
oauth 2.0 - Why does Entra ID return unreadable access tokens from the common endpoint? - Stack Overflow


I've read that Entra ID's OIDC implementation can sometimes return 'opaque' access tokens that are intended to be used only for Graph APIs. But in my configuration, I seem to be getting tokens that aren't readable JWTs in any way, and Graph doesn't accept them.

This only happens when I use the common login endpoint, . If I use /{tenant}/v2.0, the access token can be decoded as a JWT, and I get a valid response when I hit .0/me with that token. (Eventually I'll need to support users from multiple tenants, so that's not a long term solution.)

The opaque tokens I get from /common all look something like the one below. They don't have '.'s to separate the parts of a JWT, and Graph complains that it's not a valid JWS or JWE.

PAQABAQIAAABVrSpeuWamRam2jAF1XRQEwRtpfC8JWN2UR...

Graph error:

Unable to validate token with Microsoft Graph. Response (json): {"error":{"code":"InvalidAuthenticationToken","message":"IDX14100: JWT is not well formed, there are no dots (.). The token needs to be in JWS or JWE Compact Serialization Format. (JWS): 'EncodedHeader.EncodedPayload.EncodedSignature'. (JWE): 'EncodedProtectedHeader.EncodedEncryptedKey.EncodedInitializationVector.EncodedCiphertext.EncodedAuthenticationTag'."

Access to my application is determined by the user's membership in a security group in Entra ID. So in the end I'll need a Graph token to fetch their user groups, and that's just as useful as a token for my specific app. (I know you can include groups in the id_token, but there can be overflow issues if the user is in too many groups.)

I've tried other strategies like exposing an API on my app registration and exchanging a token for my API for a Graph token using the on-behalf-of flow. I hit other issues there, and I could go back to that if it's the right answer. But I'd like to understand why these endpoints are behaving differently and if there's any way to get the common endpoint to behave like the tenant-specific one.

I have a SPA app that uses an OIDC library, oidc-client-ts. My scopes are:

openid email offline_access

The SPA sends the access & ID tokens to a Spring API that calls Graph to fetch the user's security groups. Please let me know if there are other details that might be relevant.

Thank you.
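As an added diagnostic example, not part of the original question and not code from oidc-client-ts, Spring or Microsoft: a small Node.js helper that classifies a bearer token by its compact-serialization shape (the same rule Graph's IDX14100 message quotes: three dot-separated segments for JWS, five for JWE, anything else is not a JWT) and, for a JWS, decodes the header and payload so `aud`, `tid` and `scp` can be inspected before the token is forwarded to Graph. The sample tokens, tenant ID and key ID below are constructed; the signature segment is a placeholder and nothing here verifies a signature, so the decoded claims are for troubleshooting only, never for an authorization decision.

```javascript
// Added example (not from the original post): triage an Entra ID bearer token
// by its wire shape before sending it to Microsoft Graph, so an opaque token is
// caught locally instead of surfacing as Graph's IDX14100 "no dots" error.
// Claims are decoded WITHOUT signature verification; use them for diagnostics
// only, never to grant access.

// Well-known application ID of Microsoft Graph; `aud` may carry this GUID
// instead of the https://graph.microsoft.com URI.
const GRAPH_APP_ID = '00000003-0000-0000-c000-000000000000';
const GRAPH_RESOURCE_URI = 'https://graph.microsoft.com';

function base64UrlDecode(segment) {
  // base64url -> standard base64, then restore padding to a multiple of 4
  let b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  b64 += '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(b64, 'base64').toString('utf8');
}

function base64UrlEncode(text) {
  return Buffer.from(text, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Classify by segment count: JWS compact = 3 non-empty parts, JWE compact = 5,
// anything else is treated as opaque (not something Graph will parse as a JWT).
function classifyToken(token) {
  const segments = token.split('.');
  if (segments.length === 3 && segments.every(Boolean)) return { format: 'jws', segments: 3 };
  if (segments.length === 5 && segments.every(Boolean)) return { format: 'jwe', segments: 5 };
  return { format: 'opaque', segments: segments.length };
}

// Decode header and payload of a JWS for inspection. No signature check.
function decodeJwsClaims(token) {
  const { format } = classifyToken(token);
  if (format !== 'jws') throw new Error(`not a JWS compact token (${format})`);
  const [header, payload] = token.split('.');
  return {
    header: JSON.parse(base64UrlDecode(header)),
    payload: JSON.parse(base64UrlDecode(payload)),
  };
}

// Decide whether a token is even a candidate for a Graph call and, if it is a
// readable JWS, report the claims that matter for the multi-tenant case.
function triageGraphToken(token) {
  const { format, segments } = classifyToken(token);
  if (format === 'opaque') {
    return { ok: false, format, reason: `opaque token (${segments} segment(s)); Graph rejects it as neither JWS nor JWE` };
  }
  if (format === 'jwe') {
    return { ok: false, format, reason: 'encrypted (JWE) token; claims cannot be inspected client-side' };
  }
  const { header, payload } = decodeJwsClaims(token);
  const audIsGraph = payload.aud === GRAPH_RESOURCE_URI || payload.aud === GRAPH_APP_ID;
  return {
    ok: audIsGraph,
    format,
    alg: header.alg,
    aud: payload.aud,
    tid: payload.tid,
    scp: payload.scp,
    reason: audIsGraph ? 'JWS addressed to Microsoft Graph' : `JWS addressed to ${payload.aud}, not Graph`,
  };
}

// --- Constructed sample tokens (not real tokens) ---
const CONSTRUCTED_TID = '11111111-2222-3333-4444-555555555555';
const OPAQUE_SAMPLE = 'PAQABAQIAAAB' + 'A'.repeat(60); // dot-less blob, shaped like the one in the question
const JWS_SAMPLE = [
  base64UrlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT', kid: 'constructed-kid' })),
  base64UrlEncode(JSON.stringify({
    aud: GRAPH_RESOURCE_URI,
    iss: `https://login.microsoftonline.com/${CONSTRUCTED_TID}/v2.0`,
    tid: CONSTRUCTED_TID,
    scp: 'openid email User.Read',
    exp: 1700000000,
  })),
  base64UrlEncode('constructed-signature-not-valid'),
].join('.');
const JWE_SAMPLE = ['eyJhbGciOiJSU0EtT0FFUCJ9', 'a', 'b', 'c', 'd'].join('.');

console.log(triageGraphToken(OPAQUE_SAMPLE).reason);
console.log(triageGraphToken(JWS_SAMPLE));

module.exports = { classifyToken, decodeJwsClaims, triageGraphToken, OPAQUE_SAMPLE, JWS_SAMPLE, JWE_SAMPLE, CONSTRUCTED_TID };
```

Running this against the two tokens the question contrasts would show the /common token landing in the `opaque` branch and the /{tenant}/v2.0 token decoding with its `aud`, `tid` and `scp` visible, which is the first thing worth logging in the Spring API before it ever calls Graph.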
