0
votes

I am using the Azure AD v1 endpoint to authorize my web app.

On initial authentication, I am not getting access_token as a valid JWT token. However, I am getting id_token as a valid JWT and the access_token as the value of refresh_token, which appears strange.


I can call my Web API using id_token as bearer token. All good.

Now, when id_token is expired, I am using my refresh_token to send the following refresh token request. I am getting an unsigned id_token as the response. Since the new id_token is unsigned, I am not able to access the Web API using it. Am I missing something?

POST /token HTTP/1.1
Host: {authority}
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&
client_id=mvc&
client_secret=secret&
refresh_token=AQABAAAAAADX8GCi6J
&scope=openid%20profile%20offline_access

I am using the following startup configuration to set up authentication:

    using System;
    using Microsoft.AspNetCore.Authentication.Cookies;
    using Microsoft.AspNetCore.Authentication.OpenIdConnect;
    using Microsoft.Extensions.DependencyInjection;

    // Startup.ConfigureServices: cookie session for the MVC app, OpenID Connect against the AAD v1 endpoint
    services.AddAuthentication(options =>
    {
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddCookie(options =>
    {
        options.ExpireTimeSpan = TimeSpan.FromSeconds(1000);
        options.Cookie.Name = "mvcapplication";
    })
    // Lambda parameter renamed from "option" to "options" so the body below compiles
    .AddOpenIdConnect(options =>
    {
        options.Authority = "{aad v1 endpoint}";
        options.ClientId = "mvc";
        options.ClientSecret = "secret";
        options.ResponseType = "code id_token";
        options.ResponseMode = "form_post";
        options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme; // "Cookies"
        options.CallbackPath = "/Home/Index/";
        options.RequireHttpsMetadata = false;
        options.SaveTokens = true;                      // keeps id_token/access_token/refresh_token in the auth ticket
        options.GetClaimsFromUserInfoEndpoint = true;

        // Default scopes
        options.Scope.Add("openid");
        options.Scope.Add("profile");
        options.Scope.Add("offline_access");
    });
Well, you should be using an access token to call an API :) - juunas
@juunas I get a valid access_token when commenting out the GetClaimsFromUserInfoEndpoint property - NewtonCode
You answered your own question just now :) The JWT Bearer options' audience should be the client id of the API. If you set it to be the client id of the Web App, it will only accept id tokens given to the Web App, and you essentially share the app identity. - juunas
When you configure the Audience/ValidAudience/ValidAudiences in the API's JWT options, that configures validation that checks that the aud claim in the token matches what is configured. If it does not, you get a 401. - juunas
@juunas Perfect... I understand my mistake now... Thanks a lot!! - NewtonCode

1 Answer

1
votes

To sum up the discussion in the comments:

  • Use the client id/application id or Application ID URI of the API as the resource when acquiring access tokens
  • Configure the API to accept one or both of the above as valid audience
  • Removing GetClaimsFromUserInfoEndpoint gave a valid access token

You can check more information on setting up Azure AD authentication in ASP.NET Core MVC (2.0) app here: https://joonasw.net/view/aspnet-core-2-azure-ad-authentication.

You can also find a sample app here: https://github.com/juunas11/aspnetcore2aadauth
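The two sides of the audience fix summarized above, as an added example (not code from the question, the answer, or the linked sample): the API's JWT bearer validation accepts the API's own Application ID URI or client id as `aud`, and the web app asks the v1 endpoint for an access token for that API via `OpenIdConnectOptions.Resource`. All tenant, client id and App ID URI values are placeholders; the class names `ApiStartup` and `WebAppStartup` are assumed, not from the page.

```csharp
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

// Placeholder registration values (assumed, not from the page); replace with the tenant's own.
static class AadV1Placeholders
{
    public const string TenantId = "{tenant-id}";
    public const string Authority = "https://login.microsoftonline.com/" + TenantId; // v1 authority
    public const string Issuer = "https://sts.windows.net/" + TenantId + "/";         // v1 issuer
    public const string ApiClientId = "{api-client-id}";                              // API app registration
    public const string ApiAppIdUri = "https://{tenant}.onmicrosoft.com/{api-name}";  // API App ID URI
    public const string WebAppClientId = "{web-app-client-id}";                       // MVC app registration
}

// --- Web API side: validate the bearer token's audience against the API's identity, not the web app's.
public class ApiStartup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.Authority = AadV1Placeholders.Authority;
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    // aud must match one of these; an id_token issued to the web app (aud = web app
                    // client id) fails here with 401, which is the behaviour the comments describe.
                    ValidateAudience = true,
                    ValidAudiences = new[] { AadV1Placeholders.ApiAppIdUri, AadV1Placeholders.ApiClientId },
                    ValidateIssuer = true,
                    ValidIssuer = AadV1Placeholders.Issuer,
                    ValidateLifetime = true,
                    ValidateIssuerSigningKey = true, // keys come from the authority's discovery document
                };
            });
    }
}

// --- Web app side: request a token whose aud is the API, so the API's check above passes.
public class WebAppStartup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(options =>
        {
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie()
        .AddOpenIdConnect(options =>
        {
            options.Authority = AadV1Placeholders.Authority;
            options.ClientId = AadV1Placeholders.WebAppClientId;
            options.ClientSecret = "{web-app-secret}"; // placeholder; load from configuration or a secret store
            options.ResponseType = "code id_token";
            options.ResponseMode = "form_post";
            options.SaveTokens = true;
            // v1 endpoint: "resource" selects which API the access token is minted for (assumed usage).
            options.Resource = AadV1Placeholders.ApiAppIdUri;
            options.Scope.Add("openid");
            options.Scope.Add("profile");
            options.Scope.Add("offline_access");
        });
    }
}
```

A quick check once this is wired up: decode (without trusting) the `access_token` saved in the auth ticket and confirm its `aud` claim equals the API's App ID URI or client id; if it still carries the web app's client id, the resource is not being sent, and the API's audience validation will keep returning 401 until it is.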