
I’m integrating Microsoft Entra ID with my web app using OAuth2 for a dedicated app registration specific to my tenant. Despite setting the accessTokenAcceptedVersion in the manifest to 2, I am still receiving access tokens with version 1. This issue is hindering my ability to validate and use the tokens as required.

Here’s how I’m initiating the OAuth2 authorization:

https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/authorize?scope=openid+profile+email&response_type=code&client_id={client-id}&redirect_uri={redirect-uri}&state={state}&code_challenge={code-challenge}&code_challenge_method=S256

After obtaining the authorization code, I exchange it for a token at the token v2 endpoint (I double-checked that). However, the access token I receive continues to be version 1 and the aud is set to 00000003-0000-0000-c000-000000000000 which seems to be Microsoft Graph. The ID token seems to be version 2.

Has anyone encountered this issue before? How can I ensure that my application receives the specified version 2 tokens? Any help or suggestions would be greatly appreciated.
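The authorize URL in the question already carries a PKCE challenge, and the token exchange it describes needs the matching verifier. The helper below is an added example, not code from the original post: it derives the S256 code_challenge from a code_verifier (RFC 7636), builds the v2.0 authorize URL for either the Graph scopes from the question or an api://{client-id}/{scope} scope of your own, and builds the matching token request body. Tenant, client ID and redirect URI values are placeholders I assumed for illustration.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Placeholder values (assumed for illustration, not from the original post).
TENANT_ID = "contoso.onmicrosoft.com"
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
REDIRECT_URI = "https://jwt.ms"

AUTHORITY = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0"


def make_pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) for code_challenge_method=S256.

    The verifier is a high-entropy random string kept by the client; the
    challenge is the unpadded base64url SHA-256 of the verifier. The token
    request must carry the verifier itself, not the literal string "S256".
    """
    if verifier is None:
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def api_scope(client_id, scope_name):
    """Scope string for a permission exposed under 'Expose an API'."""
    return f"api://{client_id}/{scope_name}"


def build_authorize_url(tenant_id, client_id, redirect_uri, scope, state, code_challenge):
    """Authorization request against the v2.0 authorize endpoint."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORITY.format(tenant=tenant_id) + "/authorize?" + urlencode(params)


def build_token_request(tenant_id, client_id, redirect_uri, scope, code, code_verifier):
    """(url, form_body) for the authorization_code grant at the v2.0 token endpoint.

    The scope sent here decides which resource the access token is minted
    for: Graph scopes give a Graph token, api://{client_id}/... gives a token
    for your own API.
    """
    url = AUTHORITY.format(tenant=tenant_id) + "/token"
    body = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "scope": scope,
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
    }
    return url, body


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    print(build_authorize_url(TENANT_ID, CLIENT_ID, REDIRECT_URI,
                              "openid profile email", state, challenge))
    print(build_authorize_url(TENANT_ID, CLIENT_ID, REDIRECT_URI,
                              api_scope(CLIENT_ID, "test.scope"), state, challenge))
    print(build_token_request(TENANT_ID, CLIENT_ID, REDIRECT_URI,
                              api_scope(CLIENT_ID, "test.scope"), "<code>", verifier))
```

Store the verifier server-side (or in the session) between the two requests; the challenge in the URL and the verifier in the token body must come from the same pair.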

2 Answers


  1. As some people mentioned in the comments, setting the accepted token version only affects tokens intended for your API.
    If you get an MS Graph API token, it respects the settings that MS Graph has defined, not the ones you define.

    You need to add a scope under the Expose an API page and request it when authenticating.

  2. Initially, I modified the accessTokenAcceptedVersion value to 2 in the Manifest of the app registration like this:

    [screenshot: app registration manifest with accessTokenAcceptedVersion set to 2]

    Then I generated an access token with the Microsoft Graph scopes via Postman, with the parameters below (code_verifier is the PKCE verifier that matches the code_challenge sent in the authorization request):

    POST https://login.microsoftonline.com/tenantID/oauth2/v2.0/token
    grant_type:authorization_code
    client_id:appID
    scope:openid profile email
    code:code
    redirect_uri:https://jwt.ms
    code_verifier:{code-verifier}
    

    Response:

    [screenshot: token response]

    When I decoded this token on the jwt.ms website, the access token had 1.0 as its version, with aud set to 00000003-0000-0000-c000-000000000000:

    [screenshot: decoded v1.0 access token in jwt.ms]

    As I mentioned in the comments, you need to expose an API and use a newly created scope such as api://appID/.default to get a v2.0 access token.

    In my case, I exposed an API and created a new scope named test.scope as below:

    [screenshot: Expose an API page with the test.scope scope]

    To get the code value, I ran the authorization URL below, replacing the scope value with api://appID/test.scope:

    https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/authorize?scope=api://appID/scope_name&response_type=code&client_id={client-id}&redirect_uri={redirect-uri}&state={state}&code_challenge={code-challenge}&code_challenge_method=S256
    

    Then I used this code to generate an access token via Postman, with the scope set to the exposed API value like this:

    POST https://login.microsoftonline.com/tenantID/oauth2/v2.0/token
    grant_type:authorization_code
    client_id:appID
    scope:api://appID/test.scope
    code:code
    redirect_uri:https://jwt.ms
    code_verifier:{code-verifier}
    

    Response:

    [screenshot: token response]

    When I decoded this token on the jwt.ms website, the access token had 2.0 as its version:

    [screenshot: decoded v2.0 access token in jwt.ms]

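Both answers come down to the same check the API itself should make: the token presented to your app must be one minted for your app, not a Graph token that happens to be in the caller's hand. The script below is an added example, not code from the original thread or from Microsoft: it decodes a JWT's claims and reports why a token must be rejected by your API (wrong ver, wrong issuer, aud equal to the Graph app id seen in the question, or any aud not in your accepted set). To run offline it builds two constructed, unsigned sample tokens that mirror the two results in the answer above; real Entra ID tokens are signed, and this claim check is a complement to, not a replacement for, signature verification against the tenant's published keys. The tenant and client ID values are placeholders I assumed.

```python
import base64
import json

# Audience seen on the v1.0 token in the thread: the Microsoft Graph app id.
MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

# Placeholder values (assumed for illustration, not from the original post).
TENANT_ID = "contoso.onmicrosoft.com"
CLIENT_ID = "11111111-2222-3333-4444-555555555555"


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token):
    """Return the JWT payload claims. Does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_token_for_api(token, tenant_id, accepted_audiences):
    """Return the reasons this token must be rejected by *your* API.

    An empty list means the claims say it is a v2.0 token issued by this
    tenant for this API. A Graph token fails on ver, iss and aud at once.
    """
    claims = decode_claims(token)
    problems = []
    if claims.get("ver") != "2.0":
        problems.append(f"ver is {claims.get('ver')!r}, expected '2.0'")
    expected_iss = f"https://login.microsoftonline.com/{tenant_id}/v2.0"
    if claims.get("iss") != expected_iss:
        problems.append(f"iss is {claims.get('iss')!r}, expected {expected_iss!r}")
    aud = claims.get("aud")
    if aud == MS_GRAPH_APP_ID:
        problems.append("aud is Microsoft Graph: token was issued for Graph, not for this API")
    elif aud not in accepted_audiences:
        problems.append(f"aud {aud!r} is not an accepted audience of this API")
    return problems


def make_unsigned_sample_token(claims):
    """Constructed, unsigned JWT so the example runs offline. Never accept
    alg=none in a real validator; Entra ID tokens are RS256-signed."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


# Constructed sample tokens mirroring the two outcomes in the answer above.
GRAPH_STYLE_TOKEN = make_unsigned_sample_token({
    "aud": MS_GRAPH_APP_ID,
    "iss": f"https://sts.windows.net/{TENANT_ID}/",
    "ver": "1.0",
    "scp": "email openid profile",
})
API_STYLE_TOKEN = make_unsigned_sample_token({
    "aud": CLIENT_ID,
    "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "ver": "2.0",
    "scp": "test.scope",
})

# Accept either spelling of your own audience; the exact form Entra ID
# emits depends on the token version and app registration.
ACCEPTED_AUDIENCES = {CLIENT_ID, f"api://{CLIENT_ID}"}


if __name__ == "__main__":
    for name, tok in (("graph-style", GRAPH_STYLE_TOKEN), ("api-style", API_STYLE_TOKEN)):
        problems = check_token_for_api(tok, TENANT_ID, ACCEPTED_AUDIENCES)
        print(name, "->", "accepted" if not problems else problems)
```

Wire this in after signature verification: a valid Graph token still has a valid Microsoft signature, so an API that checks only the signature will accept it and let a caller replay a token that was never meant for that API.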