id_token is malformed when calling refresh token

1
votes

As part of our Azure API Management set up we are using oAuth 2.0 combined with Active Directory.

we are using the id_token (JWT) to authenticate, which is working well.

we can request an id_token via the redirect url (microsoft login) and this token can be used to call our API successfully (validated again our API policy).

The problem occurs when we want to refresh the token.

We follow this process: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-code#refreshing-the-access-tokens

Refresh Token Request

As you can see, i get an id_token back (because the scope openid is passed) but the problem is, the id_token is malformed.

Instead of making up of 3 parts e.g. AAAA.BBBB.CCCC

The id_token returned, only has 2 parts (missing the signature) e.g. AAAA.BBBB.

when using this id_token to authenticate, it obviously fails :(

1
azureoauth-2.0azure-api-management

1 Answers

2
votes

I'm not sure why the id_token only has two parts but isn't it the access token that you should be sending to authorize requests? Perhaps the id_token was working earlier because it was signed by the proper authorization server but should have been the access token all along? It's the access token that's supposed to be refreshed after all.

I assume you sent "offline_access" as one of your scopes when you originally got your valid id_token, access_token, and refresh_token or you shouldn't have received an refresh_token. https://www.rfc-editor.org/rfc/rfc6749#section-6 says that if you provide a scope on the refresh request, your access token shouldn't be limited to the scope(s) provided in the refresh request. The openid connect spec (http://openid.net/specs/openid-connect-core-1_0.html#RefreshTokenResponse) says that a refresh request is like the token request except it "might not contain an id_token". It seems to me that all bets are off when it comes to expecting the id_token in the refresh response unless it's an implementation-specific feature in Azure.

Update From https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code#refresh-the-access-token

"id_token--An unsigned JSON Web Token (JWT). The app can base64Url decode the segments of this token to request information about the user who signed in. The app can cache the values and display them, but it should not rely on them for any authorization or security boundaries. For more information about id_tokens see the v2.0 endpoint token reference."

Notice it's unsigned. That's your missing third part of the jwt.