Azure AD - how to obtain v2 access token





.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box;
}







1















Using Azure AD, OIDC implicit flow, I can obtain an access token from a v2 endpoint.
The authorization endpoint I am using looks like this:



https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize?client_id=<client-id>&redirect_uri=https://localhost:44321/signin-oidc&response_type=id_token%20token&scope=openid%20api%3A%2F%2Fdev-api-gateway%2FAtlas&response_mode=form_post&nonce=123


Yet, it seems that I get a 'v1' access token.
What am I doing wrong?



enter image description here






azure-active-directory







share|improve this question























  • Are you including the proper scopes? stackoverflow.com/questions/45852984/…

    – Marilee Turscak - MSFT
    Jan 3 at 20:31











  • that one is a different issue so far as I can see: they could not obtain an access token. My issue was that I was expecting an access token 'v2' but i was getting a 'v1' access token. The content of the tokens are slightly different: docs.microsoft.com/ro-ro/azure/active-directory/develop/…

    – bandreas
    Jan 4 at 14:24




















1















Using Azure AD, OIDC implicit flow, I can obtain an access token from a v2 endpoint.
The authorization endpoint I am using looks like this:



https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize?client_id=<client-id>&redirect_uri=https://localhost:44321/signin-oidc&response_type=id_token%20token&scope=openid%20api%3A%2F%2Fdev-api-gateway%2FAtlas&response_mode=form_post&nonce=123


Yet, it seems that I get a 'v1' access token.
What am I doing wrong?



enter image description here






azure-active-directory







share|improve this question























  • Are you including the proper scopes? stackoverflow.com/questions/45852984/…

    – Marilee Turscak - MSFT
    Jan 3 at 20:31











  • that one is a different issue so far as I can see: they could not obtain an access token. My issue was that I was expecting an access token 'v2' but i was getting a 'v1' access token. The content of the tokens are slightly different: docs.microsoft.com/ro-ro/azure/active-directory/develop/…

    – bandreas
    Jan 4 at 14:24
















1












1








1








Using Azure AD, OIDC implicit flow, I can obtain an access token from a v2 endpoint.
The authorization endpoint I am using looks like this:



https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize?client_id=<client-id>&redirect_uri=https://localhost:44321/signin-oidc&response_type=id_token%20token&scope=openid%20api%3A%2F%2Fdev-api-gateway%2FAtlas&response_mode=form_post&nonce=123


Yet, it seems that I get a 'v1' access token.
What am I doing wrong?



enter image description here






azure-active-directory







share|improve this question














Using Azure AD, OIDC implicit flow, I can obtain an access token from a v2 endpoint.
The authorization endpoint I am using looks like this:



https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize?client_id=<client-id>&redirect_uri=https://localhost:44321/signin-oidc&response_type=id_token%20token&scope=openid%20api%3A%2F%2Fdev-api-gateway%2FAtlas&response_mode=form_post&nonce=123


Yet, it seems that I get a 'v1' access token.
What am I doing wrong?



enter image description here






azure-active-directory




azure-active-directory






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Jan 3 at 11:31









bandreasbandreas

2671418




2671418













  • Are you including the proper scopes? stackoverflow.com/questions/45852984/…

    – Marilee Turscak - MSFT
    Jan 3 at 20:31











  • that one is a different issue so far as I can see: they could not obtain an access token. My issue was that I was expecting an access token 'v2' but i was getting a 'v1' access token. The content of the tokens are slightly different: docs.microsoft.com/ro-ro/azure/active-directory/develop/…

    – bandreas
    Jan 4 at 14:24





















  • Are you including the proper scopes? stackoverflow.com/questions/45852984/…

    – Marilee Turscak - MSFT
    Jan 3 at 20:31











  • that one is a different issue so far as I can see: they could not obtain an access token. My issue was that I was expecting an access token 'v2' but i was getting a 'v1' access token. The content of the tokens are slightly different: docs.microsoft.com/ro-ro/azure/active-directory/develop/…

    – bandreas
    Jan 4 at 14:24



















Are you including the proper scopes? stackoverflow.com/questions/45852984/…

– Marilee Turscak - MSFT
Jan 3 at 20:31





Are you including the proper scopes? stackoverflow.com/questions/45852984/…

– Marilee Turscak - MSFT
Jan 3 at 20:31













that one is a different issue so far as I can see: they could not obtain an access token. My issue was that I was expecting an access token 'v2' but i was getting a 'v1' access token. The content of the tokens are slightly different: docs.microsoft.com/ro-ro/azure/active-directory/develop/…

– bandreas
Jan 4 at 14:24







that one is a different issue so far as I can see: they could not obtain an access token. My issue was that I was expecting an access token 'v2' but i was getting a 'v1' access token. The content of the tokens are slightly different: docs.microsoft.com/ro-ro/azure/active-directory/develop/…

– bandreas
Jan 4 at 14:24














2 Answers
2






active

oldest

votes


















1














The acquired token version is related to your access resource that is protected by v1 endpoint or v2 endpoint.



