oauth 2.0 - Why does Entra ID return unreadable access tokens from the common endpoint? - Stack Overflow
I've read that Entra ID's OIDC implementation can sometimes return 'opaque' access tokens that are intended to be used only for Graph APIs. But in my configuration, I seem to be getting tokens that aren't readable JWTs in any way, and Graph doesn't accept them.
This only happens when I use the common login endpoint, . If I use /{tenant}/v2.0, the access token can be decoded as a JWT, and I get a valid response when I hit .0/me with that token. (Eventually I'll need to support users from multiple tenants, so that's not a long term solution.)
The opaque tokens I get from /common all look something like the one below. They don't have '.'s to separate the parts of a JWT, and Graph complains that it's not a valid JWS or JWE.
PAQABAQIAAABVrSpeuWamRam2jAF1XRQEwRtpfC8JWN2UR...
Graph error:
Unable to validate token with Microsoft Graph. Response (json): {"error":{"code":"InvalidAuthenticationToken","message":"IDX14100: JWT is not well formed, there are no dots (.). The token needs to be in JWS or JWE Compact Serialization Format. (JWS): 'EncodedHeader.EncodedPayload.EncodedSignature'. (JWE): 'EncodedProtectedHeader.EncodedEncryptedKey.EncodedInitializationVector.EncodedCiphertext.EncodedAuthenticationTag'."
Access to my application is determined by the user's membership in a security group in Entra ID. So in the end I'll need a Graph token to fetch their user groups, and that's just as useful as a token for my specific app. (I know you can include groups in the id_token, but there can be overflow issues if the user is in too many groups.)
I've tried other strategies like exposing an API on my app registration and exchanging a token for my API for a Graph token using the on-behalf-of flow. I hit other issues there, and I could go back to that if it's the right answer. But I'd like to understand why these endpoints are behaving differently and if there's any way to get the common endpoint to behave like the tenant-specific one.
I have a SPA app that uses an OIDC library, oidc-client-ts. My scopes are:
openid email offline_access
The SPA sends the access & ID tokens to a Spring API that calls Graph to fetch the user's security groups. Please let me know if there are other details that might be relevant.
Thank you.
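A small diagnostic for the symptom in this question, added here as an example (it is not code from the post, from oidc-client-ts or from the Spring API): it applies the same segment-count check that produces Graph's IDX14100 error, and for a three-segment JWS it decodes the header and claims for inspection only, so you can see which tenant (tid) and resource (aud) a token was issued for. The sample tokens are constructed; nothing here verifies a signature.

```javascript
// Added example: classify an Entra ID access token by compact-serialization
// shape (the check behind Graph's IDX14100 error) and, for a JWS, decode the
// header and claims for inspection only. No signature verification happens here.

const b64uEncode = (s) => Buffer.from(s, "utf8").toString("base64url");
const b64uDecode = (s) => Buffer.from(s, "base64url").toString("utf8");

// Three dot-separated segments = JWS, five = JWE; anything else is opaque to
// us (a token only the issuer and its target resource can interpret).
function classifyToken(token) {
  const n = token.split(".").length;
  if (n === 3) return "JWS";
  if (n === 5) return "JWE";
  return "opaque";
}

// Decode (not verify) a JWS and collect what a troubleshooter wants to know:
// target resource (aud), issuing tenant (tid), and whether the header carries
// the 'nonce' that Microsoft Graph access tokens use.
function inspectToken(token) {
  const result = { format: classifyToken(token), header: null, claims: null, notes: [] };
  if (result.format !== "JWS") {
    result.notes.push("not a JWS: claims cannot be read locally");
    return result;
  }
  const [h, p] = token.split(".");
  try {
    result.header = JSON.parse(b64uDecode(h));
    result.claims = JSON.parse(b64uDecode(p));
  } catch (e) {
    result.notes.push("three segments, but header/payload is not base64url JSON");
    return result;
  }
  if (result.header?.nonce !== undefined) result.notes.push("header has 'nonce': a Microsoft Graph token, not one your own API should validate");
  if (result.claims?.aud) result.notes.push(`aud=${result.claims.aud}`);
  if (result.claims?.tid) result.notes.push(`tid=${result.claims.tid}`);
  return result;
}

// Constructed samples (not real tokens): an opaque string shaped like the one
// in the question, and an unsigned JWS with a placeholder signature segment.
const SAMPLE_OPAQUE = "PAQABAQIAAABVrSpeuWamRam2jAF1XRQEwRtpfC8JWN2UR";
const SAMPLE_JWS = [
  b64uEncode(JSON.stringify({ alg: "RS256", typ: "JWT", nonce: "constructed" })),
  b64uEncode(JSON.stringify({ aud: "https://graph.microsoft.com", tid: "00000000-0000-0000-0000-000000000000" })),
  "placeholder-signature",
].join(".");
```

Running inspectToken on the token your Spring API receives from each endpoint shows at a glance whether /common and /{tenant}/v2.0 are handing back different formats or different audiences.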