[OIDC] Configure App registration to return non opaque access token

Jan 20 Reputation points
2023-12-05T09:42:04.5033333+00:00

Is there a way to have the oidc endpoint of entraid return a JWT access token instead of an opaque token?

In the documentation there are multiple examples of JWT style ATs instead of opaque ones:

https://learn.microsoft.com/en-us/entra/identity-platform/access-tokens

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,554 questions
{count} votes

Accepted answer
  1. Navya 6,615 Reputation points Microsoft Vendor
    2023-12-07T12:06:25.5233333+00:00

    Hi@Jan

    Yes, it's possible to get JWT Access tokens with AuthCodeFlow. Follow below steps:

    1.Register an Enterprise Application with Redirect URI.
    User's image

    Add User. Read delegated permissions which Allows users to sign-in to the app and allows the app to read the profile of signed-in users.
    Based on your requirement you can add scopes.
    User's image

    2.Open Browser and Request an authorization code with below URL

    https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?client_id={Application-Id}
    &response_type=code
    &redirect_uri=https%3A%2F%2Flogin.microsoftonline.com%2Fcommon%2Foauth2%2Fnativeclient(URL encoded)
    &response_mode=query
    &scope=user.read
    

    users have to enter their credentials and complete the authentication. Once the user authenticates and grants consent, the Microsoft identity platform returns a response to your app at the indicated redirect Uri.
    User's image

    3.Request an JWT access token using the Postman

    Set method as POST.
    Content-Type : application/x-www-form-urlencoded
    URL:https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
    client_id= Application_id
    scope=user.read
    code= {The code acquired in previous step}
    redirect_uri=https%3A%2F%2Flogin.microsoftonline.com%2Fcommon%2Foauth2%2Fnativeclient
    grant_type=authorization_code
    User's image

    Use Jwt.ms to decode your access token.

    Hope this helps. Do let us know if you any further queries.

    Thanks,
    Navya.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


1 additional answer

Sort by: Most helpful
  1. Navya 6,615 Reputation points Microsoft Vendor
    2023-12-05T11:43:50.6666667+00:00

    Hi@Jan

    Thank you for posting this in Microsoft Q&A.

    I understand you are looking for a way to have the OIDC endpoint of Entra Id return a JWT access token instead of an opaque token.

    Yes, there are way to have the OIDC endpoint of Entra ID return a JWT access token instead of an opaque token. To get JWT access token Follow below steps:

    Register an Enterprise application.

    1.Sign into the Microsoft Entra admin center
    2.Browse to Identity > Applications > App registrations and select new registration.
    3.Enter a display Name for your application and select supported account type then click on Create.
    4.Select Expose an API ->Add Application ID then add scope.
    User's image

    5.Select the API permissions -> Select Add a permission -> Add the scope which you added earlier step -> then select Grant admin consent.
    User's image

    6.Select Certificates & Secrets blade - Add Client_Secret as below
    User's image

    Use Postman to get JWT access token.

    Set method as POST.
    Headers: Content-Type: application/x-www-form-urlencoded
    URL: https://login.microsoftonline.com/{tenant-Id}/oauth2/v2.0/token
    grant_type : client_credentials
    client_id : ApplicationId
    scope : {api://AppId/.default}
    client_secret: application client-secret
    User's image

    Like this way you can get JWT access token

    You can use www.jwt.io to validate your JWT access token.

    For your reference: OAuth 2.0 client credentials flow

    Hope this helps. Do let us know if you any further queries.

    Thanks,
    Navya

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.