The built-in authentication feature of App Service, also known as EasyAuth, implements the following Azure Active Directory flows:
The EasyAuth module of App Service uses the Implicit Flow when no client secret is set at the App Service level. Note that with this flow the App Service returns only an id_token; no access token is issued.
To obtain an access_token, the client secret must be set; the EasyAuth module then switches to the "Hybrid Flow".
When EasyAuth is set up using the Express method, the client secret is created automatically.
The following steps can be performed to generate a new client secret:
Once we save the settings and browse to the /.auth/me endpoint of the App Service, we get the tokens.
(Note: the change takes effect only after the user signs in to the App Service again. The /.auth/login/aad endpoint can be used to re-authenticate the user.)
Notice that the access token is not a JWT. This is because the Hybrid Flow configuration did not include a resource.
The value returned as the access token is actually the authorization code. Only when a resource is set does the EasyAuth module exchange this authorization code at the Azure Active Directory /token endpoint for a real access token.
To get an access token directly, we need to set the resource in the App Service auth settings using the Azure Resource Explorer.
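For reference, the weak and the corrected auth settings side by side, as an added illustration (not configuration taken from the original post). The fragment assumes the legacy `config/authsettings` resource that Azure Resource Explorer exposes under the site, and uses Microsoft Graph as an example resource; the clientId, issuer and secret values are placeholders.

```json
{
  "comment": "Constructed example: config/authsettings of an App Service as seen in Azure Resource Explorer",
  "before_no_resource": {
    "properties": {
      "enabled": true,
      "unauthenticatedClientAction": "RedirectToLoginPage",
      "defaultProvider": "AzureActiveDirectory",
      "clientId": "00000000-0000-0000-0000-000000000000",
      "clientSecret": "<client secret set by the Express setup>",
      "issuer": "https://sts.windows.net/<tenant-id>/",
      "additionalLoginParams": []
    }
  },
  "after_with_resource": {
    "properties": {
      "enabled": true,
      "unauthenticatedClientAction": "RedirectToLoginPage",
      "defaultProvider": "AzureActiveDirectory",
      "clientId": "00000000-0000-0000-0000-000000000000",
      "clientSecret": "<client secret set by the Express setup>",
      "issuer": "https://sts.windows.net/<tenant-id>/",
      "additionalLoginParams": [
        "resource=https://graph.microsoft.com"
      ]
    }
  }
}
```

In the first variant /.auth/me hands back the raw authorization code in the access_token field; in the second, EasyAuth redeems that code at the /token endpoint for the named resource and the access_token field carries a JWT scoped to it. The clientSecret must still be present, otherwise EasyAuth falls back to the Implicit Flow and no access token of either kind is returned.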
Upon browsing to the App Service after making the above change, we see that the access token value is now a JWT.
We could use https://jwt.ms to decode the access token and view the claims.
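The following script is an added example, not code from the original post, that does offline what jwt.ms does in the browser: it takes the JSON returned by /.auth/me, tells an opaque authorization code apart from a real JWT access token, and decodes the claims of the latter without verifying the signature. The two /.auth/me responses embedded below are constructed for the example (the JWT is self-made with a fake signature, the opaque value is an invented string), and the claim values and the Graph audience are assumptions.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt_unverified(token: str):
    """Return (header, payload) if token is a well-formed JWS compact token,
    otherwise None.  The signature is deliberately NOT checked: this mirrors
    what jwt.ms shows and is only for inspecting claims, never for trusting them."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(b64url_decode(parts[0]))
        payload = json.loads(b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        # binascii.Error and JSONDecodeError are ValueError subclasses
        return None
    if not isinstance(header, dict) or "alg" not in header or not isinstance(payload, dict):
        return None
    return header, payload


def classify_access_token(auth_me: list) -> dict:
    """auth_me is the parsed JSON list that /.auth/me returns (one entry per provider).
    Returns a dict describing whether access_token is a JWT or an opaque code."""
    entry = auth_me[0]
    token = entry.get("access_token", "")
    decoded = decode_jwt_unverified(token)
    if decoded is None:
        return {
            "kind": "opaque",
            "hint": "not a JWT: with no resource configured EasyAuth returns the authorization code",
        }
    header, payload = decoded
    return {
        "kind": "jwt",
        "alg": header.get("alg"),
        "aud": payload.get("aud"),
        "claims": payload,
    }


# --- constructed sample data (not real tokens) ---------------------------------
_CONSTRUCTED_JWT = ".".join([
    b64url_encode(json.dumps({"typ": "JWT", "alg": "RS256", "kid": "constructed-kid"}).encode()),
    b64url_encode(json.dumps({
        "aud": "https://graph.microsoft.com",  # assumed resource
        "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
        "upn": "user@contoso.example",
        "scp": "User.Read",
    }).encode()),
    b64url_encode(b"not-a-real-signature"),
])

# /.auth/me after the resource was set: access_token is a JWT
SAMPLE_ME_WITH_RESOURCE = [{
    "provider_name": "aad",
    "user_id": "user@contoso.example",
    "id_token": _CONSTRUCTED_JWT,
    "access_token": _CONSTRUCTED_JWT,
}]

# /.auth/me with a client secret but no resource: access_token is the raw authorization code
SAMPLE_ME_NO_RESOURCE = [{
    "provider_name": "aad",
    "user_id": "user@contoso.example",
    "id_token": _CONSTRUCTED_JWT,
    "access_token": "OAQABAAIAAAConstructedOpaqueAuthorizationCodeValue",
}]


if __name__ == "__main__":
    for label, sample in (("no resource", SAMPLE_ME_NO_RESOURCE),
                          ("with resource", SAMPLE_ME_WITH_RESOURCE)):
        print(label, json.dumps(classify_access_token(sample), indent=2))
```

To run it against a live App Service, sign in, fetch /.auth/me in the same browser session, save the JSON and pass the parsed list to `classify_access_token`. Because the signature is not verified, treat the decoded claims as informational only; the App Service backend should still validate tokens it receives.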
FAQ: