How SSO with OpenID and Azure AD works?
I try to understand how the integration we are using with OpenID works. I have read documents and different websites, but I feel that something escapes me related with SSO - I didn´t find so much information about this. If you could help me understand these doubts of concept, I would be very grateful.
Here's the context: WebApp-OpenID using SSO - Azure AD with no permissions or roles for users.
Please, correct me if I am missing something.
- User came from our system and reach the vendor website (RP).
- RP calls our Authorization endpoint to get the Authorization code - sending client_secret, client_id, application_id, redirect_uri, ... -
- User reach our Authorization endpoint and... QUESTION: Are the user asked for credentials or are implicit in SSO?
- Authorization code is granted and sent to the Redirect URI provided and registered.
- RP wants to get the Access Token + ID Token from this user. Therefore, calls our Token endpoint using Client ID + Client Secret + Authorization Code and so on. MY QUESTION IS HERE: To get the Access Token, it is not necessary to send information about the user in the request? Does the RP get it from the browser directly? What information does the RP get to be sent?
- Access Token + ID Token are sent to The Redirect URI registered.
Many Thanks
I tried to reproduce the same in my environment and got the results like below:
I created an Azure AD Application:
To generate the Authorization code, I used the below endpoint:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/authorize?
client_id=ClientId
&response_type=code
&redirect_uri=RedirectUri
&response_mode=query
&scope=scope
&state=12345
While generating the code, I got the sign-in prompt like below:
The Authorization code generated successfully:
To generate the Access token and ID token I used the below parameters:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
client_id:ClientID
client_secret:ClientSecret
grant_type:authorization_code
scope:scope
code:code
redirect_uri:RedirectUri
When I decoded the Access token, I am able to see the user information like below:
How SSO with OpenID and Azure AD works?
- Once the user calls Authorization endpoint, the user will be prompted sign-in screen to enter the credentials.
- If the consent is not given, then the user will get a screen like below to accept
- After successful sign-in the Authorization code will be successfully generated.
- By calling the token parameter the Access + ID token will be successfully generated and are sent to the Redirect URI.
If you are already logged in with a valid session, then there is no need to input credentials. SSO capabilities are stored at the browser's level while having an authenticated valid session.
Reference:
- Azure C# Cosmos DB: Property "id" is missing when it's actually present
- Azure Permission - needed for creating resource group - RBAC
- Unable to locate executable file: 'bash'. Please verify either the file path exists
- Can the Azure Service Bus be delayed before retrying a message?
- azure documentdb create document duplicates Id property
- JWT validation failure error in azure apim
- Azure App Service and Application Insights where is performance test?
- Is it possible to have a non-interactive code that logs in to Azure and creates users in Microsoft Entra ID?
- Change Default Service Version of Microsoft Azure Blob - PHP
- Microsoft Graph: How to filter users by domain name
- Azure App Service Plan CPU Spikes to 100%
- Unable to Authenticate to DevOps API with Angual MSAL
- Azure Databricks: Not able to parameterize keys option of dlt.apply_changes
- ASP.NET Core 3.1 Azure AD Authentication throws OptionsValidationException
- Attaching a private static ip address to Azure Container Instance
- Azure Synapse severless SQL pool - query execution fails
- How to login via Service Principal having Federated Credentials rather than Client Secrets
- Where can I find the resource id of an Azure function app in the Azure portal?
- How to forward access-control-allow-origin header from a Web App to a Front Door?
- Basic SQL commands in Terraform
- Linux Azure Webjob in nodejs referring to node.exe
- Running Azure functions locally gives "No runtime" error after .NET7 upgrade
- Azure DataSync tables not showing up
- Azure ML: Unable to find workspace
- unable to start 'Docker for windows' on Azure Win 10 VM
- How to enable virtualization in Azure VM
- Configuring AppSettings with ASP.Net Core on Azure Web App for Containers: Whither Colons?
- how to get v2 type token using msal python
- The mock in my pester test keeps calling Connect-AzAccount
- HttpResponseError in Azure Ai search