Understanding Azure Authorize/Token endpoints workflow with Postman

Surya Prakash Pandey
4 min readNov 4, 2020

--

Recently I had chance to configure IBM Websphere with Azure AD as authentication server using OpenID Connect protocol, while doing the configuration I have noticed that for Microsoft Graph APIs the access token is always V1.0 even on using OAuth 2.0 authorization and token endpoints. Additionally these tokens are also signed in a different way which throws “Invalid Signature” for JWT validation.

Here I am going to present my detailed analysis on these different version endpoints and other Azure App registration configurations to make access_token verifiable for your application.

So I am going to use postman to perform API calls exposed by Azure to retrieve and authorize access_token and id_token.

Postman configuration for Access Token

As per above screenshot, we need to set the type to Oauth 2.0 and click on “Get New Access Token”.

Now this form will pop up, where you need to fill details from Azure AD app registration. Most of the steps are straight-forward and are documented quite well here:

From above steps you will able to get Client ID, Client Secret and register your above mentioned Callback URL as Redirect URI in Azure application.

Now if you click on the endpoints as shown in above screenshot, you will get your OAuth 2.0 token endpoint (v2) which is Access Token URL and OAuth 2.0 authorization endpoint (v2) which is Auth URL.

You can mention any random string for state and for scope lets keep it openid for now, since it has got all the role play over here.

Now if you click on the “Request Token”, you will be redirected to Microsoft login page if you have selected “Authorize using browser”. After successful login you will get the access token something like this,

Now let’s check this JWT access token through https://jwt.io/, you with notice few thing over here, JWT header has this key “nonce”,

{ 
"typ": "JWT",
"nonce": "aQRLQRH5A9BUsQgawFGmFl0PigrD1hbVpGQfaZP_8",
"alg": "RS256",
"x5t": "ie_qWCXhXxt1zIEsu4c7acQVGn4",
"kid": "ie_qWCXhXxt1zIEsu4c7acQVGn4"
}

which looks having issue in token validation, here are some Github issues, Cannot validate signature and Cannot validate access_token.

And the next thing you will see is,

{ 
...
"iss": "https://sts.windows.net/<your-tenant-id>/",
...
"ver": "1.0",
...
}

Now although you are using all V2.0 endpoints but Azure AD is returning you an access_token of V1.0 with this issuer value, which will cause JWT validation failed because of issuer mismatch.

How to Solve this,

Now instead to using token from Microsoft Graph API we need to “Expose an API” which will be ours to get the access token,

As shown in above screen shot we need to add a scope, you can name it anything. We need to change consent to Admin and users, fill the other mandatory field just for information and save it. Now coming back to “Get New Access Token” popup from postman we need to add the above mentioned scope here,

Now if you click on “Request Token”, you will only get the access_token of V2.0 if while registering the application you have selected the option as shown in below screenshot,

Now if you have kept the default value checked, don’t worry you have an option to update the manifest file and change this configuration.

Here, first we need to download the manifest file update these two values,

{ 
...
"accessTokenAcceptedVersion": 2,
...
"signInAudience": "AzureADandPersonalMicrosoftAccount",
...
}

Now if you click on “Request token” from postman popup window you will see the access token will have proper version and issuer values set.

{ 
...
"iss": "https://login.microsoftonline.com/<your-tenant-id>/v2.0",
...
"ver": "2.0"
...
}

Adding Optional Claims in access_token,

If you need email, family_name, given_name or others details in your JWT access_token, you can simply add optional claim for access_token and turn on the Microsoft Graph email, profile permission.

Now your access token will have all this information,

{ 
...
"email": "AlexW@onmicrosoft.com",
"family_name": "Wilber",
"given_name": "Alex",
...
}

That’s all for Azure OIDC configuration with postman. I hope everyone finds it helpful. Thanks for reading !!

--

--

Surya Prakash Pandey
Surya Prakash Pandey

Written by Surya Prakash Pandey

A problem solver, who sometimes blogs about how problem was solved.

Responses (1)