Search code examples
azureoauth-2.0oauthazure-active-directory

oauth token does not contain information about roles or scope

I have created app registration in AD, created client secret and exposed the API. I have created App Role and added permissions (additional permissions to the default graph user read). I also have added a scope.

When I do the request

curl --location --request POST 'https://login.microsoftonline.com/<tenant id>/oauth2/v2.0/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=<application id>' \
--data-urlencode 'client_secret=<secret>' \
--data-urlencode 'scope=api://<application id>/.default' \
--data-urlencode 'grant_type=client_credentials'

I get the response containing access_token. However when I decode the token it does not contain any roles, scopes or anything

{
"aud": "api://<application id>",
"iss": "https://sts.windows.net/<tenant id>/",
"iat": 1672241639,
"nbf": 1672241639,
"exp": 1672245539,
"aio": "<>",
"appid": "<application id>",
"appidacr": "1",
"idp": "https://sts.windows.net/<tenant id>/",
"oid": "<>",
"rh": "<>.",
"sub": "<>",
"tid": "<tenant id>",
"uti": "<>",
"ver": "1.0"
}

What is missing?

/oauth2/token returns similar response

{
    "aud": "<resource id>",
    "iss": "https://sts.windows.net/<tenant id>/",
    "iat": 1672241960,
    "nbf": 1672241960,
    "exp": 1672245860,
    "aio": "<>",
    "appid": "<application id>",
    "appidacr": "1",
    "idp": "https://sts.windows.net/<tenant id>/",
    "oid": "<>",
    "rh": "<>",
    "sub": "<>",
    "tenant_region_scope": "EU",
    "tid": "<tenant id>",
    "uti": "<>",
    "ver": "1.0",
    "xms_tdbr": "EU"
}
Solution

  • I tried to reproduce the same in my environment via Postman and got below results:

    I registered one Azure AD application and created App role named READER.ALL like below:

    enter image description here

    Now I exposed one API named ReaderScope.ALL same as you like below:

    enter image description here

    Now I generated the token using Client credentials flow via Postman with below parameters:

    POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token

client_id: <appID>
client_secret: <secret>
scope: api://<appID>/.default
grant_type:client_credentials

    Response:

    enter image description here

    When I decoded the token, I did not find roles claim same as you like below:

    enter image description here

    To get roles claim in the token, you need to add API permission like below:

    enter image description here

    Now, select Application permissions and add the App role like below:

    enter image description here

    Make sure to grant admin consent to the added permission like below:

    enter image description here

    When I generated the token again now and decoded it, I got roles claim successfully like below:

    enter image description here

    You will get only Application permissions in roles claim while using client credentials flow.

    To get Delegated permissions in scp claim, you need to use interactive flows like authorization code flow etc.