On my side, the API is protected in v2 endpoint, so it returned the v2 access_token.



https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize?client_id=<client-id>&redirect_uri=https://snv2app.azurewebsites.net&response_type=id_token+token&scope=openid api://f3d966c0-517e-4e13-a5bb-9777a916b1a0/User.read&response_mode=fragment&nonce=123


And to parse access_token:
enter image description here






share|improve this answer

































    0














    Thank you for enlightening me that there are differences in how an App (representing the Resource) is registered.
    Basically the difference itself is made by the 'accessTokenAcceptedVersion' field in the App's Manifest.
    Initially it was 'null' but I've changed it to '2' (as below).
    enter image description here



    According to docs, the 'null' value should as well permit v2 tokens - it is a issue on AAD's side, in 'Open' state.



    Thanks for the lead on this issue.



    Regarding the way an app is registered, there is indeed a difference:
    - if it was done in azure portal than the 'accessTokenAcceptedVersion' field of manifest is set to 'null'
    - if it was done in the app registration portal (https://apps.dev.microsoft.com) than it defaults to '2'
    If there wouldn't be the issue (bug) mentioned above, this shouldn't make a difference.






    share|improve this answer
























    • As I know, there should be no difference for azure portal and app registration portal. You could register an app (Converged applications-v2, Azure AD only applications-v1) in the app registration portal, when you check their manifest, you could find there is no accessTokenAcceptedVersion for the v1 app.

      – SunnySun
      Jan 9 at 7:20











    • However, in azure portal, the app registration is for the v1 app, app registration(preview) is for the v2 app, you could check the v1 app manifest in app registration, it also has no accessTokenAcceptedVersion. But v2 app registration is still preview in azure portal, if you check v1 app manifest in the app registration (preview), the accessTokenAcceptedVersion is null, so suggest you do not check v1 app manifest in the app registration(preview).

      – SunnySun
      Jan 9 at 7:21












    Your Answer






    StackExchange.ifUsing("editor", function () {
    StackExchange.using("externalEditor", function () {
    StackExchange.using("snippets", function () {
    StackExchange.snippets.init();
    });
    });
    }, "code-snippets");

    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "1"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f54021452%2fazure-ad-how-to-obtain-v2-access-token%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    2 Answers
    2






    active

    oldest

    votes








    2 Answers
    2






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    1














    The acquired token version is related to your access resource that is protected by v1 endpoint or v2 endpoint.



    On my side, the API is protected in v2 endpoint, so it returned the v2 access_token.



    https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize?client_id=<client-id>&redirect_uri=https://snv2app.azurewebsites.net&response_type=id_token+token&scope=openid api://f3d966c0-517e-4e13-a5bb-9777a916b1a0/User.read&response_mode=fragment&nonce=123


    And to parse access_token:
    enter image description here






    share|improve this answer






























      1














      The acquired token version is related to your access resource that is protected by v1 endpoint or v2 endpoint.



      On my side, the API is protected in v2 endpoint, so it returned the v2 access_token.



      https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize?client_id=<client-id>&redirect_uri=https://snv2app.azurewebsites.net&response_type=id_token+token&scope=openid api://f3d966c0-517e-4e13-a5bb-9777a916b1a0/User.read&response_mode=fragment&nonce=123


      And to parse access_token:
      enter image description here






      share|improve this answer




























        1












        1








        1







        The acquired token version is related to your access resource that is protected by v1 endpoint or v2 endpoint.



        On my side, the API is protected in v2 endpoint, so it returned the v2 access_token.



        https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize?client_id=<client-id>&redirect_uri=https://snv2app.azurewebsites.net&response_type=id_token+token&scope=openid api://f3d966c0-517e-4e13-a5bb-9777a916b1a0/User.read&response_mode=fragment&nonce=123


        And to parse access_token:
        enter image description here






        share|improve this answer















        The acquired token version is related to your access resource that is protected by v1 endpoint or v2 endpoint.



        On my side, the API is protected in v2 endpoint, so it returned the v2 access_token.



        https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize?client_id=<client-id>&redirect_uri=https://snv2app.azurewebsites.net&response_type=id_token+token&scope=openid api://f3d966c0-517e-4e13-a5bb-9777a916b1a0/User.read&response_mode=fragment&nonce=123


        And to parse access_token:
        enter image description here







        share|improve this answer














        share|improve this answer



        share|improve this answer








        edited Jan 4 at 8:38

























        answered Jan 4 at 2:17









        SunnySunSunnySun

        1,523118




        1,523118

























            0














            Thank you for enlightening me that there are differences in how an App (representing the Resource) is registered.
            Basically the difference itself is made by the 'accessTokenAcceptedVersion' field in the App's Manifest.
            Initially it was 'null' but I've changed it to '2' (as below).
            enter image description here



            According to docs, the 'null' value should as well permit v2 tokens - it is a issue on AAD's side, in 'Open' state.



