oauth token does not contain information about roles or scope

Time:12-29

I have created app registration in AD, created client secret and exposed the API. I have created App Role and added permissions (additional permissions to the default graph user read). I also have added a scope.

When I do the request

curl --location --request POST 'https://login.microsoftonline.com/<tenant id>/oauth2/v2.0/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=<application id>' \
--data-urlencode 'client_secret=<secret>' \
--data-urlencode 'scope=api://<application id>/.default' \
--data-urlencode 'grant_type=client_credentials'

I get the response containing access_token. However, when I decode the token, it does not contain any roles, scopes, or anything else:

{
"aud": "api://<application id>",
"iss": "https://sts.windows.net/<tenant id>/",
"iat": 1672241639,
"nbf": 1672241639,
"exp": 1672245539,
"aio": "<>",
"appid": "<application id>",
"appidacr": "1",
"idp": "https://sts.windows.net/<tenant id>/",
"oid": "<>",
"rh": "<>.",
"sub": "<>",
"tid": "<tenant id>",
"uti": "<>",
"ver": "1.0"
}

What is missing?

/oauth2/token returns a similar response:

{
    "aud": "<resource id>",
    "iss": "https://sts.windows.net/<tenant id>/",
    "iat": 1672241960,
    "nbf": 1672241960,
    "exp": 1672245860,
    "aio": "<>",
    "appid": "<application id>",
    "appidacr": "1",
    "idp": "https://sts.windows.net/<tenant id>/",
    "oid": "<>",
    "rh": "<>",
    "sub": "<>",
    "tenant_region_scope": "EU",
    "tid": "<tenant id>",
    "uti": "<>",
    "ver": "1.0",
    "xms_tdbr": "EU"
}

CodePudding user response:

I tried to reproduce the same in my environment via Postman and got the results below:

I registered one Azure AD application and created App role named READER.ALL like below:

Now I exposed one API named ReaderScope.ALL same as you like below:

Now I generated the token using Client credentials flow via Postman with below parameters:

POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token

client_id: <appID>
client_secret: <secret>
scope: api://<appID>/.default
grant_type:client_credentials

Response:

When I decoded the token, I did not find a roles claim, same as you, like below:

To get roles claim in the token, you need to add API permission like below:

Now, select Application permissions and add the App role like below:

Make sure to grant admin consent to the added permission like below:

When I generated the token again now and decoded it, I got roles claim successfully like below:

You will get only Application permissions in roles claim while using client credentials flow.

To get Delegated permissions in scp claim, you need to use interactive flows like authorization code flow etc.
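As an added example (not part of the question or the answer above), the following Python decodes an access token's payload and flags the situation the answer describes: an app-only (client credentials) token that carries no roles claim because the application permission was never assigned or admin-consented. The claim sets, the READER.ALL role and the ReaderScope.ALL scope are constructed for the demo, and the decode skips signature verification, so it is for inspection only.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_claims(token: str) -> dict:
    # Inspection only: the signature is NOT verified here. Never base an
    # authorization decision on this; validate the signature against the
    # tenant's signing keys before trusting any claim.
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))


def check_permissions(claims: dict, expected_aud: str) -> dict:
    """Summarise what the token actually authorises and why roles may be absent."""
    scp = claims.get("scp", "")
    result = {
        "aud_ok": claims.get("aud") == expected_aud,
        "roles": claims.get("roles", []),
        "scp": scp.split() if scp else [],
        # No 'scp' but an 'appid' means an app-only token, which can only carry roles.
        "app_only": "scp" not in claims and "appid" in claims,
    }
    if result["app_only"] and not result["roles"]:
        result["finding"] = "app-only token without roles: application permission not assigned or not admin-consented"
    elif result["app_only"]:
        result["finding"] = "app-only token with application permissions in roles"
    else:
        result["finding"] = "delegated token: permissions are in scp, not roles"
    return result


def make_unsigned_token(claims: dict) -> str:
    # Constructed, unsigned sample token (alg none, empty signature) for offline use only.
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed claim sets mirroring the thread: before and after assigning the app role,
# plus a delegated token for comparison (hypothetical values, not from a real tenant).
BEFORE = {"aud": "api://<application id>", "appid": "<application id>", "appidacr": "1", "ver": "1.0"}
AFTER = dict(BEFORE, roles=["READER.ALL"])
DELEGATED = {"aud": "api://<application id>", "appid": "<application id>", "scp": "ReaderScope.ALL"}

if __name__ == "__main__":
    for name, claims in (("before", BEFORE), ("after", AFTER), ("delegated", DELEGATED)):
        print(name, check_permissions(decode_claims(make_unsigned_token(claims)), "api://<application id>"))
```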
