport - Node.js not returning Refresh Token
- AWS Cognito: Missing Scopes in Access Token with Custom UI and Device Remember Functionality for MFA
- Cross-client Google OAuth: Get auth code on iOS and access token on server
- How to generate GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET without a domain?
- Spring Gateway and OAuth
- OAuth Client Credential Flow - Refresh Tokens
- Django OAuth2 Authentication Failing in Unit Tests - 401 'invalid_client' Error
- Add OAuth authentication for HTTP request triggers
- OAuth2 implementation and user management Django
- How to enable a submit button if form fields are auto-filled by the browser using saved credentials on page load?