            Thanks for the lead on this issue.



            Regarding the way an app is registered, there is indeed a difference:
            - if it was done in azure portal than the 'accessTokenAcceptedVersion' field of manifest is set to 'null'
            - if it was done in the app registration portal (https://apps.dev.microsoft.com) than it defaults to '2'
            If there wouldn't be the issue (bug) mentioned above, this shouldn't make a difference.






            share|improve this answer
























            • As I know, there should be no difference for azure portal and app registration portal. You could register an app (Converged applications-v2, Azure AD only applications-v1) in the app registration portal, when you check their manifest, you could find there is no accessTokenAcceptedVersion for the v1 app.

              – SunnySun
              Jan 9 at 7:20











            • However, in azure portal, the app registration is for the v1 app, app registration(preview) is for the v2 app, you could check the v1 app manifest in app registration, it also has no accessTokenAcceptedVersion. But v2 app registration is still preview in azure portal, if you check v1 app manifest in the app registration (preview), the accessTokenAcceptedVersion is null, so suggest you do not check v1 app manifest in the app registration(preview).

              – SunnySun
              Jan 9 at 7:21
















            0














            Thank you for enlightening me that there are differences in how an App (representing the Resource) is registered.
            Basically the difference itself is made by the 'accessTokenAcceptedVersion' field in the App's Manifest.
            Initially it was 'null' but I've changed it to '2' (as below).
            enter image description here



            According to docs, the 'null' value should as well permit v2 tokens - it is a issue on AAD's side, in 'Open' state.



            Thanks for the lead on this issue.



            Regarding the way an app is registered, there is indeed a difference:
            - if it was done in azure portal than the 'accessTokenAcceptedVersion' field of manifest is set to 'null'
            - if it was done in the app registration portal (https://apps.dev.microsoft.com) than it defaults to '2'
            If there wouldn't be the issue (bug) mentioned above, this shouldn't make a difference.






            share|improve this answer
























            • As I know, there should be no difference for azure portal and app registration portal. You could register an app (Converged applications-v2, Azure AD only applications-v1) in the app registration portal, when you check their manifest, you could find there is no accessTokenAcceptedVersion for the v1 app.

              – SunnySun
              Jan 9 at 7:20











            • However, in azure portal, the app registration is for the v1 app, app registration(preview) is for the v2 app, you could check the v1 app manifest in app registration, it also has no accessTokenAcceptedVersion. But v2 app registration is still preview in azure portal, if you check v1 app manifest in the app registration (preview), the accessTokenAcceptedVersion is null, so suggest you do not check v1 app manifest in the app registration(preview).

              – SunnySun
              Jan 9 at 7:21














            0












            0








            0







            Thank you for enlightening me that there are differences in how an App (representing the Resource) is registered.
            Basically the difference itself is made by the 'accessTokenAcceptedVersion' field in the App's Manifest.
            Initially it was 'null' but I've changed it to '2' (as below).
            enter image description here



            According to docs, the 'null' value should as well permit v2 tokens - it is a issue on AAD's side, in 'Open' state.



            Thanks for the lead on this issue.



            Regarding the way an app is registered, there is indeed a difference:
            - if it was done in azure portal than the 'accessTokenAcceptedVersion' field of manifest is set to 'null'
            - if it was done in the app registration portal (https://apps.dev.microsoft.com) than it defaults to '2'
            If there wouldn't be the issue (bug) mentioned above, this shouldn't make a difference.






            share|improve this answer













            Thank you for enlightening me that there are differences in how an App (representing the Resource) is registered.
            Basically the difference itself is made by the 'accessTokenAcceptedVersion' field in the App's Manifest.
            Initially it was 'null' but I've changed it to '2' (as below).
            enter image description here



            According to docs, the 'null' value should as well permit v2 tokens - it is a issue on AAD's side, in 'Open' state.



            Thanks for the lead on this issue.



            Regarding the way an app is registered, there is indeed a difference:
            - if it was done in azure portal than the 'accessTokenAcceptedVersion' field of manifest is set to 'null'
            - if it was done in the app registration portal (https://apps.dev.microsoft.com) than it defaults to '2'
            If there wouldn't be the issue (bug) mentioned above, this shouldn't make a difference.







            share|improve this answer












            share|improve this answer



            share|improve this answer










            answered Jan 4 at 14:21









            bandreasbandreas

            2671418




            2671418













            • As I know, there should be no difference for azure portal and app registration portal. You could register an app (Converged applications-v2, Azure AD only applications-v1) in the app registration portal, when you check their manifest, you could find there is no accessTokenAcceptedVersion for the v1 app.

