Azure Active Directory Token Type | id_token | Access Token | Refresh_Token

Captions
Hi guys, hope you're all doing well. Welcome back to our series on Azure Active Directory, and in this video we are going to talk about token types. The key focus of this video will be knowing what is an access token, what is an ID token, what is a refresh token, and how exactly you can use a refresh token to renew your access token and get a new refresh token. All this is done with the help of a simple script which I will be showing you in this particular video, and that is something which I will also be sharing in our community post.

So let's proceed by knowing what is an access token. An access token is a typical JWT token which is issued to applications so that applications can access protected resources, and in our case it will be mostly Microsoft Graph. Now there is one very important point which you guys must remember, and that is: there is no way to revoke an access token as of now. Now, depending upon the flow that your application is using, there could be different access tokens, or the claims inside an access token can be different. Let me explain this with an example. If our application is using the OAuth 2.0 client credential flow, in this case the access token which Azure AD is issuing will only have the claims that are related to the application. But if your application is using the OAuth 2.0 authorization code flow, wherein there is a user interaction, in this case the access token that your application will get will have both types of claims: some of them will be related to the user, as well as application claims.

Now, in order to showcase to you guys how this part works, I will be using Postman. How to use Postman is something which I have already covered in a lot more detail; I will be sharing that link in the description, and if you guys want you can watch that video as well. So in order to get a new access token for a particular flow, what I'll do is click on Get New Access Token, and as of now you can see the value which has been selected is client credential flow. In this case the token that I will get will have the claims related to apps only, so I'm going to name my token, let's say, "app only". This is my v2.0 endpoint of my directory, and this is my client ID, my client secret, and the scope that I'm going to mention is graph.microsoft.com/.default. That's it, and now I'm going to click on Request Token. Now the expected behavior is that if we decode this particular token we should only get the claims that are related to our application, and for that what I'll do is go to jwt.io and paste my new token over here. As you can see, this is the decrypted payload of our token, and if I come back to my notepad and copy these values here, you can see that there is no claim mentioned over here that could be related with any user, because there is no user interaction. What is getting mentioned over here is the application name, app ID, and the different information, or the different set of Graph endpoints or Graph information, this application can access.

Now let's come back to our Postman console once again, and this time we will use the authorization code flow. So to initiate the authorization code flow, all I have to do is click on Get New Access Token again, and now I have to select Authorization Code, and here I will be typing, let's say, "app plus user", because I will be getting the claims which are related to my user as well as the application. I'm not going to make any change when it comes to endpoints because these values are appropriate, and my client ID and client secret are also intact; no changes in scope. All I have done is I have now selected the authorization code flow so that there should be a user interaction, and see, this is what I'm getting as of now, where I have to click on my account, and now I will type in my password. Now the expected behavior is that as soon as the authentication gets completed I will get the access token which will have the claims related to my user, which is entered at conceptswork.com. So I will copy this value now and I will again go back to jwt.io, and here I will decrypt this token, and now I'm going to copy this value and I'll again come back to my notepad and we'll compare both the tokens. Okay, so as you can see, most of the information that is related to my user is getting mentioned over here, which is not the case with the token which we received initially. Okay, and the permissions that you see here are the permissions that I have manually granted to this application from the API permission section, whereas here what I'm getting is the different scopes that are requested. So depending upon the flow that you are using, the access token that you will get and the claims inside that token will be different.

So now, if we talk about the typical three components which exist in a JWT token, they are header, payload, and the certificate verification section, and it's the payload section that will have the details related to all the claims; it can be applications, it can be application and user both. So this is how the entire access token operates, or the set of information which you must know.

Now let's proceed by knowing what is an ID token. An ID token is also a JWT token, but it is issued for the verification of user identity. That means the ID token cannot be used by an application to access a protected resource, which is the case with the access token, right? The ID token will only be used for the verification of user identity, and the ID token is different from the access token. To show you guys that, what I'll do is again switch to my Postman console, and I'm going to use a particular value in the scope section so that now I should also get an ID token as well as an access token. So in the scope, if you have mentioned openid and then click on Request Token, you will also get an ID token as well as an access token. So as you can see, now I'm also getting an ID token. Now the moment I copy this value and go to jwt.io and decrypt this token, you can see all the user's claims are getting mentioned, and all the customization that you do from the claims mapping policy is going to impact the ID token which is getting issued to a particular user.

So now we have covered access token and ID token; let's talk about how the refresh token works. If we talk about a typical authentication flow wherein a user interaction is required, like the authorization code flow or the OpenID Connect authentication flow, the user will navigate to application.com; application.com will redirect the user to Azure AD, wherein the user will be prompted for a consent. Once that consent is approved, an access token is given back to the application, provided you are using the OAuth 2.0 authorization code flow. Now, what needs to be done to request a refresh token? The first request which your application is sending to the authorize endpoint of your Azure AD must contain a value in the scope which is called offline_access. The moment this value is present in the first request, Azure AD will issue an access token as well as a refresh token. Now your application can request, or can use, this refresh token to get a new access token and a new refresh token. Now the concept behind this is that we fairly know that the access token will always be used to access a protected API, but every token has a time to get expired, or it has an expiry time. Now it is something that you have to define in your application; that means this is a logic that you have to define on your application side, that once your access token is about to expire you can use the current refresh token to get a new access token and a new refresh token.

Now in order to show you guys how exactly this works, I will be using Postman as well as the custom script that I was talking about, but make sure the construction of the request that you are doing in order to get a new access token and a new refresh token looks something like this, and the endpoint that you have to use in this case will be the token endpoint, not the authorize endpoint. So now what I'm going to do is switch to Postman, where I will add a particular value with which we will also get a refresh token, and that is offline_access. Now if I click on Request Token, I will get an access token, an ID token, as well as a refresh token. So this was my access token, this is my ID token, and this is my refresh token. I will copy this value because this is something which I will be using to request a new access token and a new refresh token.

So before I go ahead and show you guys how exactly the script operates, let me just tell you guys what exactly this script is going to do. Firstly it will ask for my tenant name, and then it will query the respective endpoints which can be used to process a particular request, and this is the same section which I have shown you guys in the deck, if you pay close attention. The refresh token is something which I'm going to manually enter so that it can be used to get a new access token and a new refresh token. Now I'll come back to my PowerShell and I'm just going to initiate my script. It is going to ask for my tenant name, which will be conceptswork.com, and then I'm going to enter the refresh token which I have just copied from Postman, and the moment I press enter, you see both the endpoints were queried and I now have a new access token and a new refresh token with the help of my current refresh token. Now there's one more thing which I would like to address here, and that is that refresh tokens are something which can be revoked, which was not the case with the access token.

So this was all about knowing how the ID token, refresh token, as well as access token work. If you want to know more, and if you want to really learn how exactly every component of Azure AD works when it comes to advanced troubleshooting, do join our channel and get access to our new playlist, which is Azure AD Advanced Troubleshooting. So let's talk about a quick summary of what all we have discussed in this video. We have discussed all the three token types, and I will be sharing a script in the community post which you can use to renew, or to get a new, access token or refresh token. If you guys have learned something new, please feel free to subscribe. Thank you so much, thanks for your time.
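The video's own script is PowerShell and is shared in its community post rather than on this page; the following is an added Python example (not the author's code) of the same steps: decoding a JWT header and payload the way jwt.io does, telling an app-only token from an app+user token by its claims, deciding on the application side when an access token is about to expire, and building the refresh_token grant against the tenant's v2.0 token endpoint. The endpoint URL shapes are the documented Azure AD v2.0 ones; the tenant name, client id, client secret and the two sample tokens are constructed placeholders, and the sample tokens carry a fake signature so they decode but would never verify.

```python
import base64
import json
import urllib.parse
import urllib.request


def tenant_endpoints(tenant):
    """Azure AD v2.0 endpoints for a tenant name such as 'contoso.onmicrosoft.com'.
    The discovery document lists the same authorize/token URLs plus jwks_uri."""
    base = f"https://login.microsoftonline.com/{tenant}"
    return {
        "discovery": f"{base}/v2.0/.well-known/openid-configuration",
        "authorize": f"{base}/oauth2/v2.0/authorize",
        "token": f"{base}/oauth2/v2.0/token",
    }


def _b64url_decode(segment):
    # JWT segments are base64url without '=' padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def decode_jwt_unverified(token):
    """Split header.payload.signature and decode header and payload as JSON.
    Like pasting into jwt.io this is inspection only: the signature is NOT
    checked, so never base an authorization decision on this output."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload


def classify_access_token(payload):
    """Client-credential (app-only) tokens carry application permissions in
    'roles' and no user claims; authorization-code tokens carry delegated
    scopes in 'scp' plus user claims such as 'upn' or 'preferred_username'."""
    has_user = any(k in payload for k in ("upn", "preferred_username", "name"))
    if "scp" in payload and has_user:
        return "app+user"
    if "roles" in payload and not has_user:
        return "app-only"
    return "unknown"


def should_refresh(payload, now, skew_seconds=300):
    """Application-side logic from the video: use the refresh token once the
    access token's 'exp' (seconds since epoch) is within skew_seconds of now."""
    return payload["exp"] - now <= skew_seconds


def build_refresh_request(tenant, client_id, client_secret, refresh_token, scope):
    """Form body for the refresh_token grant. It goes to the TOKEN endpoint,
    not the authorize endpoint; offline_access in the original authorize
    request is what made Azure AD issue the refresh token in the first place."""
    url = tenant_endpoints(tenant)["token"]
    body = {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
        "scope": scope,
    }
    return url, urllib.parse.urlencode(body).encode("ascii")


def send_refresh_request(url, body):
    """POST the grant and return the JSON reply (access_token, refresh_token, ...).
    Network call; not exercised by the offline demo below."""
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def make_sample_token(payload):
    """Build a CONSTRUCTED token with a fake signature, for offline decoding only."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "constructed-kid"}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()),
                     _b64url_encode(b"not-a-real-signature")])


# Constructed sample payloads mirroring the claim difference shown in the video.
SAMPLE_APP_ONLY_TOKEN = make_sample_token({
    "aud": "https://graph.microsoft.com", "tid": "00000000-0000-0000-0000-00000000tid0",
    "appid": "00000000-0000-0000-0000-0000000app00", "app_displayname": "app only",
    "roles": ["User.Read.All"], "exp": 1590000000})
SAMPLE_APP_USER_TOKEN = make_sample_token({
    "aud": "https://graph.microsoft.com", "tid": "00000000-0000-0000-0000-00000000tid0",
    "appid": "00000000-0000-0000-0000-0000000app00", "upn": "user@example.invalid",
    "name": "Sample User", "scp": "User.Read offline_access openid", "exp": 1590000000})

if __name__ == "__main__":
    for label, tok in (("app-only", SAMPLE_APP_ONLY_TOKEN), ("app+user", SAMPLE_APP_USER_TOKEN)):
        _, payload = decode_jwt_unverified(tok)
        print(label, "->", classify_access_token(payload), json.dumps(payload, indent=2))
    url, body = build_refresh_request("conceptswork.com", "<client-id>", "<client-secret>",
                                      "<refresh-token-from-postman>",
                                      "https://graph.microsoft.com/.default offline_access")
    print("POST", url, body.decode())
```

To actually renew a token, pass the result of `build_refresh_request` to `send_refresh_request`; the reply carries both a new access_token and a new refresh_token, which is the pair the video's PowerShell script prints. Because `decode_jwt_unverified` skips signature checking, anything that consumes tokens (an API, a log pipeline) should validate them against the tenant's jwks_uri from the discovery document before trusting the claims.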
Info
Channel: Concepts Work
Views: 21,091
Id: FTULjLL-ZDI
Length: 12min 36sec (756 seconds)
Published: Sat May 23 2020