How SSO with OpenID and Azure AD works?
I try to understand how the integration we are using with OpenID works. I have read documents and different websites, but I feel that something escapes me related with SSO - I didn´t find so much information about this. If you could help me understand these doubts of concept, I would be very grateful.
Here's the context: WebApp-OpenID using SSO - Azure AD with no permissions or roles for users.
Please, correct me if I am missing something.
- User came from our system and reach the vendor website (RP).
- RP calls our Authorization endpoint to get the Authorization code - sending client_secret, client_id, application_id, redirect_uri, ... -
- User reach our Authorization endpoint and... QUESTION: Are the user asked for credentials or are implicit in SSO?
- Authorization code is granted and sent to the Redirect URI provided and registered.
- RP wants to get the Access Token + ID Token from this user. Therefore, calls our Token endpoint using Client ID + Client Secret + Authorization Code and so on. MY QUESTION IS HERE: To get the Access Token, it is not necessary to send information about the user in the request? Does the RP get it from the browser directly? What information does the RP get to be sent?
- Access Token + ID Token are sent to The Redirect URI registered.
Many Thanks
I tried to reproduce the same in my environment and got the results like below:
I created an Azure AD Application:
To generate the Authorization code, I used the below endpoint:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/authorize?
client_id=ClientId
&response_type=code
&redirect_uri=RedirectUri
&response_mode=query
&scope=scope
&state=12345
While generating the code, I got the sign-in prompt like below:
The Authorization code generated successfully:
To generate the Access token and ID token I used the below parameters:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
client_id:ClientID
client_secret:ClientSecret
grant_type:authorization_code
scope:scope
code:code
redirect_uri:RedirectUri
When I decoded the Access token, I am able to see the user information like below:
How SSO with OpenID and Azure AD works?
- Once the user calls Authorization endpoint, the user will be prompted sign-in screen to enter the credentials.
- If the consent is not given, then the user will get a screen like below to accept
- After successful sign-in the Authorization code will be successfully generated.
- By calling the token parameter the Access + ID token will be successfully generated and are sent to the Redirect URI.
If you are already logged in with a valid session, then there is no need to input credentials. SSO capabilities are stored at the browser's level while having an authenticated valid session.
Reference:
- What is a difference between elastic computing and serverless computing?
- Access Sharepoint Online Files from .NET Worker Service via Microsoft Graph/OAuth - Unauthorized or Access Denied error (401)
- How do I fix SerializationNotSupportedParentType and ThrowNotSupportedException_ConstructorContainsNullParameterNames exception in System.Text.Json?
- Update VCore by database in power shell
- While scanning a simple key, could not find expected ':'. Syntax error in azure-pipeline.yaml
- I'm not able to call the Azure document intelligence api using the latest api version "2024-02-29-preview"
- AzureWebJobsStorage Managed Identity not working
- Get-RemoteDomain in powershell exchange online error : The term 'Get-RemoteDomain' is not recognized as the name of a cmdlet
- How can I Get Started Using Certificates to Authenticate my APIs Using Azure Key Vault?
- Azure Storage blob getting the io.netty.channel.StacklessClosedChannelException while generating /downloading the from SasUrl
- How to set up a site-to-site connection between Azure VNet and an on-premises network with a single IP address for traffic selectors?
- Summarization of docx or pdf document
- Unable to use Azure Developer CLI (azd) in vsCode even after extensions installed
- How to configure backend application on Container Apps
- WebJob is stopping due to website shutting down
- Azure SQL trigger for Functions configuration problem
- Does azure blob storage support http2?
- Azure Pronunciation Assessment Could not deserialize speech context error
- Is there a query to run so I can get a list of users who has NOT logged in, in the past 30 days?
- How do I Parse FormData containing a audio file in AZ function app in 2025
- Not able to delete Public IP address in azure
- Azure Devops Apple App Store Release.Missing value for the attribute 'whatsNew'
- Azure Storage accounts container public access level has dissabled
- Issue with adding delegated Graph API permission to Enterprise app with Terraform
- Getting an error when using the Flexible File Destination Task in Visual Studio 2022 SSIS
- Problem with Azure Email Communication Service Custom Domain
- How to refresh client assertion in ConfidentialClientApplication?
- Using Microsoft Graph Explorer (we have code too) we can GET All Subscriptions, but GET one by ID gives access error
- Invalid operands found for operator -eq
- nginx - php-fpm - azure container app returns truncated pages