Question (asked by SurinderSingh-6156)

Id_Token does not have oid information when generated through Postman, otherwise in our application we are getting it

I am using OAuth 2.0 authorization in Postman to fetch the access and ID token. I am getting both id_token and accessToken using grant type authorization code in Postman. There are two issues I am facing, below:

Problem is when I am parsing the access token in jwt.io it says invalid signature.

And for id_token I am getting roles and other information but I am not getting oid (user object id) in it.

All these are working fine in my SPA (single page application). I am getting the ID token with oid and the access token has a valid signature.

Postman configuration: [attachment 195901-postmanconfiguration.jpg]

App registration configuration: [attachment 195867-appregistrationconfig.jpg]

Can you please suggest ?

Regards
Surinder


Tags: azure-ad-authentication

Hi @SurinderSingh-6156

In order to help you, we require more information.

Share the screenshot of the configuration of your App Registration, and part of your code.

Getting that information may help you (and me) to understand the current situation.

Carlos Solís Salazar


NOTE: To answer you as quickly as possible, please mention me in your reply.



Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.



1 Answer

ShwetaMathur answered:

Hi @SurinderSingh-6156,

Thanks for reaching out.

I understand you are not getting the "oid claim" when you are retrieving the access token using Postman.

As mentioned in your screenshot, the only scope requested by you is openid. To get the "oid claim" in the access token, you will also need to request the profile scope.

As documented here,

"Because the oid allows multiple apps to correlate principals, the profile scope is required in order to receive this claim for users."

Also, there might be a chance that you are passing the profile scope in your application and missed the same in Postman, due to which you are getting different results.

Hope this will help.

Please remember to "Accept Answer" if answer helped you.

Thanks,
Shweta



Thanks Shweta

Thanks Shweta. After adding the profile scope, the Id_token part is working fine.

But can you please also suggest for the second part of my query regarding the bearer token, which is giving an invalid signature on parsing it?


ShwetaMathur commented:

@SurinderSingh-6156,

Apologies for missing that query in the first place. Did you try to parse the access token using jwt.ms?

To verify the JWT token:

Verify that the JWT contains three segments, separated by two period ('.') characters.

Parse the JWT to extract its three components. The first segment is the Header, the second is the Payload, and the third is the Signature. Each segment is base64url encoded.

The Signature segment contains the digital signature of the token, which was generated with Azure AD's private key, and verifies that the token was signed by the sender.

To validate the authenticity of the JWT token's data, use Azure AD's public key to verify the signature.
You can obtain the public key by calling the public Azure AD OpenID configuration endpoint: https://login.microsoftonline.com/{tenant_id}/discovery/keys?appid={client_id} and verify it against the kid (keyId) in the token generated by Azure AD.

If it works, you know the contents were signed with the private key. If not, you can't be sure of it, so you should treat the JWT token as an invalid token.

Hope this will help.


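The verification procedure in the comment above, carried through in code. This is an added example, not code from the thread or from Microsoft: it splits the compact token into its three base64url segments, reads `kid` from the header segment (that is where the key ID lives, not in the private key), finds the matching RSA key in a JWKS document of the shape the `discovery/keys` endpoint returns, and checks the RS256 (RSASSA-PKCS1-v1_5 with SHA-256) signature. To run offline it generates a throwaway RSA key in pure Python and builds a constructed JWKS, issuer, audience and oid; in real use you would fetch the JWKS from the discovery URL in the comment, and a production validator would use a vetted library and also check `iss`, `aud`, `exp` and `nbf`.

```python
import base64, hashlib, hmac, json, random, secrets

# base64url as used by JWS (RFC 7515): no '=' padding on the wire.
def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# Minimal RSA so the example needs no third-party library. Demo-sized
# 1024-bit key; real Azure AD signing keys are 2048-bit RSA.
def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin primality test (probabilistic, fine for a demo key)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, full width
        if _is_probable_prime(candidate):
            return candidate

def make_rsa_key(bits: int = 1024) -> dict:
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}

# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2, note 1).
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _emsa_pkcs1_v15(msg: bytes, k: int) -> bytes:
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(key: dict, msg: bytes) -> bytes:
    k = (key["n"].bit_length() + 7) // 8
    em = int.from_bytes(_emsa_pkcs1_v15(msg, k), "big")
    return pow(em, key["d"], key["n"]).to_bytes(k, "big")

def rs256_verify(n: int, e: int, msg: bytes, sig: bytes) -> bool:
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v15(msg, k))  # constant-time compare

def to_jwk(key: dict, kid: str) -> dict:
    """Public half of the key in the shape a JWKS (discovery/keys) document uses."""
    be = lambda i: b64url_encode(i.to_bytes((i.bit_length() + 7) // 8, "big"))
    return {"kty": "RSA", "use": "sig", "kid": kid, "n": be(key["n"]), "e": be(key["e"])}

def make_jwt(key: dict, kid: str, claims: dict) -> str:
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc({"typ": "JWT", "alg": "RS256", "kid": kid}) + "." + enc(claims)
    return signing_input + "." + b64url_encode(rs256_sign(key, signing_input.encode()))

def verify_jwt(token: str, jwks: dict) -> dict:
    """Return the verified claims, or raise ValueError saying why the token is invalid."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a JWS compact token has exactly three '.'-separated segments")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") != "RS256":  # never let the token choose a weaker algorithm
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    kid = header.get("kid")  # key ID is in the header, matched against the JWKS
    jwk = next((k for k in jwks["keys"] if k.get("kty") == "RSA" and k.get("kid") == kid), None)
    if jwk is None:
        raise ValueError(f"no key with kid {kid!r} in JWKS; refresh the discovery document")
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    if not rs256_verify(n, e, (parts[0] + "." + parts[1]).encode(), b64url_decode(parts[2])):
        raise ValueError("invalid signature")
    return json.loads(b64url_decode(parts[1]))

# Constructed demo data: hypothetical tenant, audience and oid, throwaway key.
TENANT_KEY = make_rsa_key()
JWKS = {"keys": [to_jwk(TENANT_KEY, "demo-kid-1")]}
CLAIMS = {"iss": "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0",
          "aud": "api://example-api", "oid": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
          "scp": "access_as_user"}
TOKEN = make_jwt(TENANT_KEY, "demo-kid-1", CLAIMS)

def demo() -> tuple:
    """(genuine token accepted, token with an edited oid rejected)."""
    genuine_ok = verify_jwt(TOKEN, JWKS)["oid"] == CLAIMS["oid"]
    h, _, s = TOKEN.split(".")  # keep header and signature, swap the payload
    edited = dict(CLAIMS, oid="00000000-0000-0000-0000-000000000000")
    tampered = h + "." + b64url_encode(json.dumps(edited).encode()) + "." + s
    try:
        verify_jwt(tampered, JWKS)
        tampered_rejected = False
    except ValueError:
        tampered_rejected = True
    return genuine_ok, tampered_rejected

if __name__ == "__main__":
    print(demo())
```

The tampered case is what jwt.io's "Invalid Signature" banner means: the header and payload decode fine, but the signature does not match them under the key you supplied. The same check fails, legitimately, when the wrong key is used, so a token that fails here is either altered or being verified against a key (or tenant) it was not issued under.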

@ShwetaMathur

Thanks for quick reply.

I am parsing the token in jwt.io. Even when I am passing that token to the API call, I am getting a 401 error.
Actually, only when I am fetching the bearer token using OAuth 2.0 as mentioned in my first attachment is the invalid signature coming.

If I am fetching the bearer token in another way in Postman then I am not getting an invalid signature. The other way to fetch the bearer token is below:
[attachment 196386-accesstokenpostman.png]

