Id token in microsoft with ./Default scope
- i requested scopes openid, email separately and get an id token, in response of the oauth2.0 process and can decode it to retrieve user email
- While if i have openid scope added to the app , and request ./default scope, i don't get any id token
Why doesn't defaul with granted openid give an id token?
Initially, I registered one application and granted below API permissions in it:
Now, I ran below authorization request in browser with /.default scope to get code value:
https://login.microsoftonline.com/tenantId/oauth2/v2.0/authorize?
client_id=appId
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=https://graph.microsoft.com/.default
&state=12345
When I requested tokens with /.default scope, I too got only access token in response without ID token:
POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
grant_type:authorization_code
client_id:appID
client_secret:secret
scope: https://graph.microsoft.com/.default
code:<code_from_above_Step>
redirect_uri: https://jwt.ms
Note that,
openid,profile,offline_accessare OpenID Connect (OIDC) scopes.
- When you request /authorize endpoint with
./defaultscope, it aggregates the delegated permissions granted to the app for Microsoft Graph API or other APIs and does not trigger OpenID Connect (OIDC) behavior for authentication.- To get ID token, make sure to explicitly request
openidscope in the/authorizerequest.
In my case, I explicitly included openid and email in scopes of authorization request while getting code value:
https://login.microsoftonline.com/tenantId/oauth2/v2.0/authorize?
client_id=appId
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=https://graph.microsoft.com/.default openid email
&state=12345
When I requested tokens with ./default scope, I got response with both access token and ID token as below:
POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
grant_type:authorization_code
client_id:appID
client_secret:secret
scope: https://graph.microsoft.com/.default
code:<code_from_above_Step>
redirect_uri: https://jwt.ms
Response:
When I decoded this ID token in jwt.ms website, it has signed-in user's email as below:
In your case, make sure to explicitly include openid and email in scope parameter of authorization request. If authentication is done like that, you can get both tokens with /.default scope too.
Reference:
Microsoft Graph permissions reference - Microsoft Graph | Microsoft Learn
- Getting "Unable to complete authentication for user due to looping logins" while making an api call through postman to azure
- azure ad difference between group based and role based authorization
- Powershell EntraID - Get display names of user groups
- Questions on microsoft azure portal app registration
- API Access to SharePoint Files/Lists via SharePoint REST, API & MSAL, using deamon/service account
- Office 365 Exchange Online permission is not visible for registered application in azure active directory
- Id token in microsoft with ./Default scope
- Unattended authentication using Azure Active Directory- UserCredential not accepting username and password
- Assigning Roles to a Group and scoping that to an Admin Unit programatically in Entra
- Is there a query to run so I can get a list of users who has NOT logged in, in the past 30 days?
- Access Sharepoint Online Files from .NET Worker Service via Microsoft Graph/OAuth - Unauthorized or Access Denied error (401)
- Get-RemoteDomain in powershell exchange online error : The term 'Get-RemoteDomain' is not recognized as the name of a cmdlet
- Azure Storage accounts container public access level has dissabled
- How to get "exp" from jwt token and compare with it current time to check if token is expired
- How to refresh client assertion in ConfidentialClientApplication?
- Enforce MFA for specific API called from SPFx via AADTokenProvider (Even with SPO MFA)
- How to extract TLS 1.X of all app services/web app running Azure
- Why Can't I See Roles Assigned to an App Registration in Azure?
- Connect C# ASP.NET Core web app to Microsoft Graph calendar
- Is there a way to find out all users of a particular group in AzureAD?
- MSAL Redirect on Failure AADSTS50105
- Microsoft Power BI REST API PowerBINotAuthorizedException
- AzureAD SAML SSO through AWS Cognito - doesn't match requested authentication method
- How to get username after logged in?.I am trying with MSAL (@azure/msal-angular) for Azure Signin
- Display all the user's files using Microsoft Graph API not working
- Get Access Token from Microsoft Graph for ClientId with delegated permissions
- How to call Microsoft Graph API from ASP.NET Core Web API that is called by SPA
- add-kdsrootkey error the request is not supported
- AADSTS50011: The redirect URI http does not match the redirect URIs
- Access Token Issuer from Azure AD is sts.windows.net Instead Of login.microsoftonline.com