Is it possible to only get an id_token from AAD? I have a really simple situation where my angular app needs to have the username of the user, and my api layer is wide open.
I thought I could set my clientid and resource to the clientId of my angular app in AAD but I'm getting a :
"AADSTS65005 Invalid resource. The client has requested access to a resource which is not listed in the requested permissions in the client application registration"
This is in the implicit grant flow.
---EDIT
For example if i send this initial redirect to initiate the implicit grant:
https://login.microsoftonline.com/{{MY-TENANT-HERE}}/oauth2/authorize?response_type={{id_token}}&client_id={{CLIENTID-HERE}}&state={{STATE-HERE}}&redirect_uri={{REDIRECTURI-HERE}}&scope={{openid profile email}}&nonce={{nonce-here}}&resource={{CLIENTID-HERE}}
produces this:
"AADSTS65005 Invalid resource. The client has requested access to a resource which is not listed in the requested permissions in the client application registration"
If I don't send a resource (IE the following request):
https://login.microsoftonline.com/{{MY-TENANT-HERE}}/oauth2/authorize?response_type={{id_token}}&client_id={{CLIENTID-HERE}}&state={{STATE-HERE}}&redirect_uri={{REDIRECTURI-HERE}}&scope{{openid profile email}}&nonce={{nonce-here}}
I get a message that says resource is required. So my question is, say I have no backend, but my front end needs to know who the user is, how is that supported in AAD?
response_type=id_token
, which will work since you have implicit grant enabled. I guess you are trying to get it with e.g. ADAL.JS's getAccessToken function? – juunas