I have an Azure App Service on which I have enabled Authentication/Authorization and configured AD as the authentication provider.
All /.auth routes exist on the service, and I can log in. After successful login I can call /.auth/me to get the access_token. The response looks like:
[
  {
    "access_token": "AQABAAAAAA...Gni4EiQgAA",
    "expires_on": "2017-02-28T19:17:08.0000000Z",
    "id_token": JWT TOKEN
    ...
  }
]
I then use the access_token in an Authorization bearer header to request data from the service:
"Authorization": "Bearer " + "AQABAAAAAA...Gni4EiQgAA"
My service returns the following error:
IDX10708: 'System.IdentityModel.Tokens.JwtSecurityTokenHandler' cannot read this string: 'AQABAAAAAA...Gni4EiQgAA'.
The string needs to be in compact JSON format, which is of the form: '<Base64UrlEncodedHeader>.<Base64UrlEndcodedPayload>.<OPTIONAL, Base64UrlEncodedSignature>'.
According to this discussion the access_token is intended to be used as a Bearer token. I have also read here that the access_token is supposed to be base64 encoded, but this does not appear to be the case.
Additionally, if I use the id_token as a Bearer token, then authentication works as expected (the id_token is in JWT format).
Edit
When I manually implement the OAuth flow as described here, I receive a proper JWT access_token.
GET https://login.microsoftonline.com/common/oauth2/authorize?client_id=client_id&response_type=code&redirect_uri=redirect_uri
Followed by
POST https://login.microsoftonline.com/common/oauth2/token
  grant_type=authorization_code
  client_id=client_id
  code=CODE FROM ABOVE
  redirect_uri=redirect_uri
  resource=resource
  client_secret=client_secret
RESPONSE
{
  "access_token": JWT TOKEN,
  "token_type": "Bearer",
  ...
}
How to get Azure easy auth JWT access_token
According to your description, I enabled Authentication/Authorization and configured AD as the authentication provider to test this issue. As I know, when you enable Authentication/Authorization on the Azure Portal, the default response_type is id_token. You need to log into https://manage.windowsazure.com and update the App Service Auth Configuration as follows:
Note: If you do not specify the resource for additionalLoginParams, you would retrieve an access_token that is not in JSON Web Token (JWT) format.
I then use the access_token in an authorization bearer header to request data from the service.
For accessing your service, you could leverage the AppServiceAuthSession cookie or you could use Authorization: Bearer "{your-id-token}".
For more details, you could refer to this similar tutorial.
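The following is an added example, not code from the question or the answer above. It makes the two observations on this page concrete: the opaque "AQABAAAA..." token that Easy Auth hands back when no resource is set does not have the three-segment compact form JwtSecurityTokenHandler demands (the IDX10708 failure), while the access token obtained once a resource is requested (via the manual flow with resource=..., or via additionalLoginParams) does. It also shows the check a service should actually enforce on a JWT-shaped token, namely that the aud claim is the resource it protects, which is why simply accepting any JWT (such as the id_token, whose audience is the client ID) is not a good substitute. The sample tokens are constructed locally with an HS256 signature purely so the example runs offline; Azure AD issues RS256 tokens, and the resource URI and secret below are placeholders, not values from the page.

```python
import base64
import hashlib
import hmac
import json
import re

# Constructed opaque token in the shape the question shows from /.auth/me.
# It is made up for this example, not a real token.
OPAQUE_TOKEN = "AQABAAAAAAGni4EiQgAA"

# Placeholder resource the service would be registered for (assumption).
EXPECTED_RESOURCE = "https://example-api.local"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments omit '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_demo_jwt(claims: dict, secret: bytes = b"demo-secret") -> str:
    """Build an HS256-signed JWT so the example runs offline.

    Only the compact header.payload.signature shape matters for the
    IDX10708 check; Azure AD itself signs with RS256 and published keys.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


# Compact JWS: base64url header, base64url payload, optional signature.
COMPACT_JWS = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")


def is_compact_jwt(token: str) -> bool:
    """True when the token has the shape JwtSecurityTokenHandler can read.

    An opaque Easy Auth token fails here, which is the condition that
    produces IDX10708 on the service side.
    """
    if not COMPACT_JWS.match(token):
        return False
    head, body = token.split(".")[:2]
    try:
        json.loads(b64url_decode(head))
        json.loads(b64url_decode(body))
    except (ValueError, UnicodeDecodeError):
        return False
    return True


def unverified_claims(token: str) -> dict:
    """Decode the payload for inspection only.

    The signature is deliberately NOT verified; a real service must still
    validate it against the issuer's signing keys before trusting claims.
    """
    if not is_compact_jwt(token):
        raise ValueError(
            "token is not a compact JWT; was 'resource' requested "
            "(additionalLoginParams / the resource= parameter)?"
        )
    return json.loads(b64url_decode(token.split(".")[1]))


def audience_matches(token: str, expected_resource: str) -> bool:
    """A JWT is only acceptable to this service if 'aud' names this service.

    This is what distinguishes an access token minted for the API from a
    JWT minted for some other audience (for example an id_token, whose
    audience is the client application).
    """
    aud = unverified_claims(token).get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    return expected_resource in audiences


def auth_settings_fix(resource: str) -> dict:
    """Authsettings fragment that makes Easy Auth ask AAD for a JWT access
    token scoped to 'resource' (the additionalLoginParams property named in
    the answer above)."""
    return {"additionalLoginParams": [f"resource={resource}"]}


if __name__ == "__main__":
    print("opaque token is JWT?", is_compact_jwt(OPAQUE_TOKEN))
    access = make_demo_jwt({"aud": EXPECTED_RESOURCE, "sub": "user@example.local"})
    print("access token is JWT?", is_compact_jwt(access))
    print("audience ok?", audience_matches(access, EXPECTED_RESOURCE))
    print(json.dumps(auth_settings_fix(EXPECTED_RESOURCE)))
```

unverified_claims is for diagnosing which kind of token /.auth/me returned; it must never replace signature validation in the service itself, and audience_matches should be applied on top of that validation, not instead of it.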