Add support for opaque AAD access tokens #107845
Merged
Consider the following set of scopes:

`'profile', 'openid', 'offline_access', '9bd5ab7f-4031-4045-ace9-6bebbad202f6/all'`

where return JSON looks somewhat like this:
https://gist.github.com/olegoid/7fec1889e98844686f84ae903a2e8d50

`access_token` claim parsing fails with an `Unable to read token claims` error. For some resource scopes, AAD can issue so-called "opaque" tokens that are not supposed to be parsed. In that situation, we can rely on `id_token`s to fetch supplemental information such as user name, etc. Here's the document that describes that scenario:
https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens

You can also try to manually validate the `access_token` from my JSON and it will turn out as gibberish. The `id_token`, however, is a totally valid JWT.
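The fallback the description relies on, as an added Python example that is not code from this PR or its project: decide whether the `access_token` is structurally a JWT or opaque, and take identity claims from the `id_token` rather than from the access token. The token values and the `_demo_jwt` helper are constructed for the demo (the scope string reuses the one quoted above); signature verification against the issuer's keys is deliberately out of scope here and must happen before any claim is trusted.

```python
import base64
import json
from typing import Optional

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def parse_jwt_claims(token: str) -> Optional[dict]:
    """Payload of a compact JWT, or None if the token is not structurally a JWT
    (e.g. an opaque AAD access token). The signature is NOT verified here, so
    the claims stay untrusted until checked against the issuer's signing keys."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64, bad UTF-8 and bad JSON all raise ValueError subclasses
        return None
    if not (isinstance(header, dict) and "alg" in header and isinstance(payload, dict)):
        return None
    return payload

def user_info_from_response(token_response: dict) -> dict:
    """Identity claims come from id_token only; the access_token is for the resource."""
    id_claims = parse_jwt_claims(token_response.get("id_token", ""))
    if id_claims is None:
        raise ValueError("id_token missing or not a JWT")
    access_is_jwt = parse_jwt_claims(token_response.get("access_token", "")) is not None
    return {
        "name": id_claims.get("name"),
        "preferred_username": id_claims.get("preferred_username"),
        "access_token_is_opaque": not access_is_jwt,
    }

def _demo_jwt(claims: dict) -> str:
    # Constructed id_token with a placeholder signature segment (demo only).
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.{_b64url_encode(b'demo-sig')}"

# Constructed token response shaped like the one in the PR, with made-up values.
SAMPLE_RESPONSE = {
    "scope": "profile openid offline_access 9bd5ab7f-4031-4045-ace9-6bebbad202f6/all",
    "access_token": "PAQABAAAAAADopaqueDemoTokenNotAJwt",  # no dot-separated segments
    "id_token": _demo_jwt({"name": "Demo User", "preferred_username": "demo@example.com"}),
}
```

Running `user_info_from_response(SAMPLE_RESPONSE)` reports the access token as opaque and returns the name and username from the `id_token`, which is the behaviour the PR asks for instead of failing on `Unable to read token claims`.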