I am using postman authorization 2.0 to fetch access and Id token. I am getting both id_token and accessToken using grant type authorization code in postman. There are below two issues I am facing Problem is when I am parsing access token in jwt.io it says invalid signature. And for id_token I am getting roles and other information but I am not getting oid(user object id) in it. All these are working fine in my SPA(single page application). I am getting Idtoken with oid and access token has valid signature. Postman Configuration: AppRegistrationConfiguration: Can you please suggest ? Regards Surinder

Hi @Surinder Singh , Thanks for reaching out. I understand you are not getting "oid claim" when you are retrieving the access token using postman. As mentioned in your screenshot, only scope requested by you is openid . To get the "oid claim" in the access token, will also need to request for profile scope. As documented here , "Because the oid allows multiple apps to correlate principals, the profile scope is required in order to receive this claim for users." Also, there might be chance you are passing profile scope in your application and missed the same in postman due to which you are getting different results. Hope this will help. Please remember to " Accept Answer " if answer helped you. Thanks, Shweta

Id_Token does not have oid information when generating thourgh postman otherwise in our application we are getting it

Accepted answer

Shweta Mathur 27,141 Reputation points Microsoft Employee

2022-04-25T04:47:06.247+00:00

Hi @Surinder Singh ,

Thanks for reaching out.

I understand you are not getting "oid claim" when you are retrieving the access token using postman.

As mentioned in your screenshot, only scope requested by you is openid. To get the "oid claim" in the access token, will also need to request for profile scope.

As documented here,

"Because the oid allows multiple apps to correlate principals, the profile scope is required in order to receive this claim for users."

Also, there might be chance you are passing profile scope in your application and missed the same in postman due to which you are getting different results.

Hope this will help.

Please remember to "Accept Answer" if answer helped you.

Thanks,
Shweta
Please sign in to rate this answer.

2 people found this answer helpful.
Surinder Singh 26 Reputation points

2022-04-25T07:56:54.677+00:00

Thanks Shweta. After adding profile scope Id_token part is working fine.

But can you please also suggest for the second part of my query regarding bearer token which is giving invalid signature on parsing it.

Shweta Mathur 27,141 Reputation points Microsoft Employee

2022-04-25T08:22:11.313+00:00

@ SurinderSingh-6156,

Apologies for missing that query at first place. Did you try to parse the access token using jwt.ms?

To Verify the JWT token:

Verify that the JWT contains three segments, separated by two period ('.') characters.

Parse the JWT to extract its three components. The first segment is the Header, the second is the Payload, and the third is the Signature. Each segment is base64url encoded.

Signature contains the digital signature of the token that was generated by Azure AD’s private key and verify that the token was signed by the sender.

To validate the authenticity of the JWT token’s data is by using Azure AD’s public key to verify the signature.
You can obtain public key by calling the public Azure AD OpenID configuration endpoint: https://login.microsoftonline.com/{tenant_id}/discovery/keys?appid={client_id} and verify against the kid(keyId) in private key generated by Azure AD token.

If it works, you know the contents were signed with the private key. If not, you can’t be sure of it so you should treat the JWT token as an invalid token.

Hope this will help.

Surinder Singh 26 Reputation points

2022-04-25T23:27:03.193+00:00

@Shweta Mathur

Thanks for quick reply.

I am parsing token in jwt.io. Even when I am passing that token to api call then I am getting 401 error.
Actually when I am fetching bearer token using auth 2.0 mentioned in my first attachment only then invalid signature is coming.

If I am fetching bearer token using other way in postman then I am not getting invalid signature. Other way to fetch bearer token is below

Shweta Mathur 27,141 Reputation points Microsoft Employee

2022-04-26T17:21:04.617+00:00

As per the screeshots attached, In first screenshot you are using authorization grant code flow to get the access token and in later you are using client credentials flow to get the access token. Both the flows will provide the access token which can be verified using jwt.ms, but both have different request parameters to get the access token.

Authorization Grant Code Flow - https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow

Client Credential Flow -https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow

Could you please verify the request parameters you are passing to get access token using authorization code flow?

Thanks,
Shweta

Surinder Singh 26 Reputation points

2022-04-27T08:47:03.513+00:00

Hi Shweta,

I have verified the request parameter and found both are according to article only. What could be the reason for invalid signature while retrieving using auth 2.0 in postman. Please see below attached screenshot on parsing jwt.io and jwt.ms

jwt.io

jwt.ms

Shweta Mathur 27,141 Reputation points Microsoft Employee

2022-04-27T09:04:22.363+00:00

As I can see, you are able to parse the token successfully. Is above access token retrieved from v2 endpoint?
Where exactly you are getting invalid signature. Could you please confirm the exact error message as well for further troubleshooting?

Did you try the same client credential flow which is working for v1 endpoint with v2 endpoint (https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token)

You need to replace resource parameter with scope https://graph.microsoft.com/.default to get token for Microsoft Graph API.

Surinder Singh 26 Reputation points

2022-04-27T09:55:31.753+00:00

Yes above token is retrieved from v2 endpoint. I am parsing this token in jwt.io then I can see invalid signature.
I used client credential flow in v2 by replacing resource parameter with scope (https://graph.microsoft.com/.default) and retrieved token but when I parsed this still I got invalid signature.

Shweta Mathur 27,141 Reputation points Microsoft Employee

2022-04-27T10:42:58.88+00:00

There doesn't seem any issue with the token as you are able to parse the token successfully using jwt.ms.

Even I tried to parse the valid token using jwt.io and getting invalid signature. There seems to be issue at jwt.io to validate the signature of token generated by Azure AD.

We recommend using jwt.ms to decode the token generated by Azure AD.

Surinder Singh 26 Reputation points

2022-04-27T10:47:49.757+00:00

But when I am using this token which is retrieved using v2 to call our API then I am getting 401.
On the other hand if I am using token generated from v1 then I am not getting 401 error.

Shweta Mathur 27,141 Reputation points Microsoft Employee

2022-04-27T11:10:18.73+00:00

401 is for unauthorized requests. You are getting unauthorized requests because you do not have valid scopes in your access token to call API.

Are you using this access token to call Graph API?

For client credential flow, application permissions should be granted by admin rather than delegated permissions.

Surinder Singh 26 Reputation points

2022-04-27T12:38:58.657+00:00

We have some API exposed in our project. We need accessToken and Id_token in request header for authentication and authorization for the api.
AccessToken generated using v1 passing in does not get any permission error from API. But when I am passing accessToken generated using v2 then I am getting 401 errror.

Shweta Mathur 27,141 Reputation points Microsoft Employee

2022-04-30T03:08:44.097+00:00

It seems to be the audience is not valid and unauthorized you for using the token for your API.

Could you please Accept the answer to your original question and raise new thread describing this new issue.

Thanks,
Shweta

Surinder Singh 26 Reputation points

2022-05-12T10:05:09.597+00:00

Thank Shweta
Sign in to comment

Id_Token does not have oid information when generating thourgh postman otherwise in our application we are getting it

0 additional answers