Fetching user data from access token received from NextAuth.

Question

Fetching user data from access token received from NextAuth.

Aashutosh Aryal 45

I am trying to use NextAuth for next.js with Azure Active directory for single-sign-on. I followed the guide on Microsoft's identity platform quickstart guide: https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app

I receive an id_token and an access_token. I want to use one of these tokens get information about the user. I am able to decode the id_token but I get a Signature verification failed error when trying to decode the access_token.

What would be the proper way to achieve what I am trying to do?
What I am trying to accomplish: Get an authorization token (access or id token) from the frontend (Nextauth) and then the backend uses the token to retrieve user information like first name, last name, etc.

I looked into MSAL but it seems to be only for acquiring tokens and this has already been handled by Nextauth.

Aashutosh Aryal 45 Reputation points

2023-11-03T02:55:06.9866667+00:00

Thank you for the information.

How should i handle the redirect url in my second application (python backend) since I am just consuming the token i received from the fronted in a post request route where I intend to use msal to acquire the token via OBO flow. What should the redirect url be?
Navya 19,795 Reputation points Microsoft External Staff Moderator

2023-11-03T06:56:22.63+00:00

Hi @Aashutosh Aryal ,

As you mentioned you are using OBO flow means that you referring web API .Web APIs don't need to register a redirect URI because no user is interactively signed in.

For your reference to register application
Aashutosh Aryal 45 Reputation points

2023-11-03T07:48:44.2566667+00:00
Thank you. I figured that out but I am encountering another issue.

Obo flow does not work for users outside the organization even though the app is set to "Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)". Is this also the reason for the issue: https://learn.microsoft.com/en-us/answers/questions/1412039/difference-in-amount-of-information-provided-by-oc ? Also, the access token obtained from OBO flow does not seem to work with graph api with the error:

As you instructed, I created an app for the frontend and exposed an api. I then created another app and added the frontend's client id as the application client.

In the frontend from nextjs, i used the frontends api scope to obtain the access token. I then created a client in the backend as:

app = ConfidentialClientApplication( client_id=AZURE_FE_CLIENT_ID, client_credential=AZURE_FE_CLIENT_SECRET, ) result = app.acquire_token_on_behalf_of( user_assertion=ACCESS_TOKEN, scopes=["<My backend scope>"] )

However, the token obtained in the result variable fails with Invalid audience.

Thank you for your time and patience.
Navya 19,795 Reputation points Microsoft External Staff Moderator

2023-11-07T04:31:46.23+00:00
Hi@Aashutosh Aryal

This Error AADSTS500202 occurs in different scenarios.

If you use https://login.microsoftonline.com/<YourTenantNameOrID>, users from other organizations can't access the application.

To fix issue use the corresponding sign-in URL for the specific application type, as listed in the following table:

For your reference: https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/error-code-aadsts50020-user-account-identity-provider-does-not-exist

Error InvalidAuthneticationToken:
An access token has an audience (aud claim) that specifies what API it is meant for. Your client app needs to use your API's client id or application ID URI as the resource. This way you get an access token that is meant for your API.

Please check your application have define these parameters.

Resource URI - Configure Application ID URI as api://{clientId}

Scopes (delegated Permissions) - Add scope then add a client application this is pre-authorized client app (PCA), and users won't be prompted for their consent when signing into it.

App roles (Application Permission) - Create App roles to your application then Assign app roles to applications by going through API permission. Grant admin consent - API permissions pane -> select Grant admin consent for <tenant name> -> Select yes when prompted to grant consent for the requested permissions. Hopes above information helps. Do let us know if you have any queries.

Thanks,
Navya.
Navya 19,795 Reputation points Microsoft External Staff Moderator

2023-11-10T12:30:05.99+00:00

Hi @Aashutosh Aryal ,

If the information has been helpful in addressing your question, please accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
Navya 19,795 Reputation points Microsoft External Staff Moderator

2023-11-14T09:14:00.0666667+00:00

Hi @Aashutosh Aryal

Following up to see if the below answer was helpful. Please remember to "Accept Answer" if answer helped you. If you have any further query do let us know.

Accepted answer

0 additional answers

Your answer

Aashutosh Aryal 45 Reputation points

2023-11-03T02:55:06.9866667+00:00

Thank you for the information.

How should i handle the redirect url in my second application (python backend) since I am just consuming the token i received from the fronted in a post request route where I intend to use msal to acquire the token via OBO flow. What should the redirect url be?
Navya 19,795 Reputation points Microsoft External Staff Moderator

2023-11-03T06:56:22.63+00:00

Hi @Aashutosh Aryal ,

As you mentioned you are using OBO flow means that you referring web API .Web APIs don't need to register a redirect URI because no user is interactively signed in.

