1
votes

Wonder if someone can clarify this for me.
I'm using ADAL.js to log in to an Angular 7 application via the implicit flow. This works by sending response_type=id_token. What happens with this response type is that the authorization endpoint is hit and I should get back an ID token.

However, I appear to be getting a bearer token back; the Azure Microsoft login redirects me to http://localhost:4200/#access_token=xxxxxxxx&token_type=Bearer

What I was expecting was that the token returned would be an ID token, not a bearer token. It does behave correctly like a bearer token when I call the back-end APIs.

ADAL.js doesn't appear to let me request "id_token token".

I'm sorry, I started reading the spec and it's confused my understanding of an application that's working, but I'd certainly appreciate it if someone could shed a little light on what Azure actually does with its implicit flow; it only mentions id_token in the docs and makes no reference to the 'id_token token' response type.

If anything, Azure AD appears to be more in line with response_type=token.

Thanks in advance, Brian

1
Does your request include the parameter scope=openid? You already mention that you are sending response_type=id_token, so that looks fine. I am referring to these two links from Microsoft Docs: docs.microsoft.com/en-us/azure/active-directory/develop/… and docs.microsoft.com/en-us/azure/active-directory/develop/… They do mention that id_token can be obtained when using OpenID Connect. – Rohit Saigal

Fantastic, I didn't stumble across that info. The ADAL JS is used for Azure AD 1.0, which uses resource, not scope, to identify the secured resource that the access token can be used to access. I can change to the Azure AD 2.0 endpoint and use MSAL JS instead. And in the v2.0 endpoint, it uses scope to support the dynamic permission request. Thanks ever so much for the correct answer! – brianbruff

Thanks again @RohitSaigal, the MSAL library did the trick for me. Extract of the HTTP response from the authorization endpoint: token_type=Bearer&id_token=eyJhbGciO.................... – brianbruff

You're very welcome! I'm glad to hear that your issue got resolved. I've added the information from our comments with a little more explanation in an answer. – Rohit Saigal

1 Answer

2
votes

Azure AD V2.0 Endpoint

Microsoft Docs: v2.0 Protocols - SPAs using the implicit flow

It clearly mentions that for OpenId Connect,

  • the request must include response_type=id_token (which you're already sending)
  • scope=openid, which was probably missing and got resolved after implementing the flow using the MSAL library (as described by @brianbruff in the comments)
  • Also, Allow Implicit Flow should be enabled for the App registration.


Sample request from docs

// Line breaks for legibility only

https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&response_type=id_token
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&scope=openid
&response_mode=fragment
&state=12345
&nonce=678910

Azure AD V1.0 Endpoint

Microsoft Docs: Understanding the OAuth2 implicit grant flow in Azure Active Directory (AD)

Even here, documentation clearly says that id_token can be obtained when using OpenID Connect.


I must say, though, that I am not completely sure of the recommended/correct implementation to get id_token in the case of the implicit grant flow with v1.0 yet. (At least @brianbruff is able to use v2.0 and resolve his problem.)

I see that another Microsoft Docs link for OpenID Connect with v1.0 (but not the implicit grant flow) mentions the usage of scope=openid. Although, right at the bottom of this page, I see open issues where users contradict the documentation in some way and have given feedback specifically for the implicit grant flow.


Issue 17140

Issue 19382