Build Implicit Flow with Azure AD v1

Q

How to implement the OpenID Implicit Flow with Azure AD v1.0 service?

✍: FYIcenter.com

A

If you want to implement the OpenID Implicit Flow in your Web application to use Azure AD service, you should follow these steps:

1. Building the Azure AD v1.0 Sign-on authentication request:

Register your Web application to the Azure Active Directory where your end users have login credentials. For example, your company's Active Directory hosted in Azure.
Add the URL where your server script is located to the above registration as a "Reply URL". This URL will be used as the "redirect_uri" in the authentication request.
Take the "Application ID" from above registration and use it as the "client_id" in the authentication request.
Set "scope=openid", "response_type=id_token", and "response_mode=form_post" in the authentication request.
Set "nonce" to a random number and cache it in your application. So you can use it to validate the response later.
Set "state" to the current session id of your application, So you can resume the session after the response is validated.

2. Triggering the end user browser to fire the authentication request to https://login.microsoftonline.com/common/oauth2/authorize.

Create a login page, login.html, to display a login button.
When the button is click, call a server side script, login.php.
Create the server side script, login.php, to return a direct HTTP response with the location of https://login.microsoftonline.com/common/oauth2/authorize?... containing all request parameters in the URL as the query string.

3. Letting the end user sign on to the Active Directory - This is controlled by the Azure AD service. Your application is not involved in this step.

4. Validating the authentication response:

Scan the response body for 4 possible parameters: "id_token", "state", "error", and "error_description" in your server side script, which you provided as the "redirect_uri" in the authentication request.
Implement some logic to analyze the error and display some error message page back to the end user, if "error" found.
Verify "state" value, it must be a valid session id in your application. Otherwise, display some error message page back to the end user.
Decode "id_token" and perform validation. See next tutorial on how to validate "id_token".

4. Letting the end user to use your application:

Take the user name, email address, and other profile information decoded from the "id_token" as trusted information.
Record or update the end user profile in your application, if you maintain user profile in database.
Let the end user to use your application.

Here is a diagram from "When To Use Which (OAuth2) Grants and (OIDC) Flows" by Robert Broeckelmann that illustrates nicely about the OpenID Implicit Flow.

⇒ Decode Azure AD v1 id_token

⇐ Dump Azure AD v1 Authentication Response

⇑ Azure AD Integration v1.0

⇑⇑ OpenID Tutorials

2021-05-16, 1622🔥, 0💬

Decode Azure AD v1 id_token
How to decode the id_token value received from Azure AD v1.0 authentication response? According to the "RFC 7519 - JWT (JSON Web Token)" standard, the "id_token" value received from Azure AD authentication response should be decoded as below: Splitting the encoded string into 3 components: Header, B... 2021-05-16, ∼2096🔥, 0💬

Azure AD v1 id_token Decoded Example
Where to find an Azure AD v1.0 id_token decoded example? Here is an example of an "id_token" value returned from Azure AD v1.0 after Base64URL decoded: Header = { "typ": "JWT", "alg": "RS256", "x5t": "i6lGk3FZzxRcUb2C3nEQ7syHJlY", "kid": "i6lGk3FZzxRcUb2C3nEQ7syHJlY" } Body = { "aud": "ef1da9d4-ff77... 2021-05-16, ∼1762🔥, 0💬

Azure AD v1 Error: Invalid Reply URL
Why Azure AD v1.0 display this error message: AADSTS50011: The reply url specified in the request does not match the reply URLsconfigured for the application? The root cause of this error is that you forgot the add the "redirect_uri" in your authentication request to Application ID settings on Azure... 2022-05-01, ∼1741🔥, 0💬

Dump Azure AD v1 Authentication Response
How to build a PHP script to dump Azure AD v1.0 Authentication Response? If you are use the Azure-AD-Authentication-Reques t-Test.htmltest Web form, you need to write a server side script to dump the Azure AD Authentication Response. Here is an example of PHP script, openID_receiver.php, that dumps ... 2022-05-01, ∼1656🔥, 0💬

Build Implicit Flow with Azure AD v1
How to implement the OpenID Implicit Flow with Azure AD v1.0 service? If you want to implement the OpenID Implicit Flow in your Web application to use Azure AD service, you should follow these steps: 1. Building the Azure AD v1.0 Sign-on authentication request: Register your Web application to the A... 2021-05-16, ∼1623🔥, 0💬

Validate Azure AD v1 id_token
How to validate the id_token value received from Azure AD v1.0 authentication response? As you can see from the previous tutorials, you can easily decode the "id_token" value received from Azure AD authentication response using a simple PHP script. After decoding, you can get all information about t... 2021-05-16, ∼1604🔥, 0💬

Validate Azure AD v1 id_token Signature
How to validate the id_token signature received from Azure AD v1.0 authentication response? You can use some existing libraries to perform the Azure AD "id_token" signature validation using libraries of different programming languages as suggested in "Azure Active Directory access tokens" article" .... 2021-05-16, ∼1552🔥, 0💬

Azure AD v1 Authentication Request Test Page
How to build an Azure AD v1.0 Authentication Request Test page? The Authentication Request is the first call to the Azure AD service. You can build a simple Web form page to test different behavior of the Authentication Request. Here is an example, Azure-AD-Authentication-Reques t-Test.html:<... 2022-05-01, ∼1441🔥, 0💬

Process Azure AD v1 Authentication Request
How to the Azure AD v1.0 Sign-On Authentication Request is process by Azure AD service? When Azure AD v1.0 service receives a Sign-On Authentication Request from an end user's Web browser, it will: Verify if the "client_id" value in the request is valid. If not, display an error message page to the ... 2022-05-01, ∼1380🔥, 0💬

All rights in the contents of this web site are reserved by the individual author. fyicenter.com does not guarantee the truthfulness, accuracy, or reliability of any contents.