How to retrieve an Azure AD bearer token from the browser once logged in to any Microsoft application?

Amrutha Raphael 21 Reputation points
2021-02-01T16:26:43.547+00:00

While trying to implement SSO for a custom application that uses Azure AD login, to implement the case below, we need to get the access/bearer token (the value from a logged-in Microsoft application) and send it to the custom application (which uses Azure AD credentials) to complete the login.

Case 1: The user logs in to a Microsoft application (e.g. ERP / office.com) using Azure AD login and the login succeeds. Then the same user tries to log in to the custom application. Here we need to pass the access/bearer token that was already created by the initial login to any Microsoft application, so that the custom application can send the bearer token in an API call and create the authorization values needed for the custom application. That way the custom application can be logged in successfully, making it look like SSO, as both use Azure AD credentials to log in.

Issue: Not able to retrieve the bearer token that is created by the Microsoft application when logged in. Where is the access token stored once logged in to a Microsoft application, in the front end / browser / .NET Core?

Tech stack: On the front end we are using Angular 5, ADAL and the adal-angular library to implement Azure AD login.

Questions:

  1. Can we get the bearer token using any of the ADAL functions in the custom application before calling `authenticationContext.login()`?
  2. Once a Microsoft application logs in, is the bearer token stored somewhere for reference, so that in another tab, when the user tries to log in to another Microsoft application, it does SSO and logs in?
  3. How do you check the validity of the access token when trying to log in to another Microsoft application?

Accepted answer

soumi-MSFT 11,716 Reputation points Microsoft Employee
2021-02-03T07:04:10.817+00:00

Hello @Amrutha Raphael, thank you for reaching out. There is no way to fetch the access token from any application that uses MSAL/ADAL as the library, be it a first-party app like the Office 365 apps or any other third-party application. These libraries use something called an application cache, and the refresh token is stored in the application cache so that it can be used later on for fetching new access tokens and maintaining the session.

One of the other things that can be done is utilizing the PRT (Primary Refresh Token), which is used by all first-party apps to maintain SSO. I am not totally sure whether you can use that with third-party apps or not. You can read more on PRTs here: https://learn.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token

But as far as the access token is concerned, you would have to fetch an access token for each individual app, as that is what we recommend. You can use the OAuth 2.0 flows and fetch an access token from AAD using the preferred OAuth 2.0 flow.

I would suggest adding independent authentication with AAD using the recommended library, i.e. MSAL, and fetching the access tokens from AAD. That way things would be cleaner and more secure. You can refer to the following doc to check the different samples available in various programming languages; all of them implement OIDC to get the users authenticated to AAD and then use MSAL to fetch the access tokens from AAD: https://learn.microsoft.com/en-us/azure/active-directory/develop/sample-v2-code

Hope this helps.

Do let us know if this helps, and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as an Answer if the above response helped in answering your query.
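As an added example that is not part of the original thread: the audience and expiry check behind question 3, written for Node.js, which also shows why a token another Microsoft application obtained (for example for Microsoft Graph) is not usable by the custom application's own API. The tenant id, API identifier, timestamps and tokens are constructed placeholders; the signature is deliberately not verified here, since only the API that owns the audience should do that against the tenant's published signing keys.

```javascript
// Added example (not from the original post). Assumes Node.js >= 16 for the
// 'base64url' Buffer encoding and a token in compact JWS form (header.payload.sig).
// This decodes and sanity-checks claims only; it does NOT verify the signature.

function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Decide whether a token can be sent to a given API. Returns { usable, reason }.
// expectedAud: App ID URI or client id of the API the token will be sent to.
// expectedTid: the tenant the custom app trusts. nowSeconds: for deterministic tests.
function checkAccessToken(token, expectedAud, expectedTid,
                          nowSeconds = Math.floor(Date.now() / 1000)) {
  let claims;
  try { claims = decodeJwtPayload(token); }
  catch (e) { return { usable: false, reason: 'malformed token' }; }
  // A token minted for another resource (e.g. Graph) must not be replayed to this API.
  if (claims.aud !== expectedAud) {
    return { usable: false, reason: `audience ${claims.aud} is not ${expectedAud}` };
  }
  if (claims.tid !== expectedTid) return { usable: false, reason: 'wrong tenant' };
  // Treat tokens within 60 s of expiry as unusable so a request does not fail mid-flight.
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds + 60) {
    return { usable: false, reason: 'expired or about to expire' };
  }
  if (typeof claims.nbf === 'number' && claims.nbf > nowSeconds) {
    return { usable: false, reason: 'not yet valid' };
  }
  return { usable: true, reason: 'ok' };
}

// Constructed sample tokens: base64url(header).base64url(payload).placeholder signature.
function makeSampleToken(claims) {
  const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${b64({ alg: 'RS256', typ: 'JWT' })}.${b64(claims)}.sig-placeholder`;
}

const NOW = 1612195200;                                  // constructed: 2021-02-01T16:00:00Z
const TENANT = '00000000-0000-0000-0000-000000000001';   // placeholder tenant id
const CUSTOM_API = 'api://custom-app-placeholder';       // placeholder App ID URI

// Token another Microsoft app acquired for Graph: wrong audience for the custom API.
const graphToken = makeSampleToken({ aud: 'https://graph.microsoft.com', tid: TENANT, exp: NOW + 3600 });
// Token the custom app acquired itself (via MSAL) for its own API: usable.
const ownToken = makeSampleToken({ aud: CUSTOM_API, tid: TENANT, nbf: NOW - 60, exp: NOW + 3600 });
```

Run with `node` and call `checkAccessToken(graphToken, CUSTOM_API, TENANT, NOW)` versus `checkAccessToken(ownToken, CUSTOM_API, TENANT, NOW)` to see the audience mismatch rejected and the app's own token accepted.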

