Azure AD Opaque Token Validation

Jimmy 25 Reputation points
2023-12-14T03:37:39.59+00:00

In Azure AD, if you have a client application (SPA) in which the user signs in, and in the backend you receive the access token (opaque, not JWT), what do you do to validate the (aud or appId or clientId) of the token? You can verify the token by calling the Graph API, but how can you verify that this token was specifically generated for your app, or do I not need to validate that?

  • In Facebook Graph, they have an API called Debug Token; after research I found that Azure doesn't provide a similar API.


PS:


Accepted answer
  Shweta Mathur, Microsoft Employee Moderator
    2023-12-14T06:40:26.23+00:00

    Hi @Jimmy ,

    Thanks for reaching out.

    Unfortunately, Microsoft Entra ID or Microsoft Graph does not support introspection and opaque tokens.

    Token introspection doesn't use a JWT format for the token. Instead, token introspection uses an opaque string that the resource API can't interpret. The resource API sends the token to the identity provider on each call. The identity provider then checks for any conditions and returns data that the resource API can use to complete the operation. But this is an expensive approach, so Microsoft came up with a remedy using CAE.

    Reference: https://learn.microsoft.com/en-us/security/zero-trust/develop/secure-with-cae

    I would suggest you post this idea at the Azure Feedback Portal, which is monitored by the product team for feature enhancements.

    Hope this will help.

    Thanks,

    Shweta

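As an added example, not code from the question or the answer above: a Python claims check that a backend API can run on an Entra-issued access token after the token's RS256 signature has been verified against the tenant's JWKS (that signature step is assumed to happen elsewhere and is not shown). It rejects opaque (non-JWT) tokens and tokens whose audience is Microsoft Graph, then checks aud, tid, iss and exp. The expected audience, tenant id and the sample tokens are constructed values; `make_test_token` only builds unsigned fixtures for the demonstration.

```python
import base64
import json
import time
from typing import Optional, Set, Tuple

# Audience values Microsoft Graph access tokens are issued under. A backend API
# must not treat such a token as proof of the caller's identity for its own endpoints.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def classify_token(token: str) -> str:
    """Return 'jwt' for a three-segment header.payload.signature string, else 'opaque'."""
    parts = token.split(".")
    return "jwt" if len(parts) == 3 and all(parts) else "opaque"


def check_claims(token: str, expected_auds: Set[str], expected_tid: str,
                 now: Optional[float] = None) -> Tuple[bool, str]:
    """Validate aud/tid/iss/exp of a token whose signature was ALREADY verified.

    Claims of an unverified token must never be trusted; this function assumes
    the JWKS signature check happened before it is called.
    """
    if classify_token(token) != "jwt":
        return False, "opaque token: not a JWT issued for this API and cannot be introspected"
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    aud = payload.get("aud")
    if aud in GRAPH_AUDIENCES:
        return False, "token was issued for Microsoft Graph, not for this API"
    if aud not in expected_auds:
        return False, f"aud mismatch: {aud!r}"
    if payload.get("tid") != expected_tid:
        return False, "tid mismatch"
    iss = payload.get("iss", "")
    # v2.0 tokens use login.microsoftonline.com/{tid}/v2.0; v1.0 tokens use sts.windows.net/{tid}/
    if iss not in (f"https://login.microsoftonline.com/{expected_tid}/v2.0",
                   f"https://sts.windows.net/{expected_tid}/"):
        return False, f"unexpected issuer: {iss!r}"
    if payload.get("exp", 0) <= (now if now is not None else time.time()):
        return False, "token expired"
    return True, "ok"


def make_test_token(payload: dict) -> str:
    """Build a constructed, UNSIGNED JWT-shaped fixture for testing the claim checks only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.fakesignature"
```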
