OAuth with Azure AD v2.0: Missing at_hash claim in Azure AD v2.0 id_token
According to the Azure AD documentation, an Azure AD v2.0 id_token should contain the access token hash (the at_hash claim) when the id_token is issued together with an access token.
However, the at_hash claim appears to be missing from the id_token. After calling the Azure AD v2.0 token endpoint https://login.microsoftonline.com/{my_tenant}/oauth2/v2.0/token with an access token request, the id_token returned by Azure does not contain the at_hash claim, although an access token is issued.
Example of the response body returned by Azure AD v2.0:

    {
      "token_type": "bearer",
      "scope": "user.read",
      "expires_in": 3599,
      "ext_expires_in": 0,
      "access_token": "eyj0exaio ...",
      "refresh_token": "oaqabaaaaaaa9ktklh ...",
      "id_token": "eyj0exaioijkv1qilc ..."
    }

The id_token contained the following claims. It did not contain the at_hash claim:

    {
      "aud": "... guid ...",
      "iss": "https://login.microsoftonline.com/.../v2.0",
      "iat": 1502324474,
      "nbf": 1502324474,
      "exp": 1502328374,
      "aio": "atqa ... 7liw+hb",
      "name": "... name ...",
      "nonce": "... guid ...",
      "oid": "... guid ...",
      "preferred_username": "... preferred name ...",
      "sub": "kiulx ... ifcazuui3b",
      "tid": "... guid ...",
      "ver": "2.0"
    }
Based on the request above, you are using the authorization code flow. It seems the claim is not issued in that flow. The claim is issued when requesting with the implicit flow, as in the request below:

    post: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
      response_type=token+id_token
      &client_id={client_id}
      &redirect_uri={redirect_uri}
      &scope=openid+mail.read
      &state=123
      &nonce=456
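Added example (not code from the question or answer): a client-side check that verifies at_hash when it is present and treats its absence according to the flow, following the OIDC Core definition (left-most half of the hash named by the id_token's alg, base64url without padding). It assumes the id_token signature has already been verified elsewhere; the sample token in the comments is constructed.

```python
import base64
import hashlib
import hmac
import json

# Hash function paired with each JWS alg, as OIDC Core 3.1.3.6 requires for at_hash.
_HASH_FOR_ALG = {
    "RS256": "sha256", "ES256": "sha256", "PS256": "sha256", "HS256": "sha256",
    "RS384": "sha384", "ES384": "sha384", "PS384": "sha384", "HS384": "sha384",
    "RS512": "sha512", "ES512": "sha512", "PS512": "sha512", "HS512": "sha512",
}


def _b64url_nopad(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def compute_at_hash(access_token: str, alg: str = "RS256") -> str:
    """at_hash = base64url(left-most half of HASH(ASCII(access_token)))."""
    digest = hashlib.new(_HASH_FOR_ALG[alg], access_token.encode("ascii")).digest()
    return _b64url_nopad(digest[: len(digest) // 2])


def jwt_header_alg(id_token: str) -> str:
    """Read 'alg' from the JOSE header; assumes the signature was already verified."""
    header_b64 = id_token.split(".")[0]
    padded = header_b64 + "=" * (-len(header_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))["alg"]


def check_at_hash(claims: dict, access_token: str, alg: str, response_type: str) -> bool:
    """Return True when at_hash is acceptable for this flow.

    - authorization code flow (response_type "code"): at_hash is OPTIONAL, so
      its absence is not an error; this matches the Azure AD v2.0 behaviour above
    - implicit/hybrid flow with "token" in response_type: the id_token comes
      with an access token from the authorize endpoint, so at_hash is REQUIRED
    When at_hash is present it must always match, whatever the flow.
    """
    at_hash = claims.get("at_hash")
    if at_hash is None:
        return "token" not in response_type.split()
    expected = compute_at_hash(access_token, alg)
    return hmac.compare_digest(at_hash.encode("ascii"), expected.encode("ascii"))
```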