Getting the V1.0 token for access token (but getting v2.0 token for id token) - Azure AD - B2B

Mathew James 26 Reputation points
2021-03-22T13:29:23.527+00:00

Scenario:-

  1. Created an App registration. Exposed permission for Graph API with scopes ["openid", "profile", "offline_access", "User.Read"].
  2. In the Authentication blade I have configured SPA (and not Web). I have changed accessTokenAcceptedVersion = 2 (instead of null).
  3. I have a React app utilizing Azure AD authentication using MSAL.js 2.0 against this Client ID and tenant ID. Passing the same scopes from the React app (in the MSAL.js AuthConfig): ["openid", "profile", "offline_access", "User.Read"].
  4. After successful sign-in, in the access token I always get the token version as 1.0 and the issuer as sts.windows.net (it also says "invalid signature" when pasted into jwt.io). Also, we get the scopes as ["openid", "profile", "email", "User.Read"].
  5. It is not matching what we passed. No idea how "email" is added and "offline_access" is deleted.
  6. For the ID token, the issuer is https://login.microsoftonline.com/{my-tenant-id}/v2.0 and the token version is 2.0.
  7. We are calling https://login.microsoftonline.com/{my-tenant-id}/v2.0/.well-known/openid-configuration

Please help me and let me know why I am not getting v2.0 tokens for access token.

Microsoft Security | Microsoft Entra | Microsoft Entra External ID
Microsoft Security | Microsoft Entra | Microsoft Entra ID
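Added example, not part of the question above and not MSAL's own code: a small Node.js script that decodes (without verifying) the two tokens MSAL returns and reports the claims that decide the behaviour described in the post. The access token's `ver`/`iss` format follows the app registration of the *resource* the token is minted for (its `aud`), not the calling SPA's accessTokenAcceptedVersion, and a token for Microsoft Graph is v1.0 with a `nonce` in its header whose signature only Graph validates, which is why a generic verifier such as jwt.io reports a signature mismatch. The tokens below are constructed samples with placeholder signatures, tenant and client IDs; `my-tenant-id`, `my-client-id` and the `contoso.example` user are assumptions for illustration.

```javascript
// Added example (not from the original post): inspect the claims of the access
// token and the ID token to see which resource each was issued for, which
// token version that implies, and how the granted scopes differ from the
// requested ones. Decoding only; no signature check is performed here.

const GRAPH_APP_ID = '00000003-0000-0000-c000-000000000000'; // Microsoft Graph resource app ID

// base64url helpers (no padding, URL-safe alphabet) as used by compact JWS.
function toB64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function fromB64url(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const pad = b64.length % 4 === 0 ? '' : '='.repeat(4 - (b64.length % 4));
  return Buffer.from(b64 + pad, 'base64').toString('utf8');
}

// Scopes the SPA requested in its MSAL config (as in the question).
const REQUESTED_SCOPES = ['openid', 'profile', 'offline_access', 'User.Read'];

// Constructed sample tokens: placeholder signatures and IDs, no real secrets.
// Shapes mirror the post: a v1.0 access token for Graph and a v2.0 ID token.
const SAMPLE_ACCESS_TOKEN = [
  toB64url({ typ: 'JWT', nonce: 'placeholder-nonce', alg: 'RS256', kid: 'placeholder-kid' }),
  toB64url({
    aud: GRAPH_APP_ID,
    iss: 'https://sts.windows.net/my-tenant-id/',
    ver: '1.0',
    scp: 'openid profile email User.Read',
    appid: 'my-client-id',
  }),
  'placeholder-signature',
].join('.');

const SAMPLE_ID_TOKEN = [
  toB64url({ typ: 'JWT', alg: 'RS256', kid: 'placeholder-kid' }),
  toB64url({
    aud: 'my-client-id',
    iss: 'https://login.microsoftonline.com/my-tenant-id/v2.0',
    ver: '2.0',
    preferred_username: 'user@contoso.example',
  }),
  'placeholder-signature',
].join('.');

// Split a compact JWS and parse header and payload; the signature is ignored.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 segments)');
  const [header, payload] = parts.slice(0, 2).map((p) => JSON.parse(fromB64url(p)));
  return { header, payload };
}

// Summarise the claims that explain the version/issuer/scope observations.
function describeToken(token) {
  const { header, payload } = decodeJwt(token);
  const isV2Issuer = /^https:\/\/login\.microsoftonline\.com\/[^/]+\/v2\.0$/.test(payload.iss || '');
  return {
    ver: payload.ver,
    aud: payload.aud,
    iss: payload.iss,
    scopes: typeof payload.scp === 'string' ? payload.scp.split(' ').filter(Boolean) : [],
    // The audience is the resource whose registration fixes the token version.
    forGraph: payload.aud === GRAPH_APP_ID,
    // v2.0 tokens carry the .../v2.0 issuer; v1.0 tokens use sts.windows.net.
    issuerMatchesVersion: (payload.ver === '2.0') === isV2Issuer,
    // Graph access tokens carry a header `nonce`; only Graph validates them.
    hasHeaderNonce: Object.prototype.hasOwnProperty.call(header, 'nonce'),
  };
}

// Diff requested vs. granted scopes (e.g. offline_access dropped, email added).
function compareScopes(requested, granted) {
  const req = new Set(requested);
  const got = new Set(granted);
  return {
    missing: requested.filter((s) => !got.has(s)),
    extra: granted.filter((s) => !req.has(s)),
  };
}

console.log('access token', describeToken(SAMPLE_ACCESS_TOKEN));
console.log('ID token', describeToken(SAMPLE_ID_TOKEN));
console.log('scope diff', compareScopes(REQUESTED_SCOPES, describeToken(SAMPLE_ACCESS_TOKEN).scopes));
```

Run it with `node` against a real token by replacing the constructed samples with the strings from `acquireTokenSilent`'s result; `forGraph: true` together with `hasHeaderNonce: true` is the signature of a Graph access token, which stays v1.0 regardless of the SPA's own manifest setting and should be passed to Graph rather than validated by the client.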