Azure AD access token not JWT

James 6 Reputation points
2022-10-29T01:48:04.887+00:00

Hi all,

I'm writing a web app with my own back-end API. I've successfully integrated the web app with SSO to Azure AD. The web app reverse proxies to the back-end API providing the authentication bearer the access token. i believe i'm following the recommended flow.

The token as received by back-end API is not in JWT format. its 600+ bytes in length. I've read there are other formats which Azure AD supports, but they are generally only used on Microsoft APIs and not readable or validatable by others.

I'm use the OIDC Provider Meta URL: https://sts.windows.net/d989a3a0-9761-4e01-844b-fef2b7c1396c/.well-known/openid-configuration

I've tried lots of different settings in Azure AD, but still struggling to get it in JWT format.

Initially i assumed it was encrypted or encoded or both, but i think its just a Microsoft proprietary format.

Can someone shed some light on this, I'm quite new to this technology.

Any help would be very much appreciated.

Cheers

James

Microsoft Entra External ID
Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.
2,760 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. James 6 Reputation points
    2022-10-29T09:44:14.463+00:00

    Answered my own question.

    Basically followed the very good video at https://www.youtube.com/watch?v=59YwW8FrLm8

    and also made sure my OIDC scope was set, without it you will get an unreadable auth token.

    i'm using apache httpd mod_auth_openidc, my config looks like:

    OIDCProviderMetadataURL https://login.microsoftonline.com/d989a3a0-9761-4e01-844b-fef2b7c1396c/.well-known/openid-configuration
    OIDCRedirectURI http://localhost/foo
    OIDCClientID 59d7f244-6541-464b-9ea4-6cdba60509b1
    OIDCClientSecret .............
    OIDCCryptoPassphrase .................
    OIDCScope api://9e59d98b-d747-4a9a-96fd-178f04d08b02

    OIDCRemoteUserClaim upn
    OIDCPassClaimsAs headers

    ProxyPass /foo http://localhost:1234
    ProxyPassReverse /rest http://localhost:1234

    <Location /foo>
    AuthType openid-connect
    Require valid-user
    </Location>

    this proxies to my restapi with http request header containing:

    OIDC_access_token: eyJ0eXAiOiJKV1QiLCJhbGci....