Refreshing id token when using easy authentication

Question
We have a web application that authenticates users using Azure AD with the "easy" authentication support built in to Azure app services. This application communicates with a backend service and passes through the user's id token to authorize with that backend service. The backend service is an Azure Cloud Service and performs authorization by validating the JWT in the HTTP Authorization header. The problem we're having is that when a user's access token expires, we can successfully refresh it in the app service (after following the instructions from https://cgillum.tech/2016/03/07/app-service-token-store/), but the id token is not refreshed and still has an old expiry date. This means that our backend service will say the user is unauthorized because their id token is expired. We can't use the access token for authorization because that is an opaque string and we want to be able to authorize users without having to make a call to Azure AD.
Is it possible to get an updated id token after the access token is refreshed? Or can the refresh functionality be updated to also update the id token? Or alternatively, is it possible to obtain an access token that is a JWT and includes the user's claims instead of the opaque access token?
Monday, March 6, 2017 5:17 PM
Answers
Azure AD doesn't return a new id_token when it processes a token refresh request.
It is possible to get an access_token with the user claims if you configure your app to have access to another service, like the Graph API (I can't explain why the shape of the token is different in this case, it's just what I've observed). Take a look at the following blog post for an example of fetching access tokens that can be used against the AAD Graph API. These access tokens should have the claims you're looking for:
https://cgillum.tech/2016/03/25/app-service-auth-aad-graph-api/
- Proposed as answer by Chris Gillum (MSFT) Wednesday, March 8, 2017 12:36 AM
- Marked as answer by Adam Reeve Friday, March 10, 2017 2:03 PM
Wednesday, March 8, 2017 12:36 AM
All replies
Thanks Chris, we do get an access token that is a JWT with that change, but it doesn't have the group membership claims that we want to use for authorization. We had to edit the app registration manifest and specify "groupMembershipClaims": "All" for these to be present in the id token. We wanted to avoid having to call the graph API to get the user's groups but I guess we might need to do that.
Wednesday, March 8, 2017 8:58 AM
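The backend check the question describes (validate the JWT from the Authorization header, refuse it once exp has passed, then authorize on group membership) is sketched below as an added example; it is not code from this thread or from Azure App Service. To run without extra libraries it signs tokens with HS256 and a constructed shared secret, whereas Azure AD issues RS256 tokens that a real backend validates against the tenant's published signing keys; the audience string and group id are also constructed placeholders. The demo builds four test tokens and shows why a stale id_token is refused even when its group claims are intact, and what happens when the groups claim is absent (the situation before "groupMembershipClaims": "All" is set in the manifest).

```python
import base64
import hashlib
import hmac
import json

# Constructed values for this example only. Azure AD signs id_tokens with
# RS256 against a tenant key set; HS256 with a shared secret is used here so
# the example runs stand-alone.
SECRET = b"example-signing-secret-not-real"
EXPECTED_AUDIENCE = "api://backend-service"                # assumed backend app id
REQUIRED_GROUP = "11111111-2222-3333-4444-555555555555"    # constructed group object id


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict) -> str:
    """Build an HS256 JWT from the given claims (test fixture, not Azure AD)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def authorize(authorization_header: str, now: int, leeway: int = 60):
    """Validate the bearer JWT and decide access.

    Returns (allowed, reason, claims). The signature is verified before any
    claim is trusted, exp is checked before group membership, so an id_token
    left over after an access-token refresh fails on exp regardless of groups.
    """
    if not authorization_header.startswith("Bearer "):
        return False, "missing bearer token", None
    parts = authorization_header[len("Bearer "):].split(".")
    if len(parts) != 3:
        return False, "malformed token", None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:
        return False, "malformed token", None
    # Pin the algorithm; the token must never choose how it is verified.
    if header.get("alg") != "HS256":
        return False, "unexpected alg", None
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature", None
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return False, "malformed payload", None
    if claims.get("aud") != EXPECTED_AUDIENCE:
        return False, "wrong audience", None
    if now > int(claims.get("exp", 0)) + leeway:
        return False, "token expired", claims
    groups = claims.get("groups")
    if groups is None:
        return False, "no groups claim (groupMembershipClaims not set?)", claims
    if REQUIRED_GROUP not in groups:
        return False, "not in required group", claims
    return True, "ok", claims


def demo():
    """Exercise authorize() with constructed tokens at a fixed clock."""
    now = 1_500_000_000
    base = {"aud": EXPECTED_AUDIENCE, "sub": "user-1", "groups": [REQUIRED_GROUP]}
    fresh = mint_token({**base, "exp": now + 3600})
    stale = mint_token({**base, "exp": now - 3600})      # id_token after its hour is up
    no_groups = mint_token({"aud": EXPECTED_AUDIENCE, "sub": "user-1", "exp": now + 3600})
    # Claims of the fresh token with the stale token's signature attached.
    tampered = fresh.rsplit(".", 1)[0] + "." + stale.rsplit(".", 1)[1]
    return {
        "fresh": authorize("Bearer " + fresh, now)[:2],
        "stale": authorize("Bearer " + stale, now)[:2],
        "no_groups": authorize("Bearer " + no_groups, now)[:2],
        "tampered": authorize("Bearer " + tampered, now)[:2],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} -> {result}")
```

The order of checks is the design point: signature, then audience, then exp, then group claims. Reordering them (for example checking groups before the signature) lets unsigned or stale claims influence the decision before they have been shown to be genuine and current.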
Right, these claims won't be present in the access_token. So it seems your options are to either make calls to the Azure AD Graph API or to have the customer periodically reauthenticate to get a new id_token.
Wednesday, March 8, 2017 9:23 PM
Ok thanks Chris, I think we'll go with getting users to reauthenticate after an hour as we don't think that will be a big problem for them.
Friday, March 10, 2017 2:03 PM