Azure AD - how to obtain v2 access token




















Using Azure AD, OIDC implicit flow, I can obtain an access token from a v2 endpoint.
The authorization endpoint I am using looks like this:



https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize?client_id=<client-id>&redirect_uri=https://localhost:44321/signin-oidc&response_type=id_token%20token&scope=openid%20api%3A%2F%2Fdev-api-gateway%2FAtlas&response_mode=form_post&nonce=123


Yet, it seems that I get a 'v1' access token.
What am I doing wrong?



azure-active-directory






asked Jan 3 at 11:31









bandreas

  • Are you including the proper scopes? stackoverflow.com/questions/45852984/…

    – Marilee Turscak - MSFT
    Jan 3 at 20:31











  • That one is a different issue as far as I can see: they could not obtain an access token. My issue was that I was expecting a 'v2' access token but I was getting a 'v1' access token. The contents of the tokens are slightly different: docs.microsoft.com/ro-ro/azure/active-directory/develop/…

    – bandreas
    Jan 4 at 14:24





















2 Answers
The acquired token version is related to whether the resource you access is protected by the v1 endpoint or the v2 endpoint.

On my side, the API is protected by the v2 endpoint, so it returned the v2 access_token.

https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize?client_id=<client-id>&redirect_uri=https://snv2app.azurewebsites.net&response_type=id_token+token&scope=openid api://f3d966c0-517e-4e13-a5bb-9777a916b1a0/User.read&response_mode=fragment&nonce=123

And to parse access_token:
[image]







edited Jan 4 at 8:38
answered Jan 4 at 2:17
SunnySun

Thank you for enlightening me that there are differences in how an App (representing the Resource) is registered.
Basically the difference itself is made by the 'accessTokenAcceptedVersion' field in the App's Manifest.
Initially it was 'null' but I've changed it to '2' (as below).
[image]

According to docs, the 'null' value should as well permit v2 tokens - it is an issue on AAD's side, in 'Open' state.

Thanks for the lead on this issue.

Regarding the way an app is registered, there is indeed a difference:
- if it was done in azure portal then the 'accessTokenAcceptedVersion' field of manifest is set to 'null'
- if it was done in the app registration portal (https://apps.dev.microsoft.com) then it defaults to '2'
If it weren't for the issue (bug) mentioned above, this shouldn't make a difference.







answered Jan 4 at 14:21
bandreas

  • As far as I know, there should be no difference between the Azure portal and the app registration portal. You could register an app (Converged applications-v2, Azure AD only applications-v1) in the app registration portal; when you check their manifests, you can find there is no accessTokenAcceptedVersion for the v1 app.

    – SunnySun
    Jan 9 at 7:20

  • However, in the Azure portal, app registration is for the v1 app and app registration (preview) is for the v2 app. You could check the v1 app manifest in app registration; it also has no accessTokenAcceptedVersion. But v2 app registration is still in preview in the Azure portal; if you check the v1 app manifest in app registration (preview), the accessTokenAcceptedVersion is null, so I suggest you do not check the v1 app manifest in app registration (preview).

    – SunnySun
    Jan 9 at 7:21
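
Checking which token version was actually issued, as an added example that is not part of the original posts: it decodes the payload without verifying the signature (inspection only), classifies the token from its `ver` and `iss` claims, and compares the result with the resource app's `accessTokenAcceptedVersion` as the second answer reports it behaving. The function names, tenant ID, client ID and sample tokens are constructed placeholders.

```python
import base64
import json

# Issuer formats Azure AD puts in access tokens of each version.
V1_ISSUER = "https://sts.windows.net/{tid}/"
V2_ISSUER = "https://login.microsoftonline.com/{tid}/v2.0"


def b64url_decode(segment):
    """Decode a base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def read_claims(jwt):
    """Return the payload claims of a JWT WITHOUT verifying its signature.

    Inspection only: an API must still validate signature, issuer and audience.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected 3 dot-separated segments")
    claims = json.loads(b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def token_version(claims):
    """Classify an access token as 'v1' or 'v2'; ver and iss must agree."""
    ver, iss, tid = claims.get("ver"), claims.get("iss"), claims.get("tid", "")
    if ver == "1.0" and iss == V1_ISSUER.format(tid=tid):
        return "v1"
    if ver == "2.0" and iss == V2_ISSUER.format(tid=tid):
        return "v2"
    raise ValueError(f"inconsistent ver/iss: ver={ver!r} iss={iss!r}")


def expected_version(manifest):
    """Version the resource app's manifest selects, per the behaviour reported
    in the answer above: 2 gives v2 tokens, null gave v1 tokens."""
    return "v2" if manifest.get("accessTokenAcceptedVersion") == 2 else "v1"


def check(jwt, manifest):
    """Return (issued version, version the manifest selects, whether they match)."""
    got = token_version(read_claims(jwt))
    want = expected_version(manifest)
    return got, want, got == want


def make_sample_token(claims):
    """Build an unsigned, constructed token for the demo (dummy signature)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2ln"


# Constructed sample data: placeholder tenant and client IDs, not real values.
TID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
V1_TOKEN = make_sample_token({"ver": "1.0", "tid": TID, "aud": "api://dev-api-gateway",
                              "iss": V1_ISSUER.format(tid=TID)})
V2_TOKEN = make_sample_token({"ver": "2.0", "tid": TID, "aud": CLIENT_ID,
                              "iss": V2_ISSUER.format(tid=TID)})

if __name__ == "__main__":
    # The situation in the question: manifest value set to 2, v1 token received.
    print(check(V1_TOKEN, {"accessTokenAcceptedVersion": 2}))
    print(check(V2_TOKEN, {"accessTokenAcceptedVersion": 2}))
```

An API that expects v2 tokens has to validate against the v2 issuer format, so a mismatch reported here will also show up as an issuer validation failure on the resource side.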


















