microsoft-authentication-library-for-dotnet: Wrong version of access token (got Azure AD V1 instead of V2)
Hello,
Using the MSAL.NET library, I successfully retrieved an access token (from an ASP.NET Core 2.1 website). When I copy/paste it in the https://jwt.ms/ website, it indicates that “This is an Azure AD V1 token.”.
Here are the URLs I used:
"Authority": "https://login.microsoftonline.com/[TENANT-ID]/v2.0/",
"Instance": "https://login.microsoftonline.com/[TENANT-ID]/oauth2/v2.0/authorize",
I’m using the Microsoft.Identity.Client 1.1.4-preview0002.
Here is the code that gets the access token:
public async Task<string> GetAccessTokenAsync(IEnumerable<string> scopes)
{
var userCache = new FileTokenCache(
this._protector, this._httpContextAccessor.HttpContext.User);
HttpRequest request = this._httpContextAccessor.HttpContext.Request;
string currentUri = UriHelper.BuildAbsolute(request.Scheme, request.Host, request.PathBase, request.Path);
ConfidentialClientApplication daemonClient = new ConfidentialClientApplication(
this._azureAdSettings.Value.ClientId,
this._azureAdSettings.Value.Authority,
currentUri,
new ClientCredential(this._azureAdSettings.Value.ClientSecret),
userCache.ToTokenCache(),
new TokenCache());
AuthenticationResult authResult = await daemonClient.AcquireTokenSilentAsync(
scopes,
daemonClient.Users.First());
if (authResult != null)
{
return authResult.AccessToken;
}
return null;
}
Why do I get a V1 token instead of the V2 version?
Thanks, Adrien.
About this issue
- Original URL
- State: closed
- Created 6 years ago
- Reactions: 2
- Comments: 34 (15 by maintainers)
@ibigbug : the kind of token you’ll get does not depend on the endpoint, but depends on what the Web API you call is capable of supporting. See the accessTokenAcceptedVersion property of the App manifest (the Web API app manifest)
@jmprieur changed my Web API App Registration manifest to accessTokenAcceptedVersion = 2, still getting v1 accessToken …
yes @ibigbug, your v2.0 Web API can use MSAL.NET AcquireTokenOnBehalfOfAsync to Acquire, from the v2.0 token it received, a (v1.0) token for VSTS. This is because Azure AD knows that VSTS accepts only v1.0 tokens, and therefore will provide to MSAL.NET a v1.0 token so that your API can call VSTS.