Does Azure Active Directory have an introspection endpoint (as defined in RFC7662) for verifying OpenID Connect (or OAuth) access tokens?
OpenID Connect is an authentication protocol built on top of OAuth 2.0 that can be used for secure user sign-in. Most identity providers that use this protocol are supported in Azure AD B2C.
Azure Active Directory (Azure AD) supports all OAuth 2.0 flows.
Azure Active Directory provides application endpoints for WS-Federation, SAML-P, and OAuth 2.0 protocols. Azure Active Directory supports security token formats SAML and JWT.
SAML authentication is commonly used with identity providers such as Active Directory Federation Services (AD FS) federated to Azure AD, so it's often used in enterprise applications. OpenID Connect is commonly used for apps that are purely in the cloud, such as mobile apps, websites, and web APIs.
No. You can check all the endpoints supported via the OpenID Provider Configuration for Azure Active Directory.
If you have any ideas or feedback about Azure AD, you can try to submit them via UserVoice: Azure Active Directory.
In particular, you can vote on the "Introspection endpoint for Azure Active Directory" suggestion.
Azure AD does not have an introspection endpoint.
Depending on what you're trying to achieve, however, it may still be possible without that endpoint.
Make a call to the userinfo_endpoint with the token to see if it is still valid, e.g.
GET /oidc/userinfo HTTP/1.1
Host: graph.microsoft.com
Authorization: Bearer <access token>
If the call returns 200, the access token is valid. If it returns 401, it is not valid.
There are 2 types of access tokens: self-contained or placeholder (see RFC6749 Section 1.4 for more info). Azure AD's access tokens are JWTs and are self-contained.
You can obtain expiry info, AD app name, tenant info, user info and much more by decoding the access token.
The JWT payload of Azure AD's access tokens looks like this:
{
  "aud": "00000000-0000-0000-0000-000000000000",
  "iss": "https://sts.windows.net/<tenant_id>/",
  "iat": 1637179385,
  "nbf": 1637179385,
  "exp": 1637183923,
  "acct": 0,
  "acr": "1",
  "aio": "<base64_string>",
  "amr": [
    "pwd",
    "mfa"
  ],
  "app_displayname": "<app_registration_display_name>",
  "appid": "<app_id>",
  "appidacr": "1",
  "family_name": "<user_family_name>",
  "given_name": "<user_given_name>",
  "idtyp": "user",
  "ipaddr": "<user_ip>",
  "name": "<user_name>",
  "oid": "<uuid>",
  "onprem_sid": "<on-premises_sid_of_user>",
  "platf": "8",
  "puid": "<hex_id>",
  "rh": "<?>",
  "scp": "email openid profile",
  "signin_state": [
    "kmsi"
  ],
  "sub": "<user_subscriber_identifier>",
  "tenant_region_scope": "NA",
  "tid": "<tenant_id>",
  "unique_name": "<user_email_or_unique_identifier>",
  "upn": "<user_email>",
  "uti": "<?>",
  "ver": "1.0",
  "wids": [
    "<uuid>"
  ],
  "xms_st": {
    "sub": "<?>"
  },
  "xms_tcdt": <?>
}
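The two answers above describe two different checks: an online probe of the userinfo endpoint (200 vs 401) and local inspection of the self-contained JWT. The following is an added example, not code from either answer or from Microsoft, that implements both for a v1.0 access token of the shape shown in the sample payload. It decodes the token with the standard library, checks the `aud`, `tid`, `iss`, `nbf` and `exp` claims against constructed placeholder tenant and application IDs (not real ones), and wraps the userinfo GET request in a function. The sample token is constructed and unsigned; decoding it this way does not verify the signature, so a resource server must still validate the signature against the keys published via the OpenID Provider Configuration before trusting any claim.

```python
import base64
import json
import time
import urllib.error
import urllib.request
from typing import Optional

# Constructed placeholder identifiers for the example (not a real tenant or app).
TENANT_ID = "11111111-1111-1111-1111-111111111111"
APP_ID = "00000000-0000-0000-0000-000000000000"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt(token: str):
    """Split a compact JWS into (header, payload, signature bytes).

    This only parses; it does NOT verify the signature. Claims from an
    unverified token must not be used for authorization decisions.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload, _b64url_decode(parts[2])


def check_claims(payload: dict, expected_aud: str, expected_tid: str,
                 now: Optional[int] = None, leeway: int = 60) -> list:
    """Return a list of problems; an empty list means audience, tenant,
    issuer and time-window claims are acceptable (leeway absorbs clock skew)."""
    now = int(time.time()) if now is None else now
    problems = []
    if payload.get("aud") != expected_aud:
        problems.append("aud: token was not issued for this application")
    if payload.get("tid") != expected_tid:
        problems.append("tid: token belongs to a different tenant")
    # v1.0 tokens (ver "1.0", as in the sample payload) carry the sts.windows.net issuer.
    if payload.get("iss") != f"https://sts.windows.net/{expected_tid}/":
        problems.append("iss: unexpected issuer")
    if payload.get("nbf", 0) - leeway > now:
        problems.append("nbf: token not yet valid")
    if payload.get("exp", 0) + leeway < now:
        problems.append("exp: token expired")
    return problems


def userinfo_probe(access_token: str) -> bool:
    """Online check from the second answer: GET the userinfo endpoint with the
    bearer token. 200 means accepted, 401 means rejected. Needs network access."""
    req = urllib.request.Request(
        "https://graph.microsoft.com/oidc/userinfo",
        headers={"Authorization": f"Bearer {access_token}"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as err:
        if err.code == 401:
            return False
        raise


def build_sample_token(payload: dict) -> str:
    """Build a constructed, UNSIGNED token for local demonstration only."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "constructed-kid"}
    compact = json.dumps
    signing_input = (_b64url_encode(compact(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(compact(payload, separators=(",", ":")).encode()))
    return signing_input + "." + _b64url_encode(b"constructed-signature-bytes")


# Constructed payload using the timestamps from the answer's sample.
SAMPLE_PAYLOAD = {
    "aud": APP_ID,
    "iss": f"https://sts.windows.net/{TENANT_ID}/",
    "iat": 1637179385,
    "nbf": 1637179385,
    "exp": 1637183923,
    "tid": TENANT_ID,
    "scp": "email openid profile",
    "upn": "user@example.com",
    "ver": "1.0",
}
SAMPLE_TOKEN = build_sample_token(SAMPLE_PAYLOAD)


if __name__ == "__main__":
    hdr, claims, _sig = decode_jwt(SAMPLE_TOKEN)
    print("alg/kid:", hdr["alg"], hdr["kid"])
    print("expires:", time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(claims["exp"])))
    print("problems now:", check_claims(claims, APP_ID, TENANT_ID))
```

Running it offline shows the expiry of the constructed token and reports it as expired; `userinfo_probe` is only useful against a live token and a reachable Graph endpoint. The local checks are a cheap first filter (and the only way to read `exp`, `scp` or `tid` without a round trip), but neither they nor the userinfo probe replaces signature verification on the resource server.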