Query Regarding Azure Active Directory Authentication Tokens

Saket 0 Reputation points
2024-05-13T03:34:21.0666667+00:00

I am writing to seek assistance regarding an issue I am encountering with Azure Active Directory authentication tokens in my application.

Currently, I am utilizing Microsoft Azure Active Directory for authentication and authorization within my application environment. The setup involves multiple microservices, with one microservice acting as an API gateway (entry point). The primary function of this gateway service is to authenticate users and subsequently route API requests to specific microservices. Once authenticated, the API gateway routes the requests to the appropriate microservice along with the ID token.

However, I have encountered an issue with the tokens provided by Azure AD upon successful authentication. Specifically, Azure AD provides two tokens: an access token and an ID token. While I have assigned roles to users from the Azure AD dashboard, I have noticed that these roles are only present in the ID token and not in the access token.

Usually the ID token is not used for authorization; the access token is the one which is used for authorization. Currently I have modified my code in the gateway service to forward the ID token instead of the access token.

My requirement is to have the roles included in the access token instead of solely in the ID token. This is crucial for seamless authorization within the microservices architecture.

Could you please advise if there is a way to configure Azure Active Directory to include roles in the access token? Any guidance or best practices on how to achieve this would be greatly appreciated.

Thanks and regards.

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

1 answer

  1. Akshay-MSFT 16,511 Reputation points Microsoft Employee
    2024-05-15T08:24:51.76+00:00

    @Saket

    From the above description, I understand that you are looking to add the roles of members/guests, when signing into the application, to the access token rather than the ID token.

    Please do correct me if this is not the ask.

    As per Add app roles to your application and receive them in the token, this is by design:

    When the app role is set to enabled, any users, applications or groups who are assigned have it included in their tokens. These can be access tokens when your app is the API being called by an app, or ID tokens when your app is signing in a user.

    • Ensure that the application has implicit and hybrid grant flows enabled:


    • The request must go to the organization (tenant) endpoint and not common/personal, as those would not emit the roles. An example is given below:

    https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize?
    client_id={Application ID}
    &response_type=code%20id_token
    &redirect_uri=http://localhost/myapp/
    &response_mode=form_post
    &scope=openid%20https://graph.microsoft.com/mail.read
    &state=12345
    &nonce=abcde

    • Extract the code from the request you sent above:


    • The id_token will contain the app roles assigned to the guest user, and the issuer endpoint with the tenant id:


    • The access_token will contain the user info, the tenant id and the wids claim (containing the user's permission template GUIDs):


    If you don't have any further queries and the suggestion works as per your business need, please "Accept the answer (Yes)" and "share your feedback". This will help us and others in the community as well.

    Thanks,

    Akshay Kaushik

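The point in the answer's quoted documentation is that app roles land in an access token only when "your app is the API being called", i.e. when the token's audience is the app registration the roles are defined on. A token requested with `https://graph.microsoft.com/mail.read` has Microsoft Graph as its audience, so roles assigned on the gateway or on a downstream API never appear in it; the gateway has to request a token scoped to the downstream API (in the v2.0 endpoint, `api://<api-client-id>/.default` or a scope exposed by that API) and forward that, not the ID token. The following is an added example, not code from the question or the answer: it builds the hybrid-flow authorize URL with correct encoding and shows the checks a downstream microservice should make before trusting a forwarded bearer token's `roles` claim. All GUIDs, user names and claim sets are constructed, and signature verification is deliberately left out (see `decode_jwt_claims`) so the example runs offline.

```python
"""Added example (not from the Q&A thread): what a downstream microservice should
verify before trusting the 'roles' claim in a token forwarded by an API gateway.
All GUIDs, names and claim sets below are constructed for the example.
Signature verification is deliberately omitted (see decode_jwt_claims)."""
import base64
import json
import time
from urllib.parse import quote, urlencode

# Constructed identifiers (not real tenants or app registrations).
TENANT_ID = "11111111-2222-3333-4444-555555555555"
GATEWAY_CLIENT_ID = "aaaaaaaa-0000-0000-0000-000000000001"    # the gateway's app registration
ORDERS_API_CLIENT_ID = "bbbbbbbb-0000-0000-0000-000000000002"  # a downstream API's registration
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"          # Microsoft Graph (real, well-known app id)
ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"  # tenant issuer, not /common


def build_authorize_url(tenant_id, client_id, redirect_uri, scopes, state, nonce):
    """Hybrid-flow authorize request against the tenant endpoint.
    'response_type' and 'scope' are space-separated lists and must be URL-encoded;
    when id_token is requested, response_mode must be fragment or form_post, not query."""
    params = {
        "client_id": client_id,
        "response_type": "code id_token",
        "redirect_uri": redirect_uri,
        "response_mode": "form_post",
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
    }
    return (f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize?"
            + urlencode(params, safe=":/", quote_via=quote))


class TokenRejected(Exception):
    pass


def decode_jwt_claims(token):
    """Decode the payload of a compact JWT WITHOUT checking the signature.
    A real API must first verify the signature against the tenant's JWKS
    (jwks_uri in .../{tenant_id}/v2.0/.well-known/openid-configuration);
    it is left out here only so the example runs offline."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def authorize_api_call(token, api_client_id, required_role, now=None):
    """Checks a downstream API makes on a forwarded bearer token; returns the caller's app roles."""
    now = time.time() if now is None else now
    c = decode_jwt_claims(token)
    if c.get("iss") != ISSUER:  # issued by our tenant's v2.0 endpoint
        raise TokenRejected(f"unexpected issuer {c.get('iss')!r}")
    if not (c.get("nbf", 0) <= now < c.get("exp", 0)):
        raise TokenRejected("token expired or not yet valid")
    # The audience must be THIS API. An ID token's aud is the gateway's client id and an
    # access token for Graph has aud GRAPH_APP_ID; neither carries roles defined on this API.
    if c.get("aud") not in (api_client_id, f"api://{api_client_id}"):
        raise TokenRejected(f"token audience {c.get('aud')!r} is not this API")
    if "nonce" in c:  # ID tokens echo the sign-in nonce; access tokens do not
        raise TokenRejected("ID token presented as a bearer credential")
    roles = set(c.get("roles", []))
    if required_role not in roles:
        raise TokenRejected(f"missing app role {required_role!r}")
    return roles


def _unsigned_token(claims):
    """Build header.payload.signature with a dummy signature for the constructed samples."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'RS256', 'typ': 'JWT'})}.{b64(claims)}.c2lnbmF0dXJl"


NOW = 1_715_600_000  # fixed clock for the constructed samples
_base = {"iss": ISSUER, "tid": TENANT_ID, "nbf": NOW - 60, "exp": NOW + 3600,
         "oid": "cccccccc-0000-0000-0000-000000000003",
         "preferred_username": "user@contoso.example"}

# ID token from sign-in at the gateway: roles assigned on the GATEWAY registration show up here.
ID_TOKEN = _unsigned_token({**_base, "aud": GATEWAY_CLIENT_ID, "nonce": "abcde",
                            "roles": ["Orders.Admin"]})
# Access token requested with scope https://graph.microsoft.com/mail.read: audience is Graph, no roles.
GRAPH_ACCESS_TOKEN = _unsigned_token({**_base, "aud": GRAPH_APP_ID, "scp": "Mail.Read"})
# Access token requested with scope api://{ORDERS_API_CLIENT_ID}/.default: audience is the Orders
# API, and roles assigned on the Orders API's own registration appear in 'roles'.
ORDERS_ACCESS_TOKEN = _unsigned_token({**_base, "aud": ORDERS_API_CLIENT_ID,
                                       "scp": "access_as_user", "roles": ["Orders.Admin"]})

if __name__ == "__main__":
    print(build_authorize_url(TENANT_ID, GATEWAY_CLIENT_ID, "http://localhost/myapp/",
                              ["openid", "https://graph.microsoft.com/mail.read"], "12345", "abcde"))
    for name, tok in [("id_token", ID_TOKEN), ("graph access", GRAPH_ACCESS_TOKEN),
                      ("orders access", ORDERS_ACCESS_TOKEN)]:
        try:
            print(name, "->", authorize_api_call(tok, ORDERS_API_CLIENT_ID, "Orders.Admin", now=NOW))
        except TokenRejected as e:
            print(name, "-> rejected:", e)
```

Only the third token is accepted: the ID token fails the audience check (and the nonce check), and the Graph token fails the audience check, which is exactly the behaviour the thread is seeing when the gateway forwards the wrong token. In production, replace `decode_jwt_claims` with a library that validates the signature and `kid` against the tenant JWKS before any of these claim checks run.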