[OIDC] Configure App registration to return non opaque access token

Jan 20 Reputation points
2023-12-05T09:42:04.5033333+00:00

Is there a way to have the oidc endpoint of entraid return a JWT access token instead of an opaque token?

In the documentation there are multiple examples of JWT style ATs instead of opaque ones:

https://learn.microsoft.com/en-us/entra/identity-platform/access-tokens


Accepted answer
  1. Navya 10,955 Reputation points Microsoft Vendor
    2023-12-07T12:06:25.5233333+00:00

    Hi @Jan

    Yes, it's possible to get JWT access tokens with the auth code flow. Follow the steps below:

    1. Register an Enterprise Application with a Redirect URI.

    Add the User.Read delegated permission, which allows users to sign in to the app and allows the app to read the profile of signed-in users.
    Based on your requirement you can add scopes.

    2. Open a browser and request an authorization code with the URL below:

    https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?client_id={Application-Id}
    &response_type=code
    &redirect_uri=https%3A%2F%2Flogin.microsoftonline.com%2Fcommon%2Foauth2%2Fnativeclient(URL encoded)
    &response_mode=query
    &scope=user.read

    Users have to enter their credentials and complete the authentication. Once the user authenticates and grants consent, the Microsoft identity platform returns a response to your app at the indicated redirect URI.

    3. Request a JWT access token using Postman.

    Set method as POST.
    Content-Type : application/x-www-form-urlencoded
    URL: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
    client_id={Application-Id}
    scope=user.read
    code={The code acquired in the previous step}
    redirect_uri=https%3A%2F%2Flogin.microsoftonline.com%2Fcommon%2Foauth2%2Fnativeclient
    grant_type=authorization_code

    Use jwt.ms to decode your access token.

    Hope this helps. Do let us know if you have any further queries.

    Thanks,
    Navya.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


1 additional answer

  1. Navya 10,955 Reputation points Microsoft Vendor
    2023-12-05T11:43:50.6666667+00:00

    Hi @Jan

    Thank you for posting this in Microsoft Q&A.

    I understand you are looking for a way to have the OIDC endpoint of Entra ID return a JWT access token instead of an opaque token.

    Yes, there is a way to have the OIDC endpoint of Entra ID return a JWT access token instead of an opaque token. To get a JWT access token, follow the steps below:

    Register an Enterprise application.

    1. Sign in to the Microsoft Entra admin center.
    2. Browse to Identity > Applications > App registrations and select New registration.
    3. Enter a display name for your application, select the supported account type, then click Create.
    4. Select Expose an API -> Add Application ID, then add a scope.

    5. Select API permissions -> Select Add a permission -> Add the scope you added in the earlier step -> then select Grant admin consent.

    6. Select the Certificates & secrets blade and add a client secret as below.

    Use Postman to get a JWT access token.

    Set method as POST.
    Headers: Content-Type: application/x-www-form-urlencoded
    URL: https://login.microsoftonline.com/{tenant-Id}/oauth2/v2.0/token
    grant_type: client_credentials
    client_id: ApplicationId
    scope: {api://AppId/.default}
    client_secret: application client-secret

    This way you can get a JWT access token.

    You can use www.jwt.io to validate your JWT access token.

    For your reference: OAuth 2.0 client credentials flow

    Hope this helps. Do let us know if you have any further queries.

    Thanks,
    Navya

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
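As an added example (not from either answer above, nor Microsoft's own tooling), the Python below builds the form body for either token request shown in the two answers (authorization_code from the accepted answer, client_credentials from the second) and inspects the access token that comes back, telling an opaque value from a JWT and checking aud, exp and ver. The endpoint and field names are taken from the answers; the sample token and the api://<app-id> audience are constructed placeholders.

```python
import base64
import json
from urllib.parse import urlencode

# v2.0 token endpoint from both answers; {tenant} is the tenant id or "common".
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
# Form fields each grant needs, as listed in the accepted and the second answer.
REQUIRED = {
    "authorization_code": ("client_id", "scope", "code", "redirect_uri"),
    "client_credentials": ("client_id", "scope", "client_secret"),
}

def token_request_body(grant, **fields):
    """Build the x-www-form-urlencoded body for TOKEN_URL. urlencode() does the
    percent-encoding, so pass redirect_uri raw rather than pre-encoded."""
    missing = [k for k in REQUIRED[grant] if k not in fields]
    if missing:
        raise ValueError(f"{grant} grant is missing {missing}")
    return urlencode({"grant_type": grant, **fields})

def _b64url_json(segment):
    """Decode one base64url JWT segment (JWTs strip the '=' padding)."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def inspect_access_token(token, expected_aud, now):
    """Classify a token as opaque or JWT and check the claims an API reads first.
    Signature is deliberately not verified: a Graph token (scope user.read) is
    Graph's to validate, and your own API (scope api://AppId/.default) must check
    the signature against the tenant's signing keys, which needs a network fetch."""
    parts = token.split(".")
    if len(parts) != 3:
        return {"format": "opaque"}
    header, claims = _b64url_json(parts[0]), _b64url_json(parts[1])
    return {
        "format": "jwt",
        "alg": header.get("alg"),
        "ver": claims.get("ver"),
        "aud_ok": claims.get("aud") == expected_aud,
        "expired": int(claims.get("exp", 0)) <= now,
        "scopes": claims.get("scp") or claims.get("roles"),
    }

def sample_token(claims):
    """Constructed, unsigned sample so the example runs offline; a real token
    carries an RS256 signature in the third segment."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'typ': 'JWT', 'alg': 'RS256', 'kid': 'constructed'})}.{enc(claims)}.sig-placeholder"
```

Paste a real token from the endpoint into inspect_access_token to confirm it is a three-segment JWT with the audience you requested before wiring up full validation in your API.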

