I have an Azure AD application and have generated two client secrets. I can get a JWT access token using each secret (via the client_credentials grant), but can I also see from the JWT token via which client secret it was requested?
If I inspect the JWT tokens I get back, some payload fields are always the same (aud, iss, etc.) and some are always different (iat, nbf, aio, etc.), but there is no info, as far as I can tell, that identifies the client secret that was used.
Here's an example payload:
{
"aud": "https://graph.microsoft.com",
"iss": "https://sts.windows.net/e402c5fb-58e9-48c3-b567-741c4cef0b96/",
"iat": 1516886787,
"nbf": 1516886787,
"exp": 1516890687,
"aio": "Y2NgYEjJqF0stqv73u41a6ZmxPEvBgA=",
"app_displayname": "TravelAgencies",
"appid": "ee8cf944-bf6f-42cf-ae30-6060412416a1",
"appidacr": "2",
"e_exp": 262800,
"idp": "https://sts.windows.net/e402c5fb-58e9-48c3-b567-741c4cef0b96/",
"oid": "bc430bc6-d9fb-4fa0-87e5-8b8803fcb222",
"sub": "bc430bc6-d9fb-4fa0-87e5-8b8803fcb222",
"tid": "e402c5fb-58e9-48c3-b567-741c4cef0b96",
"uti": "1TgusyfGtECjErT0Kv4PAA",
"ver": "1.0"
}
On a related note: what are the aio, e_exp and uti fields for? I can't find any information on them.
You can't see from the token which client secret it was issued with. What is the reason for asking which secret it was?
Regarding the provided claims: you can check here and here what the different claims mean. For example, iat and nbf are just dates: when the token was issued and when its validity begins.
For some of the claims, like aio, there is no documentation. But there is no claim to show you which secret was used.
From https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens
aio
An internal claim used by Azure AD to record data for token reuse. Should be ignored.
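To make the answer concrete, here is an added example (not part of the original question or answer, and not Microsoft code) that decodes two access tokens for the same app and diffs their claims. The first payload is the one from the question; the second is a constructed payload for a token requested a minute later with the other secret, with made-up per-issuance values. The header and the placeholder signature are constructed too, so decoding here deliberately skips signature verification and must only be used for inspection, never for authorization. The diff shows that only the per-issuance claims change, while everything that identifies the caller (appid, oid, sub, tid) is the same for both secrets, and that the token is signed with the tenant's STS key, not with the client secret, so the secret cannot leave a trace in it.

```python
import base64
import json

# Example payload from the question: a token requested with the first client secret.
PAYLOAD_SECRET_1 = {
    "aud": "https://graph.microsoft.com",
    "iss": "https://sts.windows.net/e402c5fb-58e9-48c3-b567-741c4cef0b96/",
    "iat": 1516886787,
    "nbf": 1516886787,
    "exp": 1516890687,
    "aio": "Y2NgYEjJqF0stqv73u41a6ZmxPEvBgA=",
    "app_displayname": "TravelAgencies",
    "appid": "ee8cf944-bf6f-42cf-ae30-6060412416a1",
    "appidacr": "2",
    "e_exp": 262800,
    "idp": "https://sts.windows.net/e402c5fb-58e9-48c3-b567-741c4cef0b96/",
    "oid": "bc430bc6-d9fb-4fa0-87e5-8b8803fcb222",
    "sub": "bc430bc6-d9fb-4fa0-87e5-8b8803fcb222",
    "tid": "e402c5fb-58e9-48c3-b567-741c4cef0b96",
    "uti": "1TgusyfGtECjErT0Kv4PAA",
    "ver": "1.0",
}

# Constructed payload: same app, token requested 60 s later with the second secret.
# Only the per-issuance values differ; the aio and uti values are invented.
PAYLOAD_SECRET_2 = {
    **PAYLOAD_SECRET_1,
    "iat": 1516886847,
    "nbf": 1516886847,
    "exp": 1516890747,
    "aio": "Y2NgYMhhkGRhYGBgYGJgAAA=",
    "uti": "constructedUtiValue0001",
}


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_sample_token(payload: dict) -> str:
    """Build a constructed JWT for inspection. The header mimics an Azure AD access token
    (RS256, kid of the STS signing key); the kid and the signature are placeholders."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "constructed-sts-signing-key-id"}
    compact = {"separators": (",", ":")}
    return ".".join([
        b64url_encode(json.dumps(header, **compact).encode()),
        b64url_encode(json.dumps(payload, **compact).encode()),
        b64url_encode(b"\x00" * 256),  # placeholder: a real token carries an RSA signature
    ])


def decode_jwt_unverified(token: str) -> tuple:
    """Return (header, payload) WITHOUT checking the signature.
    A resource API must validate the signature against the tenant's published keys
    (and aud/iss/exp) before trusting any claim; this is for looking at tokens only."""
    header_b64, payload_b64, _signature_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def diff_claims(a: dict, b: dict) -> dict:
    """Map each claim that differs (or is missing on one side) to its (a, b) values."""
    names = set(a) | set(b)
    return {n: (a.get(n), b.get(n)) for n in sorted(names) if a.get(n) != b.get(n)}


def stable_identity_claims(a: dict, b: dict) -> dict:
    """Claims identical in both tokens that identify the caller. appidacr only says how
    the client authenticated (credential type), never which individual secret was used."""
    names = ("appid", "oid", "sub", "tid", "appidacr")
    return {n: a[n] for n in names if n in a and a.get(n) == b.get(n)}


if __name__ == "__main__":
    token_1 = make_sample_token(PAYLOAD_SECRET_1)
    token_2 = make_sample_token(PAYLOAD_SECRET_2)
    header, claims_1 = decode_jwt_unverified(token_1)
    _, claims_2 = decode_jwt_unverified(token_2)
    print("signed with STS key id (not a client secret):", header["kid"])
    print("claims that differ between the two tokens:", diff_claims(claims_1, claims_2))
    print("stable caller identity shared by both:", stable_identity_claims(claims_1, claims_2))
```

Running it shows only aio, exp, iat, nbf and uti differing, which is exactly the set the question observed as "always different": they are per-issuance values, not credential identifiers. If you need to know which secret a caller uses, the token is the wrong place to look; give each credential its own description at creation time and attribute usage on the Azure AD side rather than from the JWT.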