Azure AD - how to obtain v2 access token
Using Azure AD, OIDC implicit flow, I can obtain an access token from a v2 endpoint.
The authorization endpoint I am using looks like this:
https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize?client_id=<client-id>&redirect_uri=https://localhost:44321/signin-oidc&response_type=id_token%20token&scope=openid%20api%3A%2F%2Fdev-api-gateway%2FAtlas&response_mode=form_post&nonce=123
Yet, it seems that I get a 'v1' access token.
What am I doing wrong?
azure-active-directory
asked Jan 3 at 11:31
bandreas
Are you including the proper scopes? stackoverflow.com/questions/45852984/…
– Marilee Turscak - MSFT
Jan 3 at 20:31
That one is a different issue as far as I can see: they could not obtain an access token. My issue was that I was expecting an access token 'v2' but I was getting a 'v1' access token. The contents of the tokens are slightly different: docs.microsoft.com/ro-ro/azure/active-directory/develop/…
– bandreas
Jan 4 at 14:24
2 Answers
The version of the acquired token is related to whether the resource you are accessing is protected by the v1 endpoint or the v2 endpoint.
On my side, the API is protected by the v2 endpoint, so it returned the v2 access_token.
https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize?client_id=<client-id>&redirect_uri=https://snv2app.azurewebsites.net&response_type=id_token+token&scope=openid api://f3d966c0-517e-4e13-a5bb-9777a916b1a0/User.read&response_mode=fragment&nonce=123
And to parse access_token:
edited Jan 4 at 8:38
answered Jan 4 at 2:17
SunnySun
Thank you for enlightening me that there are differences in how an App (representing the Resource) is registered.
Basically the difference itself is made by the 'accessTokenAcceptedVersion' field in the App's Manifest.
Initially it was 'null' but I've changed it to '2' (as below).
According to docs, the 'null' value should as well permit v2 tokens - it is an issue on AAD's side, in 'Open' state.
Thanks for the lead on this issue.
Regarding the way an app is registered, there is indeed a difference:
- if it was done in the Azure portal, then the 'accessTokenAcceptedVersion' field of the manifest is set to 'null'
- if it was done in the app registration portal (https://apps.dev.microsoft.com), then it defaults to '2'
If it weren't for the issue (bug) mentioned above, this shouldn't make a difference.
answered Jan 4 at 14:21
bandreas
As far as I know, there should be no difference between the Azure portal and the app registration portal. You could register an app (Converged applications-v2, Azure AD only applications-v1) in the app registration portal; when you check their manifests, you could find there is no accessTokenAcceptedVersion for the v1 app.
– SunnySun
Jan 9 at 7:20
However, in the Azure portal, the app registration is for the v1 app and app registration (preview) is for the v2 app. You could check the v1 app manifest in app registration; it also has no accessTokenAcceptedVersion. But v2 app registration is still in preview in the Azure portal; if you check the v1 app manifest in the app registration (preview), the accessTokenAcceptedVersion is null, so I suggest you do not check the v1 app manifest in the app registration (preview).
– SunnySun
Jan 9 at 7:21
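An added example, not part of the original answers: a Python sketch of the check both answers point at, decoding the access token's payload to tell a v1 token from a v2 token and comparing the result with the resource app's accessTokenAcceptedVersion. The tenant id, audiences and sample tokens are constructed placeholders, and the mapping of 'null' to v1 follows the behaviour reported in this thread.

```python
import base64
import json

TENANT = "00000000-0000-0000-0000-000000000000"  # constructed placeholder tenant id

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def read_claims(jwt: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature (diagnosis only;
    an API must still validate signature, issuer and audience before trusting them)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))

def token_version(claims: dict) -> str:
    """Classify an Azure AD access token as 'v1' or 'v2'; 'ver' and 'iss' must agree."""
    ver, iss, tid = claims.get("ver"), claims.get("iss", ""), claims.get("tid")
    if ver == "2.0" and iss == f"https://login.microsoftonline.com/{tid}/v2.0":
        return "v2"
    if ver == "1.0" and iss == f"https://sts.windows.net/{tid}/":
        return "v1"
    raise ValueError(f"inconsistent token format: ver={ver!r} iss={iss!r}")

def expected_version(manifest: dict) -> str:
    """Token version requested by the resource app's manifest, as observed in this
    thread (assumption): accessTokenAcceptedVersion 2 -> v2, null or absent -> v1."""
    return "v2" if manifest.get("accessTokenAcceptedVersion") == 2 else "v1"

def check(jwt: str, manifest: dict) -> tuple:
    """Return (issued_version, expected_version, match)."""
    got = token_version(read_claims(jwt))
    want = expected_version(manifest)
    return got, want, got == want

def make_sample_token(claims: dict) -> str:
    """Build a constructed sample token with a dummy signature, for this demo only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'typ': 'JWT', 'alg': 'RS256'})}.{enc(claims)}.c2FtcGxl"

# Constructed sample tokens; the audiences are placeholders.
V1_TOKEN = make_sample_token({
    "ver": "1.0", "tid": TENANT, "aud": "api://dev-api-gateway",
    "iss": f"https://sts.windows.net/{TENANT}/",
})
V2_TOKEN = make_sample_token({
    "ver": "2.0", "tid": TENANT, "aud": "11111111-1111-1111-1111-111111111111",
    "iss": f"https://login.microsoftonline.com/{TENANT}/v2.0",
})

if __name__ == "__main__":
    for name, token, manifest in [
        ("manifest null", V1_TOKEN, {"accessTokenAcceptedVersion": None}),
        ("manifest 2, old token", V1_TOKEN, {"accessTokenAcceptedVersion": 2}),
        ("manifest 2", V2_TOKEN, {"accessTokenAcceptedVersion": 2}),
    ]:
        print(name, check(token, manifest))
```

A mismatch between the two versions is worth catching early, because an API configured to validate the v2 issuer will reject a token carrying the v1 issuer.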