For your reference to register application
Aashutosh Aryal 45 Reputation points

2023-11-03T07:48:44.2566667+00:00

Thank you. I figured that out but I am encountering another issue.

Obo flow does not work for users outside the organization even though the app is set to "Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)". Is this also the reason for the issue: https://learn.microsoft.com/en-us/answers/questions/1412039/difference-in-amount-of-information-provided-by-oc ? Also, the access token obtained from OBO flow does not seem to work with graph api with the error:

As you instructed, I created an app for the frontend and exposed an api. I then created another app and added the frontend's client id as the application client.

In the frontend from nextjs, i used the frontends api scope to obtain the access token. I then created a client in the backend as:

app = ConfidentialClientApplication( client_id=AZURE_FE_CLIENT_ID, client_credential=AZURE_FE_CLIENT_SECRET, ) result = app.acquire_token_on_behalf_of( user_assertion=ACCESS_TOKEN, scopes=["<My backend scope>"] )

However, the token obtained in the result variable fails with Invalid audience.

Thank you for your time and patience.
Navya 19,795 Reputation points Microsoft External Staff Moderator

2023-11-07T04:31:46.23+00:00

Hi@Aashutosh Aryal

This Error AADSTS500202 occurs in different scenarios.

If you use https://login.microsoftonline.com/<YourTenantNameOrID>, users from other organizations can't access the application.

To fix issue use the corresponding sign-in URL for the specific application type, as listed in the following table:

For your reference: https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/error-code-aadsts50020-user-account-identity-provider-does-not-exist

Error InvalidAuthneticationToken:
An access token has an audience (aud claim) that specifies what API it is meant for. Your client app needs to use your API's client id or application ID URI as the resource. This way you get an access token that is meant for your API.

Please check your application have define these parameters.

Resource URI - Configure Application ID URI as api://{clientId}

Scopes (delegated Permissions) - Add scope then add a client application this is pre-authorized client app (PCA), and users won't be prompted for their consent when signing into it.

App roles (Application Permission) - Create App roles to your application then Assign app roles to applications by going through API permission. Grant admin consent - API permissions pane -> select Grant admin consent for <tenant name> -> Select yes when prompted to grant consent for the requested permissions. Hopes above information helps. Do let us know if you have any queries.

Thanks,
Navya.
Navya 19,795 Reputation points Microsoft External Staff Moderator

2023-11-10T12:30:05.99+00:00

Hi @Aashutosh Aryal ,

If the information has been helpful in addressing your question, please accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
Navya 19,795 Reputation points Microsoft External Staff Moderator

2023-11-14T09:14:00.0666667+00:00

Hi @Aashutosh Aryal

Following up to see if the below answer was helpful. Please remember to "Accept Answer" if answer helped you. If you have any further query do let us know.

Answer 1

Hi @Aashutosh Aryal , thanks for reaching us.
I understand you trying to use NextAuth for next.js with Azure Active directory for single-sign-on. You will be able to decode the id_token but get a Signature verification failed error when trying to decode the access token.

Register two applications in Azure AD for Front-end and Back-end.

Sign into the Azure portal -> select Azure Active Directory in the tenant ->register the application.

User's image

Create second application as followed above step.

To use OAuth 2.0 On-Behalf-Of flow (OBO) to get access tokens. Scope should be the Api://{client_id} so that no consent is required.

Azure active directory ->App registration -> select your Application

->Expose an API ->Add an Application ID URI as api://{clientid}

->Add scope and Client Application.

User's image

Go to second application ->Expose an API and add Application1 API as client application.
User's image

Use www.jwt.io to validate your access token.

• audience - Verifies that the ID token was intended to be given to your application. Access tokens are created based on the audience of the token,
meaning the application that owns the scopes in the token.
• not before and expiration time - Verifies that the ID token hasn't expired.
• issuer - Verifies that the token was issued to your application by Azure AD.
• nonce - A strategy for token replay attack mitigation.

To get User information using access token, you can use Graph API and make sure to use authorization as Bearer Token.

For your reference: https://microsoft.github.io/MicrosoftCloud/tutorials/docs/Authentication-App-With-NextJs-And-Microsoft-Graph/

https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-on-behalf-of-flow

Thanks,

Navya.

Hopes this helps. Do let us know if you have any queries.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Share via

Fetching user data from access token received from NextAuth.

0 additional answers

Your answer