I have an Azure AD App on my tenant that is configured to accept multiple tenants AND personal accounts.
I follow the procedure to retrieve an AccessToken as explained here: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
When I receive the "code" in my app from the Microsoft web page, I exchange it for an access token calling the endpoint "https://login.microsoftonline.com/common/oauth2/v2.0/token".
Here the behavior differs whether the user that logs in is a work account or a personal account.
With work accounts, I receive a normal JWT Token and everybody is happy: I can decode the token and read the claims.
With personal accounts, I receive a different token, which is not a JWT, and I don't have any clue how to:
- validate this token
- read some information about the user (specifically, the email of the user)
Could you please help me understand how to perform these two actions?
NOTE: I have seen the answers here: "Microsoft as OAuth2 provider for personal accounts does not issue JWT access tokens", but my case is slightly different, since I don't want to access MS Graph with this token, I just need to retrieve the email of the user.
Thanks!
cghersi
The access_token in OAuth2 is not required to be a JWT per the OAuth specification. However, Microsoft supports OpenID Connect, which provides an id_token. The id_token is always a JWT. To "upgrade" your OAuth request to an OpenID Connect request you simply have to add the scope openid (and possibly email to ensure you get an email). Then when you exchange your code for an access_token you also get an id_token.
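The two things the question asks for (validating the token and reading the user's email) are what the id_token is designed for, so here is an added Python example of the steps the answer describes: build the authorize request with the openid and email scopes, then validate the id_token's signature, issuer, audience, nonce and lifetime before reading the email claim. This is example code written for this page, not code from the original poster or from Microsoft. The client id, tenant id, nonce and timestamps are constructed placeholders, and the sample token is signed with HS256 under a constructed secret only so the example runs offline; a real Microsoft id_token is signed with RS256, and the verify_signature callback must check it against the keys published at the jwks_uri of the tenant's OpenID discovery document.

```python
"""Added example: OIDC id_token handling for the flow discussed above (not from the original post)."""
import base64
import hashlib
import hmac
import json
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com/common"  # same /common authority as the question


def build_authorize_url(client_id, redirect_uri, state, nonce):
    """Authorization request carrying the openid and email scopes the answer recommends.
    openid turns the plain OAuth2 request into an OpenID Connect request, so the token
    response contains an id_token (always a JWT) next to the possibly opaque access_token."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": "openid email profile",
        "state": state,  # CSRF binding for the redirect back to the app
        "nonce": nonce,  # echoed inside the id_token; binds the token to this request
    }
    return f"{AUTHORITY}/oauth2/v2.0/authorize?{urlencode(params)}"


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def split_jwt(token):
    """Split a compact JWS into (header, claims, signing input bytes, signature bytes)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a three-part JWS")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return header, claims, f"{parts[0]}.{parts[1]}".encode(), _b64url_decode(parts[2])


def validate_id_token(token, *, client_id, nonce, verify_signature, now, skew=300):
    """Validate the id_token and return its claims. verify_signature(header, signing_input, sig)
    must check the signature against the issuer's published keys (RS256 + JWKS for Microsoft)."""
    header, claims, signing_input, sig = split_jwt(token)
    if header.get("alg") in (None, "none"):
        raise ValueError("unsigned or alg-less token rejected")
    if not verify_signature(header, signing_input, sig):
        raise ValueError("signature check failed")
    # The v2.0 issuer is https://login.microsoftonline.com/{tid}/v2.0. With the /common
    # authority the tenant is only known from the token itself, so tie iss to the tid claim.
    if claims.get("iss") != f"https://login.microsoftonline.com/{claims.get('tid')}/v2.0":
        raise ValueError(f"unexpected issuer {claims.get('iss')!r}")
    if claims.get("aud") != client_id:
        raise ValueError("token was issued to another application")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch (possible replay)")
    if now >= claims.get("exp", 0) + skew:
        raise ValueError("token expired")
    if now < claims.get("nbf", 0) - skew:
        raise ValueError("token not yet valid")
    return claims


def user_email(claims):
    """email is present only when the email scope was granted and the account has one;
    preferred_username is the documented fallback (the login name for personal accounts)."""
    return claims.get("email") or claims.get("preferred_username")


def try_validate(token, **kwargs):
    """Return (ok, claims_or_reason) so callers need no exception handling."""
    try:
        return True, validate_id_token(token, **kwargs)
    except (ValueError, KeyError) as exc:
        return False, str(exc)


# ---- constructed offline sample (NOT a real Microsoft token) ---------------------------
# Signed with HS256 under a constructed secret so the example runs without the network; a real
# Microsoft id_token is RS256 and verify_signature must use the tenant's JWKS instead.
_DEMO_SECRET = b"constructed-demo-secret"
DEMO_CLIENT_ID = "11111111-2222-3333-4444-555555555555"  # placeholder application id
DEMO_TENANT = "66666666-7777-8888-9999-000000000000"     # placeholder tid
DEMO_NONCE = "n-0S6_WzA2Mj"
DEMO_NOW = 1_700_000_060


def _make_demo_token(claims, secret=_DEMO_SECRET):
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def demo_hs256_verifier(header, signing_input, sig):
    if header.get("alg") != "HS256":
        return False
    expected = hmac.new(_DEMO_SECRET, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


DEMO_CLAIMS = {
    "iss": f"https://login.microsoftonline.com/{DEMO_TENANT}/v2.0",
    "aud": DEMO_CLIENT_ID, "tid": DEMO_TENANT, "nonce": DEMO_NONCE,
    "iat": 1_700_000_000, "nbf": 1_700_000_000, "exp": 1_700_003_600,
    "email": "user@example.com", "preferred_username": "user@example.com",
}
DEMO_TOKEN = _make_demo_token(DEMO_CLAIMS)
# Same claims with a swapped email, signed under the wrong key: must be rejected.
TAMPERED_TOKEN = _make_demo_token({**DEMO_CLAIMS, "email": "other@example.com"}, secret=b"wrong")

if __name__ == "__main__":
    print(build_authorize_url(DEMO_CLIENT_ID, "https://app.example.com/callback", "st", DEMO_NONCE))
    ok, claims = try_validate(DEMO_TOKEN, client_id=DEMO_CLIENT_ID, nonce=DEMO_NONCE,
                              verify_signature=demo_hs256_verifier, now=DEMO_NOW)
    print(ok, user_email(claims))
```

The order of checks matters: the signature is verified before any claim is trusted, the alg header is never allowed to be "none", and the issuer is checked against the tenant in the token rather than accepted blindly, which is what makes the /common authority safe to use with both work and personal accounts.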