How to use OAuth flow for Windows login with the access token?
How can I use the SAML assertion from Entra ID to exchange for an Access Token from Entra ID? I would like to use the Access Token to log in to Windows.
Microsoft Entra ID
-
CheeWill • 0 Reputation points
2025-01-03T03:32:24.23+00:00 -
BANDELA Siri Chandana • 1,390 Reputation points • Microsoft Vendor
2025-01-03T17:57:45.8633333+00:00 Hi @CheeWill
Thank you for posting your query on Microsoft Q&A.
I understand that you are trying to use OAuth flow for Windows login with the access token.
The OAuth 2.0 SAML bearer assertion flow allows you to request an OAuth access token using a SAML assertion when a client needs to use an existing trust relationship.
The SAML assertion is posted to the OAuth token endpoint. The endpoint processes the assertion and issues an access token based on prior approval of the app.
Create a POST request to the AD FS endpoint using SOAP envelope to fetch the SAML assertion.
Fetch an OAuth 2.0 token using the AD FS assertion response.
This type of flow supports users authenticating with identity providers such as Active Directory Federation Services (ADFS) to Azure Active Directory. The SAML assertion obtained from ADFS can be used in an OAuth flow to authenticate the user.
Follow the document for more information: https://learn.microsoft.com/en-us/entra/identity-platform/v2-saml-bearer-assertion
Kindly refer to the source document: https://learn.microsoft.com/en-us/entra/identity-platform/scenario-token-exchange-saml-oauth#scenario-you-have-a-saml-token-and-want-to-call-the-graph-api
Hope this helps. Do let us know if you have any further queries.
Thanks,
B. Siri Chandana.
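The SAML bearer assertion flow in the answer above is, on the wire, a single form-encoded POST to the token endpoint carrying the base64url-encoded assertion. The following is an added example, not code from this thread or from Microsoft: it runs a local pre-flight check on the assertion (validity window and audience, so an expired or mis-targeted assertion is never sent) and then assembles the request body as RFC 7522 describes. The sample assertion, the audience value, the client ID and the grant type constant are constructed assumptions; the Microsoft endpoint documents its own grant type and parameter names in the linked page, so substitute those before using this against a real tenant. The token endpoint still verifies the assertion's signature; this check does not replace that.

```python
"""Pre-flight check and request assembly for an OAuth 2.0 SAML bearer
assertion grant (RFC 7522). Added example; all values are constructed."""
import base64
import datetime as dt
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# RFC 7522 grant type for SAML 2.0 assertions. Assumption: Microsoft's v2 endpoint
# documents its own grant type for AD FS assertions; use the value from the docs.
GRANT_TYPE_SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"

# Constructed, unsigned sample assertion for demonstration only.
EXPECTED_AUDIENCE = "urn:example:token-endpoint"  # constructed placeholder
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML2_NS}" ID="_sample1" Version="2.0" IssueInstant="2025-01-03T17:00:00Z">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>user@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2025-01-03T17:00:00Z" NotOnOrAfter="2025-01-03T18:00:00Z">
    <saml:AudienceRestriction><saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_saml_time(value: str) -> dt.datetime:
    """SAML timestamps are UTC ISO 8601 with a trailing Z; return an aware datetime."""
    return dt.datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_assertion(assertion_xml: str, expected_audience: str, now: dt.datetime) -> list:
    """Return the problems found locally (empty list means the assertion looks usable).
    Checks the validity window and the audience restriction only; the signature is
    verified by the token endpoint, not here."""
    problems = []
    root = ET.fromstring(assertion_xml)
    if root.tag != f"{{{SAML2_NS}}}Assertion":
        return ["root element is not a SAML 2.0 Assertion"]
    conditions = root.find(f"{{{SAML2_NS}}}Conditions")
    if conditions is None:
        return ["assertion carries no Conditions element"]
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before and now < parse_saml_time(not_before):
        problems.append("assertion not yet valid")
    if not_on_or_after and now >= parse_saml_time(not_on_or_after):
        problems.append("assertion expired")
    audiences = [a.text for a in conditions.iter(f"{{{SAML2_NS}}}Audience")]
    if expected_audience not in audiences:
        problems.append(f"audience mismatch: expected {expected_audience!r}, got {audiences!r}")
    return problems


def encode_assertion(assertion_xml: str) -> str:
    """base64url without padding, as RFC 7522 requires for the assertion parameter."""
    return base64.urlsafe_b64encode(assertion_xml.encode("utf-8")).decode("ascii").rstrip("=")


def decode_assertion(encoded: str) -> str:
    """Inverse of encode_assertion, useful when inspecting a captured token request."""
    padding = "=" * (-len(encoded) % 4)
    return base64.urlsafe_b64decode(encoded + padding).decode("utf-8")


def build_token_request(assertion_xml: str, client_id: str, scope: str, client_secret: str = None) -> dict:
    """Form parameters for the token endpoint. Assumption: parameter names follow
    RFC 7522 plus the client_id/scope/client_secret fields the Microsoft docs list."""
    params = {
        "grant_type": GRANT_TYPE_SAML2_BEARER,
        "assertion": encode_assertion(assertion_xml),
        "client_id": client_id,
        "scope": scope,
    }
    if client_secret:  # confidential clients only; never log this body
        params["client_secret"] = client_secret
    return params


if __name__ == "__main__":
    now = dt.datetime(2025, 1, 3, 17, 30, tzinfo=dt.timezone.utc)
    issues = check_assertion(SAMPLE_ASSERTION, EXPECTED_AUDIENCE, now)
    if issues:
        raise SystemExit("refusing to send assertion: " + "; ".join(issues))
    body = build_token_request(SAMPLE_ASSERTION, "CLIENT_ID_PLACEHOLDER", "https://graph.microsoft.com/.default")
    print(urlencode(body)[:120] + "...")
```

The audience and time checks are what a practitioner reaches for first when the endpoint answers with a generic grant error: the assertion must name the token endpoint's expected audience and still be inside its NotBefore/NotOnOrAfter window at the moment the POST is made, and clock skew between the issuer and the client is the usual cause of an "expired" assertion that looks fresh.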
-
BANDELA Siri Chandana • 1,390 Reputation points • Microsoft Vendor
2025-01-06T05:32:55.68+00:00 Hi @CheeWill
Just checking in to see if the above information was helpful. If you have any further updates on this issue, please feel free to post back. -
BANDELA Siri Chandana • 1,390 Reputation points • Microsoft Vendor
2025-01-07T04:05:30.1833333+00:00 Hi @CheeWill
Just checking in to see if the above information was helpful. If you have any further updates on this issue, please feel free to post back. -
CheeWill • 0 Reputation points
2025-01-10T10:29:05.6533333+00:00 Thank you for your response. However, your answer does not solve my problem for the following reason:
1. I am currently using the SAML 2.0 protocol to connect to Entra ID, not ADFS.
2. According to https://learn.microsoft.com/en-us/entra/identity-platform/v2-saml-bearer-assertion, SAMLv2 tokens issued by Microsoft Entra ID cannot be exchanged for OAuth 2.0 access tokens.
3. Is there a corresponding sample for https://learn.microsoft.com/en-us/entra/identity-platform/scenario-token-exchange-saml-oauth#scenario-you-have-a-saml-token-and-want-to-call-the-graph-api
-
CheeWill • 0 Reputation points
2025-01-10T10:31:21.0166667+00:00 Thank you for your response. However, your answer does not solve my problem for the following reason:
1. I am currently using the SAML 2.0 protocol to connect to Entra ID, not ADFS.
2. According to https://learn.microsoft.com/en-us/entra/identity-platform/v2-saml-bearer-assertion, SAMLv2 tokens issued by Microsoft Entra ID cannot be exchanged for Microsoft Graph access tokens.
3. Is there a corresponding sample for https://learn.microsoft.com/en-us/entra/identity-platform/scenario-token-exchange-saml-oauth#scenario-you-have-a-saml-token-and-want-to-call-the-graph-api?
-
BANDELA Siri Chandana • 1,390 Reputation points • Microsoft Vendor
2025-01-15T02:46:35.7166667+00:00 Hi @CheeWill
Users get authenticated to Entra ID through access token whenever you login into windows.
Follow the document: https://learn.microsoft.com/en-us/entra/identity-platform/scenario-token-exchange-saml-oauth#scenario-you-have-a-saml-token-and-want-to-call-the-graph-api
In the above document, you use the session cookie to authenticate. If a session cookie is present, then based on your request you can get SAML or OAuth access tokens, and we don't explicitly exchange the access token.
Hope this helps. Do let us know if you have any further queries.
Thanks,
B. Siri Chandana.
-
CheeWill • 0 Reputation points
2025-01-15T17:00:32.54+00:00 Thank you for your answers. I
1. Is there any Win32 API to get the Windows machine device ID for a machine that is Entra joined?
The Access Token scope parameter in all requests must be specified in one of two ways:
- Using the server’s AAD Device ID: "ms-device-service://termsrv.wvd.microsoft.com/id/<device_id>/user_impersonation", where device_id is the server’s AAD Device ID.
- Using the server’s hostname: "ms-device-service://termsrv.wvd.microsoft.com/name/<host_name>/user_impersonation", where host_name is the server’s hostname.
2. Is there any document about CloudAP? I would like to use the Access Token to log in to Windows.