microsoft-authentication-library-for-dotnet: Wrong version of access token (got Azure AD V1 instead of V2)

Hello,

Using the MSAL.NET library, I successfully retrieved an access token (from an ASP.NET Core 2.1 website). When I copy/paste it in the https://jwt.ms/ website, it indicates that “This is an Azure AD V1 token.”.

Here are the URLs I used:

"Authority": "https://login.microsoftonline.com/[TENANT-ID]/v2.0/",
"Instance": "https://login.microsoftonline.com/[TENANT-ID]/oauth2/v2.0/authorize",

I’m using the Microsoft.Identity.Client 1.1.4-preview0002.

Here is the code that gets the access token:

public async Task<string> GetAccessTokenAsync(IEnumerable<string> scopes)
        {
            var userCache = new FileTokenCache(
                this._protector, this._httpContextAccessor.HttpContext.User);
            
            HttpRequest request = this._httpContextAccessor.HttpContext.Request;
            string currentUri = UriHelper.BuildAbsolute(request.Scheme, request.Host, request.PathBase, request.Path);

            ConfidentialClientApplication daemonClient = new ConfidentialClientApplication(
                this._azureAdSettings.Value.ClientId,
                this._azureAdSettings.Value.Authority,
                currentUri,
                new ClientCredential(this._azureAdSettings.Value.ClientSecret),
                userCache.ToTokenCache(),
                new TokenCache());

            AuthenticationResult authResult = await daemonClient.AcquireTokenSilentAsync(
                scopes,
                daemonClient.Users.First());

            if (authResult != null)
            {
                return authResult.AccessToken;
            }

            return null;
        }

Why do I get a V1 token instead of the V2 version?

Thanks, Adrien.

About this issue

Original URL
State: closed
Created 6 years ago
Reactions: 2
Comments: 34 (15 by maintainers)

Most upvoted comments

@ibigbug : the kind of token you’ll get does not depend on the endpoint, but depends on what the Web API you call is capable of supporting. See the accessTokenAcceptedVersion property of the App manifest (the Web API app manifest)

jmprieur on Jan 5, 2019

@jmprieur changed my Web API App Registration manifest to accessTokenAcceptedVersion = 2, still getting v1 accessToken …

ibigbug on Jan 7, 2019

yes @ibigbug, your v2.0 Web API can use MSAL.NET AcquireTokenOnBehalfOfAsync to Acquire, from the v2.0 token it received, a (v1.0) token for VSTS. This is because Azure AD knows that VSTS accepts only v1.0 tokens, and therefore will provide to MSAL.NET a v1.0 token so that your API can call VSTS.

jmprieur on Jan 7, 2019