I am using Azure AD B2C as my authentication.
We are currently building an SPA and have API Management as a backend API.
And I have access to API Management with an access token issued by B2C.
Here, we want to use user information in the SPA, so we are considering using the MsGraph API.
At this time, we also need an access token to access MsGraph. Can we use the same access token for MsGraph and APIM?
Can I use the same access token for MsGraph and APIM, or do I need to save both MsGraph and APIM access tokens?
If each access token is required, is a refresh token also required for each API?
You will need to get multiple tokens in AAD to access different resources. You can use a refresh token from one resource to request an access token for a second resource. I am guessing that you want to minimize access token refresh for multiple resources, so use the refresh token from one resource to get new access tokens from both.
https://learn.microsoft.com/en-us/azure/active-directory/develop/refresh-tokens
Related
I'm trying to have a user login using an Azure B2C custom policy, and then use the token that is passed to the redirect URI to make authorized calls to our APIs. I'm aware that the token given after logging in is an id token, but I haven't seen a way to exchange it for an access token.
Using the id token worked for Azure API management, but not in logic apps as it expects the issuer to be login.microsoftonline.com.
Is there a way that I can exchange the user's id token for an access token, or a better way to secure endpoints so that only logged-in B2C users can access them?
Azure AD B2C supports both the id token and access token where id token contains claims that you can use to identify users in your application and access token are used to identify the granted permissions to your APIs.
There is no way to exchange id token for an access token, but you can request for the tokens in the request by passing id_token+token in the response_type while authenticate the request.
GET https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/authorize?
client_id=xxxx
&response_type=id_token+token
&redirect_uri=https://www.jwt.ms
&response_mode=fragment
&scope=openid%20offline_access
&state=arbitrary_data_you_can_receive_in_the_response
&nonce=12345
I created a multi-tenant app on Azure Portal and sending request to get token with application's client Id. I am using the following URL to get token on Microsoft Azure AD
https://login.microsoftonline.com/common/oauth2/v2.0/authorize
Sending a get request with parameters client_id={clientId}&response_type=token&scope=user.read+openid+profile+offline_access
However it is returning an access_token on given call-back url
http://localhost:8082/my-callback-url#access_token=EwCIA8l6BAAU6k7%2bXVQzkGyMv7VHB/h4cHbJYRAAATb8xtkaxI5xsVkWM6etOevj7ADopBYP1/hj%2bUz%2bf1ZXH4lpykHkES1XBRBDNRDWwdqAA%2brO2tFlMygiuusVx1EJKvqeV0rPPaNDNX9azpWGzS45BN6WmXKcxzX623enNYJOdo%2bYyTtaMipFapvABOsjHve1nVwfq9zqpmcldnIhXBeGefdQsgqmBNjeAyAbWzifLNtdz6Ybxnbt8nMY5adb82Z8tsfddfDdjrqk%2bu%2b85%2bxKXO9Xop3wdRvrVC9FM46RniA6H3NUKjOMTJAsX4IQLjGjXM4eq9o95lmSzF3zgFOXI1rYwkDRVsFsLOgP8tx0occDcuVPQgMalXR6JREDZgAACIJRWLYJGUcWWAKPx26NmroNGG1xEkPB1kLeGk0Hf8324YZs2InsGvQBFUMU4XzGGNdj0s5rLYKK2ictDstHV1daM241F1M5FiaX1qCgdRXneR9uPzUsSIBOzPJtT1dD4k%2bDxp6Nr4hEnDPlymp5X0SR4v5vUA3aRhnsvmEzBVQDKR7cFvT7NSqVHSr/tTv/epdx81qgJcd6S6xF8oaMc7mn76jgU4YBn8jXYnTfGhUvhNZ8RJyyl71AqZrGr7JS2kStselZUgjavLqc9DdQD9cwPSWu1ketKmGgCjt6lVB3nlaw8Wxq%2by2/YhPznTRFD2wj/vzDOdTzCcZ9mJV%2bKMGcXYQqBiGE0MF8%2bWA1EKSXniT5UiegTfJkvnsgtx6G6sdV0rzFM7Xa9d/dHNDfyV5oGedZtJXE1WCUrEIUZZm/HNhhQyh0WSG0gWm3vOY7NAs13vey9lcIQ6Fllu6W/Ty3HE4llFp/9a3lNcujmlxsCASFUOX6R54xPJMt1ipF5lh5uyZCPoUda46UsrCDnNRg0dhuoSVwJMDHzDbs4NXhX4nhTOze/9koz6p5Ao4DtJ20LqmcylZDoLxUhXIU5vvnBYpiHwanBt2E/rG%2bqVEQbRy/v9fhi0chY0XPzldIm/Lz2l0%2b0MpJ/4l53f9YTRLdEMD8X8Umi35ZvpK9arAqgdRkx4/oWG9m8sxOMY2eASetiAJaU8yjtETgHpBGJTXbDVDpNA1s5NGc9QC%2brcSnGDV0BKIDYxBISR8TiJQVUaPqbNU1Mj3kGyQFnfS0jS83VGVfFCZ4cHkhDq/awLh2JrR0Ag%3d%3d&token_type=bearer&expires_in=3600&scope=User.Read%20openid%20profile
How can I validate this access token? or how can I get a JWT token instead?
