OAuth with Azure AD v2.0: Missing at_hash claim in Azure AD v2.0 id_token


According to the Azure AD documentation, an Azure AD v2.0 id_token should contain an access token hash, the at_hash claim, when the id_token is issued together with an access token.

However, the at_hash claim appears to be missing from the id_token. After requesting an access token from the Azure AD v2.0 token endpoint https://login.microsoftonline.com/{my_tenant}/oauth2/v2.0/token, the id_token returned by Azure does not contain an at_hash claim, although an access token was issued.

Example of the response body returned by Azure AD v2.0:

    {
      "token_type": "bearer",
      "scope": "user.read",
      "expires_in": 3599,
      "ext_expires_in": 0,
      "access_token": "eyj0exaio ...",
      "refresh_token": "oaqabaaaaaaa9ktklh ...",
      "id_token": "eyj0exaioijkv1qilc ..."
    }

The id_token contained the following claims; it did not contain an at_hash claim:

    {
      "aud": "... guid ... ",
      "iss": "https://login.microsoftonline.com/.../v2.0",
      "iat": 1502324474,
      "nbf": 1502324474,
      "exp": 1502328374,
      "aio": "atqa ... 7liw+hb",
      "name": "... name ... ",
      "nonce": "... guid ...",
      "oid": "... guid ...",
      "preferred_username": "... preferred name ...",
      "sub": "kiulx ... ifcazuui3b",
      "tid": "... guid ...",
      "ver": "2.0"
    }

Based on the request above, you are using the authorization code flow. It seems the claim is not issued in that flow. The claim is issued when requesting with the implicit flow, as in the request below:

    POST: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
      response_type=token+id_token
      &client_id={client_id}
      &redirect_uri={redirect_uri}
      &scope=openid+mail.read
      &state=123
      &nonce=456
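The practical question for a relying party is what to do with the at_hash claim when it is present and when it is absent. OpenID Connect Core defines at_hash as the base64url encoding of the left half of the hash of the access token's ASCII bytes, using the hash function of the id_token's own signing algorithm (SHA-256 for RS256, SHA-384 for RS384, SHA-512 for RS512). The claim is mandatory only when the access token is returned from the authorization endpoint (response_type contains "token"), which is why it shows up in the implicit request above and not in the code-flow token response. The code below is an added example written for this post, not code from the original question or answer and not Microsoft's library; the access token value and the claim dictionary are constructed inputs, and the check_at_hash helper is a hypothetical name chosen for illustration.

```python
import base64
import hashlib
import hmac

# Hash function paired with each JWS signing algorithm of the id_token.
# at_hash is computed with the hash of the id_token's alg, not of the access token.
ALG_TO_HASH = {
    "RS256": hashlib.sha256, "PS256": hashlib.sha256, "ES256": hashlib.sha256, "HS256": hashlib.sha256,
    "RS384": hashlib.sha384, "PS384": hashlib.sha384, "ES384": hashlib.sha384, "HS384": hashlib.sha384,
    "RS512": hashlib.sha512, "PS512": hashlib.sha512, "ES512": hashlib.sha512, "HS512": hashlib.sha512,
}


def compute_at_hash(access_token: str, alg: str = "RS256") -> str:
    """Return the at_hash value for an access token under the given id_token alg.

    at_hash = base64url(left-most half of HASH(ASCII(access_token))), no '=' padding.
    """
    try:
        hash_fn = ALG_TO_HASH[alg]
    except KeyError:
        raise ValueError(f"unsupported id_token alg: {alg}")
    digest = hash_fn(access_token.encode("ascii")).digest()
    left_half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(left_half).rstrip(b"=").decode("ascii")


def at_hash_required(response_type: str) -> bool:
    """True when the access token came from the authorization endpoint.

    OIDC Core: at_hash is REQUIRED for implicit/hybrid responses that include an
    access token ("token" in response_type) and OPTIONAL for the code flow, where
    the access token is obtained from the token endpoint over TLS.
    """
    return "token" in response_type.split()


def check_at_hash(claims: dict, access_token: str, alg: str, response_type: str) -> str:
    """Validate the id_token's at_hash against the access token actually received.

    Returns "verified" when the claim is present and matches, "absent_optional"
    when it is missing but the flow does not require it, and raises ValueError
    when it is missing but required or present but does not match.
    (check_at_hash is a hypothetical helper name for this example.)
    """
    claimed = claims.get("at_hash")
    if claimed is None:
        if at_hash_required(response_type):
            raise ValueError("at_hash missing from id_token in a flow that requires it")
        return "absent_optional"
    expected = compute_at_hash(access_token, alg)
    # Constant-time comparison: the claim is attacker-influenced input.
    if not hmac.compare_digest(claimed, expected):
        raise ValueError("at_hash does not match the received access token")
    return "verified"


if __name__ == "__main__":
    # Constructed sample inputs (not real tokens).
    token = "constructed-access-token-value"
    id_token_claims = {"at_hash": compute_at_hash(token, "RS256"), "ver": "2.0"}
    print(check_at_hash(id_token_claims, token, "RS256", "code"))                 # verified
    print(check_at_hash({"ver": "2.0"}, token, "RS256", "code"))                  # absent_optional
    try:
        check_at_hash({"ver": "2.0"}, token, "RS256", "token id_token")
    except ValueError as err:
        print("rejected:", err)
```

The alg passed to check_at_hash must come from the verified id_token header, and the claims dictionary must come from a signature-validated id_token; at_hash only binds the access token to an id_token you already trust. For the code-flow response shown in the question, the absence of the claim is a valid "absent_optional" outcome rather than a validation failure.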