              – SunnySun
              Jan 9 at 7:20











            • However, in azure portal, the app registration is for the v1 app, app registration(preview) is for the v2 app, you could check the v1 app manifest in app registration, it also has no accessTokenAcceptedVersion. But v2 app registration is still preview in azure portal, if you check v1 app manifest in the app registration (preview), the accessTokenAcceptedVersion is null, so suggest you do not check v1 app manifest in the app registration(preview).

              – SunnySun
              Jan 9 at 7:21



















            • As I know, there should be no difference for azure portal and app registration portal. You could register an app (Converged applications-v2, Azure AD only applications-v1) in the app registration portal, when you check their manifest, you could find there is no accessTokenAcceptedVersion for the v1 app.

              – SunnySun
              Jan 9 at 7:20











            • However, in azure portal, the app registration is for the v1 app, app registration(preview) is for the v2 app, you could check the v1 app manifest in app registration, it also has no accessTokenAcceptedVersion. But v2 app registration is still preview in azure portal, if you check v1 app manifest in the app registration (preview), the accessTokenAcceptedVersion is null, so suggest you do not check v1 app manifest in the app registration(preview).

              – SunnySun
              Jan 9 at 7:21

















            As I know, there should be no difference for azure portal and app registration portal. You could register an app (Converged applications-v2, Azure AD only applications-v1) in the app registration portal, when you check their manifest, you could find there is no accessTokenAcceptedVersion for the v1 app.

            – SunnySun
            Jan 9 at 7:20





            As I know, there should be no difference for azure portal and app registration portal. You could register an app (Converged applications-v2, Azure AD only applications-v1) in the app registration portal, when you check their manifest, you could find there is no accessTokenAcceptedVersion for the v1 app.

            – SunnySun
            Jan 9 at 7:20













            However, in azure portal, the app registration is for the v1 app, app registration(preview) is for the v2 app, you could check the v1 app manifest in app registration, it also has no accessTokenAcceptedVersion. But v2 app registration is still preview in azure portal, if you check v1 app manifest in the app registration (preview), the accessTokenAcceptedVersion is null, so suggest you do not check v1 app manifest in the app registration(preview).

            – SunnySun
            Jan 9 at 7:21





            However, in azure portal, the app registration is for the v1 app, app registration(preview) is for the v2 app, you could check the v1 app manifest in app registration, it also has no accessTokenAcceptedVersion. But v2 app registration is still preview in azure portal, if you check v1 app manifest in the app registration (preview), the accessTokenAcceptedVersion is null, so suggest you do not check v1 app manifest in the app registration(preview).

            – SunnySun
            Jan 9 at 7:21


















            draft saved

            draft discarded




















































            Thanks for contributing an answer to Stack Overflow!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f54021452%2fazure-ad-how-to-obtain-v2-access-token%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            Popular posts from this blog

            'app-layout' is not a known element: how to share Component with different Modules

            Image
            0 My application was working fine until I decided to go with lazy loading: So, my shared component looks like this: import { Component, Renderer2 } from '@angular/core'; export interface FormModel { captcha?: string; } @Component({ selector: 'app-layout', templateUrl: './app-layout.component.html', styleUrls: ['./app-layout.css'] }) export class FullLayoutComponent { } app-layout.component.ts I am using this component in my Another component say school-home.component.html like this: <app-layout> </app-layout> and it was working fine until I created a Module school-home.module.ts like this: import { NgModule } from '@angular/core'; import { CommonModule } from '@angular/common'; import { SchoolhomeRoutingModule
            Read more

            android studio warns about leanback feature tag usage required on manifest while using Unity exported app?

            Image
            .everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box; } 0 This is a simple project showing cubes on Unity, exported to android project and imported on Android studio. On maifest file it showed following warning: Expecting <uses-feature android:name="android.software.leanback" android:required="false" /> tag I have no information about it. And also on default emptyview android project does not use/mention this feature. I know it is required by TV's and such but why its not added by default? Why is this? And Should I concern about it? android unity3d
            Read more

            SQL update select statement

            Image
            0 I'm trying to update an entry in my database (postgresql). I'm having a problem with updating the query: INSERT INTO prices (price, product_id) SELECT product_price, commn_id FROM products_temp as prod WHERE NOT EXISTS (SELECT * FROM prices od WHERE prod.commn_id = od.product_id) OR prod.product_price != ( SELECT price FROM prices as p WHERE p.product_id = prod.commn_id order by p.end desc LIMIT 1 ) Query works fine when i delete: OR prod.product_price != ( SELECT price FROM prices as p WHERE p.product_id = prod.commn_id order by p.end desc LIMIT 1 ) So it seems to me that it's looping through this operation. My question is, how can I fix it? sql postgresql
            Read more