Do I use ID token or access token while calling a backend API?
From Azure AD documentation I understand that ID token is for authentication and access token is what you send to the backend API for authorization.
But I have several APIs which gives response based on the roles of the user who is logged in. I have configured the roles in the Service Principal under App roles as seen in the below picture.
And when the user authenticates, the ID token contains the roles as seen below.
Currently, I send the ID token in the Authorization header and then the backend decodes and validates the token and based on the roles, it sends appropriate response.
But I was not able to find any documentation to justify this solution. If there is a better/proper solution on how to implement this, please do guide me! Or is there a way to send roles from access token?
You have to make use of access token to call the backend API. Refer to this blog by Maria Paktiti.
If you want the roles to be present in access token, then try the steps below:
Create a Microsoft Entra ID application and added an app role:
Then assign the role to the user in your Enterprise application:
And grant API permissions:
Then generate access and ID tokens like below:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
client_id:ClientID
scope:api://ID/.default openid offline_access
grant_type:authorization_code
code:code
redirect_uri:https://jwt.ms
client_secret:Secret
When you decode the access token, the role is displayed:
Even in the ID token the role is displayed:
Hence, to have role-based authorization you can make use of access token.
- What is the purpose of authorization code in OAuth
- How to securely store access token and secret in Android?
- Laravel Passport Password Grant - Client authentication failed
- User.Identity.IsAuthenticated is false in a non-auth methods after successful login in asp.net core
- How to get access Token from Amadesu API on Python
- Limiting the scopes of an OAuth 2.0 flow
- GitLab OAuth access token validity
- Is Endpoint Security Authentication in WSO2 APIM Done per API or per request?
- MSAL AcquireSilent gets always new token
- how to use keap api , making OAuth request without user authorization?
- TikTok oAuth API authorization code request always expired
- OAuth 1.0 and X API v2 with Scala and sttp
- How to store sensitive data in React Native or expo code ? ( with Keychain and Keystore )
- Using basic oauth to send a tweet
- Spring Boot redirection back to login page
- Unsuccessful using OAuth 2 access token to send emails via Gmail
- Logging in users with API built in laravel
- LinkedIn API: The token used in the OAuth request has been revoked
- How to get LinkedIn access token in iOS to call API?
- OAuth Client Credential Flow - Refresh Tokens
- AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'
- ServiceStack JWT Refresh token uses Session identifier when used with OAuth AuthProvider
- EXPO AuthSession returns dismiss on Android device
- Threads Meta API/Auth Callback URLs
- Is storing an OAuth token in cookies bad practice?
- Firebase credentials as Python environment variables: Could not deserialize key data
- Azure Authenticatication Flow in a Desktop App (WinForms C#)
- Check OAuth Facebook token from iOS client on server/API
- Role based authorization using Keycloak and .NET core
- Amazon Cognito: How to stop getting "redirect_mismatch" error when redirecting from browser to Android app