Your scopes are user.read+openid+profile+offline_access.
That first one is a Microsoft Graph API scope.
It's actually short-hand for https://graph.microsoft.com/user.read.
So you will get an access token that is meant for Microsoft Graph API.
The other scopes you defined affect the id token (openid, profile) or get you a refresh token (offline_access).
This means you cannot and should not validate the token.
Only Microsoft Graph API should be validating this token, since the token is meant for it.
If you want an access token for your API, you need to use a scope defined in the API's app registration (Expose an API section).
I already made the authentication flow with the Microsoft Graph/Azure AD authentication. Once I get the authenticated user's token I store them in his cookies. To validate the user's token I call the Microsft Graph API resource /me. This does not seem a good approach because basically everytime time a client does a request to my API, he is basically doing 2 requests because my API requests Azure AD for validation.
Is this a good flow?
No, it isn't.
Your front-end should acquire an access token for your API, which the API can verify using its digital signature.
The token will contain some info about the user as well as the app that acquired it.
The way in which the front-end acquires the token depends on the type of application.
Front-end single page apps use implicit grant flow for example.
Do note that you have to specifically ask for an access token for your API.
As long as your back-end is then configured with standard JWT Bearer authentication,
all is handled.
This is done by specifying the authority as your Azure AD tenant (or the common endpoint if it's multi-tenant),
and the standard bits for JWT authentication should download the public keys from Azure AD's metadata endpoint, which it can then use to verify validity of any access token it receives.
You do not have to validate tokens for an api that's not yours (issued to your AppId Uri).
For example, Graph validates the tokens that are sent to it (issued for "https://graph.microsoft.com).
If you build and register in Azure AD an Api of your own (say AppIdUri="https://myapi.mydomain.com"), your clients will request and receive access tokens with aud claim set to "https://myapi.mydomain.com".
The clients themselves don't need to validate the access token issued for your Api But your Api, when it receives those access tokens, has to validate them. The validations, among other things will validate the access token was issued to "https://myapi.mydomain.com".
Try out this sample, to get a good understanding around concepts of token validation.
I am trying to revoke a refresh token so that it cannot be used any further to obtain more access tokens via oauth2.
I am using simple-oauth2 nodejs library that wraps the requests to obtain access and refresh tokens. Once I have these tokens, I can use the access token to make graph.microsoft.com calls. When the token expires, I can obtain a new one. This library has a .revoke() method that takes a revoke url. I specify this as http://login.microsoft.com/common/oauth2/v2.0/logout
but the refresh token is still valid.
According to https://support.office.com/en-us/article/Session-timeouts-for-Office-365-37a5c116-5b07-4f70-8333-5b86fd2c3c40?ui=en-US&rs=en-US&ad=US
The Azure Active Directory: "An administrator can apply conditional access policies which restrict access to the resource the user is trying to access."
Is it possible to revoke using oauth2 request? I see this https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oidc
which shows the oauth2 logout url /common/oauth2/v2.0/logout.
Azure Active Directory does not support or provide an endpoint for an application to revoke the refresh tokens. The recommended approach is to clear the token cache on logout to prevent the re-use of the token.
A similar post is here: Revoke a refresh token on Azure AD B2C
You can read more about the policies on token lifetimes of refresh tokens here
https://learn.microsoft.com/en-us/azure/active-directory/active-directory-configurable-token-lifetimes
I'm trying to create a script which connect to OneDrive (consumer) in order to get some file.
However, between consumer and enterprise and all those different azuread stuff I'm lost.
Is there a simple explanation on how do I get a token to access OneDrive in a daemon app?
To interact with OneDrive for the personal account, we can use the Microsoft Graph via acquiring the token form Azure AD V2.0 endpoint.
However, this endpoint doesn't support such scenario. The client credentials flow for Azure AD v2.0 endpoint only work for the organizational account.
As a workaround, you may consider get the access token and refresh token via the code flow and then using the refresh token to renew the access token. And you need to acquire the refresh token before it is expired. And based on the document the lifetime of refresh token for the personal account is up to 1 year(refer here).
And to acquire the access token and refresh token for OverDrive personal account you can refer the code flow from this document.