Tags: azure, oauth-2.0, oauth, single-page-application, azure-ad-msal

Azure AD Opaque token Validation


In Azure AD, if you have an (SPA & API) app and in the backend you receive the access token (opaque, not JWT), what do you do to validate the (AUD or appId or clientId) of the token? Can you verify the token by calling the Graph API, or do you not need to verify it?

Edit: I verify the token by calling (https://graph.microsoft.com/v1.0/me) and sending the opaque token as the access token.


Solution

  • Note that Azure Active Directory/Microsoft Entra ID does not support opaque tokens and introspection.

    • According to this blog, there is no need to validate the opaque access tokens.
    • You can just call any user info endpoint, for example:
    https://graph.microsoft.com/v1.0/me
    


    • Token introspection is not stored in a JWT format. The resource API can't interpret the opaque string that token introspection uses.
    • Microsoft uses CAE, that is, as long as the token is valid, the resource owner accepts it upon validation. Refer to this MsDoc.

    For example, if the application is calling Microsoft Graph API, then the events received from Microsoft Entra ID can be checked by Microsoft Graph.

    • If the original authentication condition is changed then the user should reauthenticate. An error will be thrown by Microsoft Graph.

    Reference:

    oauth 2.0 - validate opaque access token by Azure AD - Stack Overflow by Amir Keibi
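An added example, not code from the question or the answer above: a minimal backend check that does what the answer describes, forwarding the opaque token to https://graph.microsoft.com/v1.0/me as a bearer token and treating any non-200 response (including the error Graph raises after a CAE revocation or a change in authentication conditions) as a rejection. The HTTP call is factored into an injectable fetcher so that the offline demo below can use a constructed stand-in for Graph; the token value, user id and UPN in that stand-in are made up. What this establishes is that Graph currently accepts the token for some user; it does not by itself bind the token to your own API's client ID, which is the point the thread makes about opaque tokens.

```python
import json
from dataclasses import dataclass
from typing import Callable, Optional, Tuple
from urllib import error, request

GRAPH_ME = "https://graph.microsoft.com/v1.0/me"

# A fetcher takes (url, bearer_token) and returns (http_status, body_bytes).
# Injecting it keeps the validation logic testable without network access.
Fetcher = Callable[[str, str], Tuple[int, bytes]]


def graph_fetch(url: str, token: str) -> Tuple[int, bytes]:
    """Real fetcher: forward the opaque token to Graph as a bearer token."""
    req = request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except error.HTTPError as e:
        # 401 (expired/revoked/garbage) and 403 (no User.Read) both land here.
        return e.code, e.read()


def extract_bearer(authorization: Optional[str]) -> Optional[str]:
    """Pull the token out of an 'Authorization: Bearer <token>' header."""
    if not authorization:
        return None
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


@dataclass
class Principal:
    object_id: str          # Entra object id of the caller ("id" in /me)
    upn: str                # userPrincipalName, may be empty for some accounts


def validate_opaque_token(authorization: Optional[str],
                          fetch: Fetcher = graph_fetch) -> Optional[Principal]:
    """Return the caller's identity if Graph accepts the token, else None.

    Anything other than 200 is treated as 'not authenticated': that covers
    expired and revoked tokens, tokens for other resources, and the error
    Graph returns once a CAE event invalidates an otherwise unexpired token.
    """
    token = extract_bearer(authorization)
    if token is None:
        return None
    status, body = fetch(GRAPH_ME, token)
    if status != 200:
        return None
    try:
        me = json.loads(body)
    except ValueError:
        return None
    oid = me.get("id")
    if not isinstance(oid, str) or not oid:
        return None
    return Principal(object_id=oid, upn=me.get("userPrincipalName", ""))


# --- constructed stand-in for Graph, used only for the offline demo ----------
FAKE_OID = "11111111-2222-3333-4444-555555555555"   # made-up object id
FAKE_UPN = "alice@contoso.example"                   # made-up UPN


def fake_graph(url: str, token: str) -> Tuple[int, bytes]:
    """Accept exactly one made-up token; reject everything else like Graph would."""
    if url == GRAPH_ME and token == "live-opaque-token":
        return 200, json.dumps({"id": FAKE_OID, "userPrincipalName": FAKE_UPN}).encode()
    return 401, b'{"error":{"code":"InvalidAuthenticationToken"}}'


if __name__ == "__main__":
    for header in ("Bearer live-opaque-token", "Bearer revoked-or-bogus", "Basic abc", None):
        print(repr(header), "->", validate_opaque_token(header, fake_graph))
```

In a real deployment replace `fake_graph` with the default `graph_fetch`; the call then costs one round trip to Graph per request, so cache the result for a short time keyed on a hash of the token rather than on the token itself.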