We are using an Azure Web App and using the web app's Authentication to enforce Azure AD authentication. We have it somewhat working, but are trying to get an access token as we are using that to lock down API calls. Looking at the network calls, the authorize call to MSFT's endpoint only has "open_id code" for response types. Obviously, I can work on converting the response's code to an access token, but I should be able to get an access token in the callback as well.
I have checked that oauth2AllowImplicitFlow is set to true on the manifest, but that's about all I can find.
Any idea how to get "token" added to the response_type list?
open_id: This is a scope, not a response type. You probably mean id_token
code: Means that the app service is doing the Authorization Code flow. It uses the returned code to exchange it for the actual access token.
As far as I understand, you are using built in AppService authentication. You probably don't need to change how AppService authenticates you. There is a good tutorial for it, but basically all you need to do is to call GET /.auth/me in your SPA to receive the tokens. GET /.auth/refresh will refresh the tokens, if it is properly set up.
GET https://xxx.azurewebsites.net/.auth/me

    [
      {
        "access_token": "...",
        "expires_on": "2020-03-20T09:49:01.0000000Z",
        "id_token": "ey...",
        "provider_name": "aad",
        "refresh_token": "...",
        "user_claims": [
          {
            "typ": "foo",
            "val": "bar"
          },
          ...
        ],
        "user_id": "..."
      }
    ]

If you really want to try messing with the built in authentication, you can try changing this (taken from the "refresh" instructions mentioned above). You might need to do part of this anyways because of the refresh feature.
Azure Active Directory: In https://resources.azure.com, do the following steps:
1. At the top of the page, select Read/Write.
2. In the left browser, navigate to subscriptions > resourceGroups > > providers > Microsoft.Web > sites > > config > authsettings.
3. Click Edit.
4. Modify the following property. Replace <app_id> with the Azure Active Directory application ID of the service you want to access.
"additionalLoginParams": ["response_type=code id_token", "resource=<app_id>"]
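
An added example (not part of the original answer) of the SPA side of the flow described above: read the token from /.auth/me, check expires_on, and call /.auth/refresh once when the token is stale. The function names, the injectable fetchImpl parameter and the 60-second skew are assumptions; the endpoint paths and field names are the ones shown in the response above.

```javascript
// Added example; function names and SKEW_MS are assumptions, not App Service API.
const SKEW_MS = 60 * 1000; // treat a token expiring within a minute as expired

function parseExpiry(value) {
  if (typeof value !== "string") return NaN;
  // expires_on carries 7 fractional digits; keep 3 so Date.parse is portable.
  return Date.parse(value.replace(/(\.\d{3})\d+/, "$1"));
}

// Return the AAD access token from a parsed /.auth/me payload, or null when
// the entry is missing, malformed, or expired (within SKEW_MS of nowMs).
function selectAccessToken(payload, nowMs) {
  if (!Array.isArray(payload)) return null;
  const entry = payload.find((e) => e && e.provider_name === "aad");
  if (!entry || typeof entry.access_token !== "string" || !entry.access_token) {
    return null;
  }
  const expiresMs = parseExpiry(entry.expires_on);
  if (Number.isNaN(expiresMs) || expiresMs - nowMs <= SKEW_MS) return null;
  return entry.access_token;
}

async function readSession(fetchImpl) {
  // Same-origin call; the App Service session cookie authenticates it.
  const res = await fetchImpl("/.auth/me", { credentials: "same-origin" });
  if (!res.ok) throw new Error("/.auth/me returned " + res.status);
  return res.json();
}

// Get a usable token, calling /.auth/refresh once if the stored one is stale.
// fetchImpl is injectable so the logic can be exercised without a network.
async function getAccessToken(fetchImpl = fetch, nowMs = Date.now()) {
  let token = selectAccessToken(await readSession(fetchImpl), nowMs);
  if (token) return token;
  const res = await fetchImpl("/.auth/refresh", { credentials: "same-origin" });
  if (!res.ok) throw new Error("/.auth/refresh returned " + res.status);
  token = selectAccessToken(await readSession(fetchImpl), nowMs);
  if (!token) throw new Error("no valid access token after refresh");
  return token;
}

// Constructed sample in the shape of the response above (values are fake).
const SAMPLE = [{
  access_token: "constructed-access-token",
  expires_on: "2020-03-20T09:49:01.0000000Z",
  provider_name: "aad",
  user_id: "user@example.com",
}];
```

The returned token goes in the Authorization: Bearer header of the API request; holding it in memory rather than in localStorage keeps it out of reach of anything that can read persistent browser storage.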