Azure supports OpenID Connect (OIDC) and OAuth 2.0 protocols for secure authentication and authorization for applications. OpenID Connect is an authentication layer built on top of the OAuth 2.0 protocol, allowing users to securely log in to applications. It uses JSON Web Tokens (JWT) to pass identity and authorization information between the client, the identity provider (IdP), and the resource server.
In this guide, we’ll go over the authentication process using Azure OpenID Connect and OAuth 2.0, focusing on the steps, HTTP requests and responses, JWT token contents, and an example of using Facebook as an Identity Provider (IdP).
1. Overview of OpenID Connect and OAuth 2.0 in Azure
Key Concepts in OpenID Connect and OAuth 2.0
- Identity Provider (IdP): Authenticates users and issues access tokens (e.g., Azure AD or Facebook).
- Client/Application: The application that needs to authenticate users or access resources.
- Authorization Server: The server that issues tokens (Azure AD or Facebook).
- Resource Server: The API or application that the user or client wants to access.
- Tokens:
- Access Token: Grants access to resources, issued after authentication.
- ID Token: Used specifically for authentication in OpenID Connect, contains user identity information.
JWT (JSON Web Token)
Both ID and access tokens are JWTs, which are JSON objects signed by the IdP and include the following sections:
- Header: Specifies the algorithm used to sign the token.
- Payload: Contains claims (e.g., user info, expiration).
- Signature: Verifies the integrity of the token.
2. Authentication and Authorization Flow Using OpenID Connect and OAuth 2.0
The following steps outline the Azure OpenID Connect and OAuth 2.0 flow, where Azure AD is the IdP:
Step 1: Register the Application in Azure AD
- Go to Azure AD:
- Log into the Azure portal.
- Navigate to Azure Active Directory > App registrations > New registration.
- Configure Redirect URI:
- Set the Redirect URI where Azure AD will send the token after authentication (e.g., https://yourapp.com/callback).
- Get Client ID and Secret:
- After registration, note the Client ID and create a Client Secret under Certificates & Secrets.
- API Permissions:
- Add Microsoft Graph permissions (or other relevant permissions) to enable access to user info.
Step 2: Obtain Authorization Code (User Login)
The client application requests authorization to access resources by redirecting the user to Azure AD’s authorization endpoint with the following parameters.
HTTP GET Request to Authorization Endpoint
GET https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/authorize
Parameters:
- client_id: The application’s Client ID.
- response_type: Set to code to request an authorization code.
- redirect_uri: The URI where Azure AD sends the user after authorization.
- scope: The permissions the app is requesting (e.g., openid profile email).
- state: An optional parameter to maintain application state; the app should generate an unguessable value per login and verify it on the callback, which also protects the callback against CSRF.
Sample Request
GET https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/authorize?
client_id=your_client_id&
response_type=code&
redirect_uri=https://yourapp.com/callback&
scope=openid%20profile%20email&
state=12345
The user is redirected to the Azure AD login page to authenticate.
Step 3: Exchange Authorization Code for Tokens
Once the user authenticates, Azure AD redirects them to the specified redirect_uri with an authorization code. The application exchanges this code for an access token and ID token.
HTTP POST Request to Token Endpoint
POST https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded
Parameters:
- grant_type: authorization_code
- client_id: The application’s Client ID.
- client_secret: The application’s Client Secret.
- code: The authorization code received from Azure AD.
- redirect_uri: Must match the one used in Step 2.
Sample Request
POST https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token
client_id=your_client_id&
client_secret=your_client_secret&
grant_type=authorization_code&
code=authorization_code_received&
redirect_uri=https://yourapp.com/callback
Sample Response
The response includes both ID Token and Access Token:
{
"token_type": "Bearer",
"expires_in": 3600,
"access_token": "eyJ0eXAiOiJKV1QiLCJh...<snip>...hCWw",
"id_token": "eyJ0eXAiOiJKV1QiLCJh...<snip>...MtUw"
}
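The Step 2 authorize request and the Step 3 callback and token request, as an added Python example that is not part of the original guide. The tenant, client ID, secret and redirect URI are placeholders; the state value is generated per login and checked on return so that a callback the app did not start is rejected, and the urlencode call percent-encodes the space-delimited scope for you.

```python
# Added example (not from the original guide): build the Step 2 authorize URL, check the
# Step 3 callback, and build the Step 3 token request body. Tenant, client id, secret and
# redirect URI are placeholders supplied by the caller.
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORITY = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0"

def build_authorize_url(tenant, client_id, redirect_uri, scopes, state):
    # scope is space-delimited; urlencode percent-encodes the spaces
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{AUTHORITY.format(tenant=tenant)}/authorize?{urlencode(params)}"

def new_state():
    # Unguessable per-login value; store it in the user's session before redirecting
    return secrets.token_urlsafe(32)

def parse_callback(callback_url, expected_state):
    """Return the authorization code, or raise ValueError if the callback cannot be trusted."""
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        raise ValueError(f"authorization failed: {qs['error'][0]}")
    if qs.get("state", [None])[0] != expected_state:
        # A missing or mismatched state means this callback was not started by our session
        raise ValueError("state mismatch")
    if "code" not in qs:
        raise ValueError("no authorization code in callback")
    return qs["code"][0]

def token_request_body(client_id, client_secret, code, redirect_uri):
    """Form body for the Step 3 POST to /token (application/x-www-form-urlencoded)."""
    return urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,  # must match the one used in the authorize request
    })
```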
Step 4: Decode and Use the Tokens
- ID Token: Contains user information such as sub (user ID), name, email and exp (expiration). Before trusting any of these claims, validate the token’s signature against Azure AD’s published signing keys and check the iss, aud and exp claims; decoding alone proves nothing about who issued the token.
- Access Token: Grants access to specified resources.
Example Decoded ID Token
{
"aud": "your_client_id",
"iss": "https://login.microsoftonline.com/{tenant-id}/v2.0",
"iat": 1618709341,
"exp": 1618712941,
"name": "John Doe",
"email": "johndoe@example.com",
"sub": "dXNlcmlkX2luZm8=",
"preferred_username": "johndoe"
}
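The validation checks for the decoded ID token above, as an added Python example that is not part of the original guide. Azure AD signs tokens with RS256 keys published at its JWKS endpoint; so that the example runs offline with the standard library only, the signer is stood in by an HMAC (HS256) key, and the tenant and client ID are placeholders. The signature, issuer, audience and expiry checks are the same either way.

```python
# Added example (not from the original guide): verify an ID token before using its claims.
# Assumption: HS256 with a shared key stands in for Azure AD's RS256 JWKS signing key so
# the example runs offline; tenant and client id are placeholders.
import base64, hashlib, hmac, json, time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    """Stand-in issuer: mint a compact JWT (header.payload.signature)."""
    header = _b64url(json.dumps({"typ": "JWT", "alg": "HS256"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate_id_token(token: str, key: bytes, tenant: str, client_id: str, now=None) -> dict:
    """Return the verified claims, or raise ValueError. A decoded-only token is never trusted."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # pin the expected algorithm instead of trusting the header
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):  # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != f"https://login.microsoftonline.com/{tenant}/v2.0":
        raise ValueError("wrong issuer")
    if claims.get("aud") != client_id:  # a token minted for another app must not log in here
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    if "sub" not in claims:
        raise ValueError("missing subject")
    return claims
```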
Step 5: Use Access Token to Access Resource API
The application includes the access token in the Authorization header to access APIs (such as Microsoft Graph).
HTTP GET Request to Resource API
GET https://graph.microsoft.com/v1.0/me
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJh...<snip>...hCWw
3. Example: Authentication Using Facebook as an Identity Provider (IdP)
Azure AD can support third-party IdPs like Facebook for authentication using OAuth 2.0.
Step 1: Register Application with Facebook
- Go to Facebook for Developers:
- Go to Facebook Developers and create a new app.
- Set the OAuth Redirect URI (e.g., https://yourapp.com/auth/facebook/callback).
- Get the App ID and App Secret.
Step 2: Configure Facebook as an IdP in Azure AD
- Add Identity Provider:
- In Azure AD B2C > Identity Providers, select Facebook.
- Enter the App ID and App Secret.
Step 3: Redirect User to Facebook for Authentication
Redirect the user to Facebook’s authorization endpoint with required parameters.
HTTP GET Request to Facebook Authorization Endpoint
GET https://www.facebook.com/v9.0/dialog/oauth?
client_id=your_facebook_app_id&
redirect_uri=https://yourapp.com/auth/facebook/callback&
state=12345&
scope=email
Step 4: Exchange Facebook Code for Access Token
When Facebook redirects back with an authorization code, exchange it for an access token.
HTTP POST Request to Facebook Token Endpoint
POST https://graph.facebook.com/v9.0/oauth/access_token
Content-Type: application/x-www-form-urlencoded
Parameters:
- client_id: Your Facebook App ID.
- client_secret: Your Facebook App Secret.
- redirect_uri: The same redirect URI as above.
- code: The authorization code from Facebook.
Sample Response
{
"access_token": "facebook_user_access_token",
"token_type": "Bearer",
"expires_in": 5184000
}
Step 5: Access Facebook User Profile with Access Token
Use the Facebook access token to get the user’s profile.
HTTP GET Request to Facebook User Profile API
GET https://graph.facebook.com/me?fields=id,name,email
Authorization: Bearer facebook_user_access_token
Sample Response
{
"id": "1234567890",
"name": "John Doe",
"email": "johndoe@example.com"
}
Final Thoughts
This process shows how to implement Azure OpenID Connect and OAuth 2.0 for secure, token-based authentication, with Azure AD or Facebook as IdPs. OpenID Connect provides authentication (user login), while OAuth 2.0 authorizes resource access. This combination offers a powerful, flexible solution for SSO and authorization in multi-application environments.
