DEVHIDE
Login Or Sign up

Refresh id_token on Azure App Service with Easy Auth by calling the /.auth/refresh endpoint

324 Views Asked by At

I have a linux Web App on Azure (fastAPI) that currently has these responsibilites

  • serves a Single Page Application (SPA)
  • is a reverse proxy for the backend

For this API, I use the built-in authentication feature "Easy Auth".

What I currently do is the following flow:

  • User requests SPA -> is redirected to the identity provider -> authenticates himself, gets the a cookie injected into his browser and is redirected to the web app through the callback URL setup in the AAD App & gets the SPA code
  • SPA then makes requests against the protected API with the injected cookie (HTTP cookie)

Because the SPA does not call the API with a auth token (bearer token), I want to exchange the cookie for an auth token on the server (API). For this, the API uses that cookie from the request to call the /.auth/me endpoint (blob storage token store) to get more information about the user, from which it can extract the id_token or the access_token.

From here, I noticed that the id_token can be used to call to another API that is protected by the same Azure AD App through EasyAuth.

However, the id_token is sometimes expired and calling the /.auth/refresh does only refresh the access_token.

Question(s):

General question: Why can the id_token be used to access the downstream API. I thought this is the job of the access_token?.

Edit: Turns out that:

The OAuth 2.0 implicit flow in Azure AD is designed to return an ID token when the resource for which the token is being requested is the same as the client application.

Actual question: Is there a way to also refresh the id_token without needing the user to re-authenticate? Similar to calling the /.auth/refresh endpoint? Or what would be the right approach? Or am I doing things completely wrong and the SPA should just get a auth token and then make requests against the API?

Simliar questions:

azure authentication azure-active-directory azure-web-app-service easy-auth
Original Q&A
1

There are 1 best solutions below

3
On

I created an Azure AD SPA Application like below:

enter image description here

For sample, I generated ID token using Implicit flow:

https://login.microsoftonline.com/TenantID/oauth2/v2.0/authorize?
client_id=ClientID
&response_type=id_token
&redirect_uri=https://jwt.ms
&scope=scope
&response_mode=fragment
&state=12345
&nonce=678910

enter image description here

Yes, you are right @Johannes Schmidt, when a resource for which a token is the same as the client application, the OAuth 2.0 implicit flow in Azure AD is intended to return an ID token. To generate access token, modify &response_type=token.

  • When making calls to the backend API of your application, this ID token can then be used as a bearer token.

  • In most cases, the ID token is acquired during the first authentication flow and is not meant to be refreshed separately. Re-authenticate the user in order to get a new ID token, if the ID token expires.

  • You can make use of access token instead of ID token to call the APIs as access token is used for authorization and ID token is used for authentication.

  • Make use of one Azure Ad App for each app service instead of same Azure Ad app

Reference:

oauth 2.0 - Azure AD: id_token as bearer token - Stack Overflow by Imran Arshad

Related Questions in AZURE

Related Questions in AUTHENTICATION

Related Questions in AZURE-ACTIVE-DIRECTORY

Related Questions in AZURE-WEB-APP-SERVICE

Related Questions in EASY-AUTH

Trending Questions

Popular # Hahtags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Popular Questions

Copyright © 2021 Jogjafile Inc.