How to Get an Azure V2 Access Token Saved in the Users Identity Profile in Auth0

Knowledge Solutions
,
1

Overview

Some customers may want to retrieve the Azure AD V2 IdP Access tokens (not Auth0 access tokens) from the users’ profiles in Auth0. This is not supported in the:

  • Azure AD Enterprise Connection - This is because the Microsoft Graph API scopes are hardcoded. The Graph API will only return V1 tokens. In testing, this still appears to be the case.
  • OIDC Enterprise Connection - This will not store the IdP token within the identity array of the user profile

Applies To

  • Azure AD V2 IdP Access Tokens

Solution

The Social OIDC connection type is the solution here.

General settings guidance for the connection:

  • Authorization URL: Sign in to your account
  • Token URL: Sign in to your account
  • Scope: openid profile email {Application scope that forces V2 type tokens, please see the screenshot here for what the setup should look like. For more information refer to the How to get access token version 2.0.
  • Separate scopes using space: true
  • Client ID: [APP-ID]
  • Client Secret: {Secret generated in Azure dashboard under the application in Manage → Certificates and Secrets}
  • Fetch User Profile Script examples below:

No JWKS verification:

function(accessToken, context, callback) {
const jwt = require(‘jsonwebtoken’);
var idToken = jwt.decode(context.id_token);
const profile = {
user_id: idToken.oid,
email: idToken.email,
name: idToken.name
};
callback(null, profile);
}

With JWT verification with JWKS endpoint:

function(accessToken, context, callback) {
const jwt = require(‘jsonwebtoken’);
var jwksClient = require(‘jwks-rsa’);
var client = jwksClient({
timeout: 5000,
jwksUri: ‘https://login.microsoftonline.com/[APP-ID]/discovery/v2.0/keys
});
function getKey(header, callback){
client.getSigningKey(header.kid, function(err, key) {
var signingKey = key.publicKey || key.rsaPublicKey;
callback(null, signingKey);
});
}
jwt.verify(context.id_token, getKey, , function(err, idToken) {
if (err) {
return callback(new Error(err));
}
console.log(“JWT verified!”);
const profile = {
user_id: idToken.oid,
email: idToken.email,
name: idToken.name
};
callback(null, profile);
});
}

NOTE: In the above code, the JWKS endpoint will get called every login attempt through that connection. Please ensure that the JWKS endpoint used is setup for this kind of traffic.

Related References