 

How to get Azure easy auth JWT access_token

I have an Azure App Service on which I have enabled Authentication/Authorization and configured AD as the authentication provider.

All /.auth routes exist on the service, and I can log in. After successful login I can call /.auth/me to get the access_token. The response looks like:

[
  {
     "access_token": "AQABAAAAAA...Gni4EiQgAA",
     "expires_on": "2017-02-28T19:17:08.0000000Z",
     "id_token": JWT TOKEN
     ...
  }
]

I then use the access_token in an authorization bearer header to request data from the service.

"Authorization": "Bearer " + "AQABAAAAAA...Gni4EiQgAA"

My service returns the following error

IDX10708: 'System.IdentityModel.Tokens.JwtSecurityTokenHandler' cannot read this string: 'AQABAAAAAA...Gni4EiQgAA'.

The string needs to be in compact JSON format, which is of the form: '<Base64UrlEncodedHeader>.<Base64UrlEndcodedPayload>.<OPTIONAL, Base64UrlEncodedSignature>'.

According to this discussion the access_token is intended to be used as a Bearer token. I have also read here that the access_token is supposed to be base64 encoded but this does not appear to be the case.

Additionally, if I use the id_token as a Bearer token, then authentication works as expected (the id_token is in JWT format).

Edit

When I manually implement the Oauth flow as described here, I receive a proper JWT access_token.

GET
https://login.microsoftonline.com/common/oauth2/authorize?client_id=client_id&response_type=code&redirect_uri=redirect_uri

Followed by

POST
https://login.microsoftonline.com/common/oauth2/token
  grant_type=authorization_code
  client_id=client_id
  code=CODE FROM ABOVE
  redirect_uri=redirect_uri
  resource=resource
  client_secret=client_secret

RESPONSE
{
  "access_token": JWT TOKEN,
  "token_type": "Bearer",
  ...
}
David Farr asked Feb 28 '17 20:02




1 Answer


According to your description, I enabled Authentication/Authorization and configured AD as the authentication provider to test this issue. As I know, when you enable Authentication/Authorization on the Azure Portal, the default response_type is id_token. You need to log into https://manage.windowsazure.com and update the App Service Auth Configuration as follows:

[screenshot: App Service Auth Configuration, not reproduced here]

Note: If you do not specify the resource in additionalLoginParams, you will retrieve an access_token that is not in JSON Web Token (JWT) format.

I then use the access_token in an authorization bearer header to request data from the service.

For accessing your service, you could leverage AppServiceAuthSession cookie or you could use Authorization:Bearer "{your-id-token}".

For more details, you could refer to this similar tutorial.

Bruce Chen answered Oct 17 '22 01:10
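Both the question (the IDX10708 error on the "AQABAAAA..." string from /.auth/me) and the answer's note (no resource in additionalLoginParams gives a non-JWT access_token) come down to one pre-flight check: is this bearer string a compact JWS at all, and if so, was it minted for your API? The script below is an added example, not code from the question, the answer, or Azure. It classifies a token as JWT or opaque, decodes the header and claims, and checks aud and exp; it deliberately does not verify the signature (Azure AD tokens are RS256 and need the tenant's JWKS for that, which is the job of the real validator). The App ID URI api://my-api, the fixed clock, and all sample tokens are assumptions constructed for the example.

```python
"""Pre-flight inspection of a bearer token before handing it to a JWT validator.

Added example (not from the original question, the answer, or Azure). Reproduces
the IDX10708 triage: a token is a JWT only if it is compact JWS, i.e. three
base64url segments whose first two decode to JSON objects. The opaque strings
Easy Auth returns when no 'resource' is configured fail that test. Signature is
NOT verified here; aud/exp are checked so a token for another resource (for
example Graph) is not mistaken for one issued to your API.
"""
import base64
import json
from dataclasses import dataclass, field
from typing import List


def _b64url_decode(segment: str) -> bytes:
    """base64url (RFC 7515) strips '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


@dataclass
class TokenInfo:
    kind: str                                   # "jwt" or "opaque"
    header: dict = field(default_factory=dict)
    claims: dict = field(default_factory=dict)
    problems: List[str] = field(default_factory=list)

    @property
    def usable(self) -> bool:
        return self.kind == "jwt" and not self.problems


def inspect_token(token: str, expected_aud: str, now: int) -> TokenInfo:
    """Classify a bearer string and sanity-check a JWT's aud/exp (no signature check)."""
    parts = token.split(".")
    if len(parts) != 3:
        # Exactly what IDX10708 complains about: not <header>.<payload>.<signature>.
        return TokenInfo("opaque", problems=[
            f"not compact JWS: expected 3 '.'-separated segments, got {len(parts)}"])
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return TokenInfo("opaque", problems=["segments are not base64url-encoded JSON"])
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return TokenInfo("opaque", problems=["header/payload are not JSON objects"])

    info = TokenInfo("jwt", header, claims)
    alg = header.get("alg")
    if not alg or str(alg).lower() == "none":
        info.problems.append("header alg missing or 'none'; never accept unsigned tokens")

    # aud may be a string or a list (RFC 7519). With the Azure AD v1 endpoint it
    # is the 'resource' the token was requested for, so a Graph token carries
    # https://graph.microsoft.com and must be rejected by your own API.
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if expected_aud not in auds:
        info.problems.append(f"aud {aud!r} is not {expected_aud!r}: token minted for another resource")

    exp = claims.get("exp")
    if not isinstance(exp, int):
        info.problems.append("exp claim missing")
    elif now >= exp:
        info.problems.append(f"token expired at exp={exp}")
    return info


def build_demo_jwt(claims: dict) -> str:
    """Constructed demo token with a placeholder signature, for offline tests only."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "demo-kid"}  # assumed AAD-like header
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        _b64url_encode(b"placeholder-signature-not-verified"),
    ])


# Constructed samples (assumptions, not real tokens or real identifiers).
MY_API = "api://my-api"                          # assumed App ID URI of your service
NOW = 1_488_300_000                              # fixed clock so results are repeatable
OPAQUE_SAMPLE = "AQABAAAAAAexample-opaque-blob"  # shape of an Easy Auth token with no 'resource'
GOOD_JWT = build_demo_jwt({"aud": MY_API, "iss": "https://sts.windows.net/tenant/", "exp": NOW + 3600})
GRAPH_JWT = build_demo_jwt({"aud": "https://graph.microsoft.com", "exp": NOW + 3600})
EXPIRED_JWT = build_demo_jwt({"aud": MY_API, "exp": NOW - 1})

if __name__ == "__main__":
    for name, tok in [("opaque", OPAQUE_SAMPLE), ("good", GOOD_JWT),
                      ("graph", GRAPH_JWT), ("expired", EXPIRED_JWT)]:
        r = inspect_token(tok, MY_API, NOW)
        print(f"{name:8} kind={r.kind:6} usable={r.usable} problems={r.problems}")
```

Run it against the access_token from /.auth/me: an "opaque" result means the service was never going to parse it, whatever the Authorization header looks like, and the fix is on the Easy Auth configuration side (request a resource so a JWT is issued). A "jwt" result with an aud problem means a token was issued, but for a different resource than your API, which your validator should also reject.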