Implicitly getting access token for app1 using app2 resource in Azure active directory

Question

Implicitly getting access token for app1 using app2 resource in Azure active directory

Kapil, A (Apurva) 21

Hello,

While developing Application based OAuth flow, we identify that application1 can request access token for another application2 using resource id(application id) implicitly.

However this shouldn't be a case there should be a proper access mechanism for application1 to request access token for application2.

Current Scenarios:

Provider creates an application(Application2) in AAD and adds app roles.

Consumer creates an application(Application1) in AAD and use Application2's application id to get a access token.

Output:

Application1 receives an access token with no app-roles.

Desired output:

Application1 shouldn't be able to generate token for application2 , since it doesn't have access to application2.

Kapil, A (Apurva) 21 Reputation points

2021-05-18T10:49:22.153+00:00

@AmanpreetSingh-MSFT or any other MSFT AD team member has any remarks on it ?
AmanpreetSingh-MSFT 56,866 Reputation points Moderator

2021-05-20T09:27:04.42+00:00
Hi @Kapil, A (Apurva) · Thank you for reaching out.

Could you please provide below information, so that I can assist you on this issue:

Application1 and Application 2 both are registered in the same tenant or not?

Is the Application2 or it's scopes are added to the API Permissions blade of Application1?

Are you using V1 or V2 endpoint for authentication?

Please share your authentication request (hiding any confidential information).
Kapil, A (Apurva) 21 Reputation points

2021-05-20T13:15:37.953+00:00
Hi @AmanpreetSingh-MSFT ,

Thanks for replying. please find the inline requested information.

Application1 and Application 2 both are registered in the same tenant or not? ---- Yes

Is the Application2 or it's scopes are added to the API Permissions blade of Application1? ---- "NO"

Are you using V1 or V2 endpoint for authentication? ------ Tried Both V1 and V2 same response, intent to use V2.

Please share your authentication request (hiding any confidential information).

curl -s -H "Content-Type: application/x-www-form-urlencoded" \
-XPOST https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token \
-d "client_id=CLIENT_ID_OF_APP1
&client_secret=CLIENT_SECRET_OF_APP1
&grant_type=client_credentials&scope=APPLICATION_ID_OF_APP2/.default

Accepted answer

0 additional answers

Your answer

Kapil, A (Apurva) 21 Reputation points

2021-05-18T10:49:22.153+00:00

@AmanpreetSingh-MSFT or any other MSFT AD team member has any remarks on it ?
AmanpreetSingh-MSFT 56,866 Reputation points Moderator

2021-05-20T09:27:04.42+00:00

Hi @Kapil, A (Apurva) · Thank you for reaching out.

Could you please provide below information, so that I can assist you on this issue:

Application1 and Application 2 both are registered in the same tenant or not?

Is the Application2 or it's scopes are added to the API Permissions blade of Application1?

Are you using V1 or V2 endpoint for authentication?

Please share your authentication request (hiding any confidential information).
Kapil, A (Apurva) 21 Reputation points

2021-05-20T13:15:37.953+00:00

Hi @AmanpreetSingh-MSFT ,

Thanks for replying. please find the inline requested information.

Application1 and Application 2 both are registered in the same tenant or not? ---- Yes

Is the Application2 or it's scopes are added to the API Permissions blade of Application1? ---- "NO"

Are you using V1 or V2 endpoint for authentication? ------ Tried Both V1 and V2 same response, intent to use V2.

Please share your authentication request (hiding any confidential information).

curl -s -H "Content-Type: application/x-www-form-urlencoded" \
-XPOST https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token \
-d "client_id=CLIENT_ID_OF_APP1
&client_secret=CLIENT_SECRET_OF_APP1
&grant_type=client_credentials&scope=APPLICATION_ID_OF_APP2/.default

Answer 1

AmanpreetSingh-MSFT 56,866 Moderator

Hi @Kapil, A (Apurva) · Thank you for sharing required information.

As you have mentioned in your current scenario, Provider creates an application(Application2) in AAD and adds app roles. The purpose of app roles is to perform authorization, and based on app role(s) in the token, required access can be granted. E.g., In your case application2 must be configured to authorize read access if the value of Roles claim is read in the token acquired and presented by Application1 and write access if the value of roles claim is write, for instance.

You can acquire a token with scope APPLICATION_ID_OF_APP2/.default but it will include Roles claim and Application2 needs to be configured to return HTTP Forbidden or Unauthorized, if Roles claim is not present in the token. A token without roles claim should be of no use.

In order to get a token with Roles claim, the App Roles defined in the Application2, must be added as application permissions under API permissions blade of Application1 and admin consent must be granted.

Read More: https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps

Hope that helps clarifying your doubt.

-----------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Kapil, A (Apurva) 21 Reputation points

2021-05-21T09:21:39.507+00:00

Thanks @AmanpreetSingh-MSFT for prompt response.

I understand how the app roles work in AAD Thanks for referring that, however this default behaviour a bit unexpected. If you see the roles claim added by AAD are specific to Azure AD and there are applications which might not be able to check the roles (as it's not JWT standard info but custom to AAD).
for e.g.

Application1 was able to get the token and if you decode the token you will find audience field as APPLICATION_ID_OF_APP2. Most of the Applications checks Audience field(AUD in JWT) by default. thus this token seems valid for APPLICATION2 resource.

So the point is, can we make any change in Application2's manifest file to stop application1 getting the token itself ? I assume it's a default behaviour but there should be way to customize it if provider(application2) wants to restrict tokens creation for other applications.
AmanpreetSingh-MSFT 56,866 Reputation points Moderator

2021-05-21T13:38:56.687+00:00

Hi @Kapil, A (Apurva) · In this case, you can restrict token issuance by requiring user assignment in the service principal properties.

Azure AD > Enterprise Applications > App2 > Properties > User assignment required : YES

Once this is set, App1 can acquire token for App2 only when scope(s) of App2 are added to API permissions blade of App1 and admin consent is granted.
AmanpreetSingh-MSFT 56,866 Reputation points Moderator

2021-05-24T13:26:59.55+00:00

Hi @Kapil, A (Apurva) · Just checking if you had a chance to test it out.
Kapil, A (Apurva) 21 Reputation points

2021-05-25T07:40:26.003+00:00

Hi @AmanpreetSingh-MSFT ,

Indeed that's what i was looking for. It worked.

Thanks for your support.

Share via

Implicitly getting access token for app1 using app2 resource in Azure active directory

0 additional answers

Your answer