Login.live Opaque Access Token
I am currently trying to create a website where I'm able to log in with Microsoft (Microsoft Entra ID) and also get data from Minecraft if the user has Minecraft connected to their account.
Therefore I used the authorization_code flow for login.live.com, using the spec https://login.live.com/.well-known/openid-configuration:
GET https://login.live.com/oauth20_authorize.srf?
client_id=xxx&
scope=XboxLive.signin+XboxLive.offline_access+openid+profile+offline_access&
redirect_uri=http://localhost:8080/redirect&
response_type=code&
response_mode=query&
nonce=xxx&
tenant=consumers
What I get is the authorization code.
Now when I try to get the tokens:
POST https://login.live.com/oauth20_token.srf?
client_id=xxx&
client_secret=xxx&
code=xxx&
redirect_uri=http://localhost:8080/redirect&
grant_type=authorization_code
Response:
{
"token_type": "bearer",
"expires_in": 3600,
"scope": "XboxLive.signin XboxLive.offline_access",
"access_token": "EwAoxxx",
"refresh_token": "M.C527xxx",
"id_token": "eyJ0eXAixxx"
}
The problem I now have is that the access token is an opaque token.
There is no token introspection endpoint to validate the token, nor any documentation on changing the access-token response to a JWT instead.
My BFF has all 3 tokens stored and can authenticate requests, but my internal APIs authenticate requests via access tokens, so there I'm not able to handle the forwarded access token from the BFF.
Here is my flow:
Post on stackoverflow: https://stackoverflow.com/questions/79235827/spring-oauth2-flow-with-azure-ad
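As an added example (not code from the question, nor from Microsoft or Spring), here is the BFF pattern the question describes, in Python: the BFF keeps the opaque login.live access token and refresh token server-side, records which of the returned tokens are actually JWTs, and hands its own short-lived HS256-signed token to the internal APIs instead of forwarding the opaque token that those APIs cannot validate. Everything in the block is constructed: the token values are the truncated ones quoted in the question, the id_token is a made-up three-part JWT with a placeholder signature, and the shared key, session ids, subject and issuer/audience names are assumptions. Verifying the real id_token against the jwks_uri from the openid-configuration is left as a separate step; `subject` stands in for a `sub` claim that was verified that way.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample of the token response quoted in the question; the id_token
# is a made-up three-part JWT with a placeholder signature, not a real Microsoft token.
SAMPLE_TOKEN_RESPONSE = {
    "token_type": "bearer",
    "expires_in": 3600,
    "scope": "XboxLive.signin XboxLive.offline_access",
    "access_token": "EwAoxxx",
    "refresh_token": "M.C527xxx",
    "id_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiIxMjM0In0.c2ln",
}

# Assumption: a secret shared between the BFF and the internal APIs (a real
# deployment would use a managed, rotated key or an asymmetric key pair).
INTERNAL_KEY = b"hypothetical-bff-internal-signing-key"

# Server-side store of upstream tokens, keyed by BFF session id (in-memory for the example).
SESSIONS: dict = {}


def _b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def looks_like_jwt(token: str) -> bool:
    """True only for a three-part token whose first part is a JSON header with 'alg'.
    The opaque access_token ('EwAo...') fails this check; the id_token passes it."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except (ValueError, UnicodeDecodeError):
        return False
    return isinstance(header, dict) and "alg" in header


def mint_internal_token(session_id: str, subject: str, ttl: int = 300,
                        now: Optional[int] = None, key: bytes = INTERNAL_KEY) -> str:
    """HS256 JWT the BFF hands to internal APIs; it never carries the upstream tokens."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": "bff", "aud": "internal-api", "sub": subject,
               "sid": session_id, "iat": now, "exp": now + ttl}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_internal_token(token: str, now: Optional[int] = None,
                          key: bytes = INTERNAL_KEY) -> Optional[dict]:
    """Internal-API side: pin the alg, check the signature in constant time, then iss/aud/exp."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    signing_input = parts[0] + "." + parts[1]
    try:
        header = json.loads(_b64url_decode(parts[0]))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None  # refuses 'none' and any algorithm swap, including RS256 id_tokens
        expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
            return None
        payload = json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(payload, dict):
        return None
    if payload.get("iss") != "bff" or payload.get("aud") != "internal-api":
        return None
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    return payload


def bff_login(token_response: dict, session_id: str, subject: str,
              now: Optional[int] = None) -> str:
    """Store the upstream tokens server-side and return the BFF's own token for internal calls."""
    SESSIONS[session_id] = {
        "upstream_access_token": token_response["access_token"],
        "upstream_refresh_token": token_response["refresh_token"],
        "access_token_is_jwt": looks_like_jwt(token_response["access_token"]),
    }
    return mint_internal_token(session_id, subject, now=now)


def upstream_token_for(session_id: str) -> Optional[str]:
    """Only the BFF reads the opaque token back, e.g. to call Xbox Live on the user's behalf."""
    entry = SESSIONS.get(session_id)
    return entry["upstream_access_token"] if entry else None
```

The internal APIs validate only the BFF-issued token, so the opaque login.live token never has to be introspected downstream; the BFF uses it (and the refresh token) itself when calling Xbox Live. Pinning `alg` to HS256 and comparing the signature with `hmac.compare_digest` are the two checks a hand-rolled verifier most often gets wrong.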