I am writing an application that implements SSO using OAuth2. Azure AD is the IdP.
After submitting a POST request to the Azure AD token endpoint, the received token contains the Azure AD Application ID rather than the User ID.
POST https://login.microsoftonline.com/{tenant id}/oauth2/v2.0/token
The contents of the post request are as follows:
headers = {'Content-Type': 'application/x-www-form-urlencoded', 'Accept-Charset': 'UTF-8'}
data = {"grant_type": "client_credentials",   # grant type sent to the v2.0 token endpoint
        "client_id": self.client_id,           # Azure AD application (client) ID
        "client_secret": '****',               # redacted
        "redirect_uri": 'https://login.microsoftonline.com/common/oauth2/nativeclient',
        "code": self.code,                     # code returned from the /authorize redirect
        "scope": 'api://{applicationID}/.default openid email'
        }
I am assuming that either an endpoint is being used incorrectly or that an ID being used in the POST request is incorrect, but they all look correct to me.
You are using the client_credentials grant type, which is meant for identifying applications, not users. You should be using the authorization_code grant type to exchange the code for the user's tokens.
With client_credentials, it is correct that you are getting a token with the application's ID; that is how it is supposed to work.
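To make the difference between the two grants concrete, here is an added Python example (not code from the question or the answer above). It builds the form body for the v2.0 token endpoint for each grant type, rejecting the mix of client_credentials with code/redirect_uri that the question shows, and then classifies a returned access token as app-only or delegated by inspecting its payload. The classification rule (a delegated token carries the `scp` claim listing the granted delegated scopes, an app-only token does not, and client_credentials takes only a single `.default` scope) comes from the v2.0 endpoint's documented behaviour, not from this page; the two sample tokens are constructed, unsigned, and exist only so the code runs offline. Nothing here validates a signature, so treat `jwt_claims` as a debugging aid, not as token validation.

```python
import base64
import json
from urllib.parse import urlencode

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def token_request(grant_type, client_id, client_secret, scope, code=None, redirect_uri=None):
    """Return the form body for the v2.0 token endpoint.

    client_credentials: app-only; no user is involved, so code/redirect_uri are
    rejected and the scope must be a single resource '.default' scope.
    authorization_code: exchanges the code from the /authorize redirect for the
    signed-in user's tokens; redirect_uri must equal the one used in /authorize.
    """
    body = {
        "grant_type": grant_type,
        "client_id": client_id,
        "client_secret": client_secret,  # confidential client, server side only
        "scope": scope,
    }
    if grant_type == "client_credentials":
        if code is not None or redirect_uri is not None:
            raise ValueError("client_credentials cannot yield a user token; drop code/redirect_uri")
        if not (scope.endswith("/.default") and " " not in scope.strip()):
            raise ValueError("client_credentials takes exactly one '<resource>/.default' scope")
    elif grant_type == "authorization_code":
        if not code or not redirect_uri:
            raise ValueError("authorization_code requires both code and redirect_uri")
        body["code"] = code
        body["redirect_uri"] = redirect_uri
    else:
        raise ValueError(f"unsupported grant_type {grant_type!r}")
    return body


def encode_form(body):
    """application/x-www-form-urlencoded body, as the endpoint expects."""
    return urlencode(body)


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_unsigned_jwt(claims):
    """Constructed sample token for offline use: JOSE header, payload, dummy signature.
    Real tokens are RS256-signed by Azure AD; this one must never be trusted."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.sig"


def jwt_claims(token):
    """Decode the payload WITHOUT verifying the signature (inspection only)."""
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))


def token_subject_kind(token):
    """'user' for a delegated token (carries 'scp'), 'application' otherwise."""
    return "user" if "scp" in jwt_claims(token) else "application"


# Constructed sample payloads (hypothetical IDs, not real tenants or users).
SAMPLE_APP_TOKEN = make_unsigned_jwt(
    {"aud": "api://00000000-0000-0000-0000-0000000000aa",
     "azp": "11111111-1111-1111-1111-111111111111",   # the calling app, not a user
     "roles": ["Data.Read.All"]}
)
SAMPLE_USER_TOKEN = make_unsigned_jwt(
    {"aud": "api://00000000-0000-0000-0000-0000000000aa",
     "azp": "11111111-1111-1111-1111-111111111111",
     "scp": "openid email",                          # delegated scopes => a user signed in
     "preferred_username": "alice@contoso.example"}
)


if __name__ == "__main__":
    good = token_request("authorization_code", "11111111-1111-1111-1111-111111111111",
                         "****", "api://00000000-0000-0000-0000-0000000000aa/.default openid email",
                         code="AUTH_CODE_FROM_REDIRECT", redirect_uri="https://app.example/callback")
    print(encode_form(good))
    print(token_subject_kind(SAMPLE_APP_TOKEN), token_subject_kind(SAMPLE_USER_TOKEN))
```

The check in `token_request` catches the question's request shape early: sending `code` and `redirect_uri` with `grant_type=client_credentials` is contradictory, and the endpoint ignores them and issues an app-only token. In production, decode the returned token only after validating its signature against the tenant's published keys, plus issuer, audience and expiry.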