Azure AD - how to obtain v2 access token

Question

Using Azure AD, OIDC implicit flow, I can obtain an access token from a v2 endpoint. The authorization endpoint I am using looks like this:

https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize?client_id=<client-id>&redirect_uri=https://localhost:44321/signin-oidc&response_type=id_token%20token&scope=openid%20api%3A%2F%2Fdev-api-gateway%2FAtlas&response_mode=form_post&nonce=123

Yet, it seems that I get a 'v1' access token. What am I doing wrong?

Answer 1

Thank you for enlightening me that there are differences in how an App (representing the Resource) is registered. Basically the difference itself is made by the 'accessTokenAcceptedVersion' field in the App's Manifest. Initially it was 'null' but I've changed it to '2' (as below).

According to docs, the 'null' value should as well permit v2 tokens - it is a issue on AAD's side, in 'Open' state.

Thanks for the lead on this issue.

Regarding the way an app is registered, there is indeed a difference: - if it was done in azure portal than the 'accessTokenAcceptedVersion' field of manifest is set to 'null' - if it was done in the app registration portal (https://apps.dev.microsoft.com) than it defaults to '2' If there wouldn't be the issue (bug) mentioned above, this shouldn't make a difference.

Answer 2

The acquired token version is related to your access resource that is protected by v1 endpoint or v2 endpoint.

On my side, the API is protected in v2 endpoint, so it returned the v2 access_token.

https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize?client_id=<client-id>&redirect_uri=https://snv2app.azurewebsites.net&response_type=id_token+token&scope=openid api://f3d966c0-517e-4e13-a5bb-9777a916b1a0/User.read&response_mode=fragment&nonce=123

And to parse access_token: