A Windows Store 8.1 or Windows 10 (UWP) application that uses Azure AD and the ADAL library to authenticate the user and call a web API using OAuth 2.0 access tokens.
Looking at the exchanges in Fiddler, I am seeing that an "id_token" is also included in the response when the app swaps the "code" received after the first call.
Because this is standard OAuth Auth-Code-Grant flow, why is there an "id_token"? (Shouldn't that be there only in the case of OpenID requests?)
I am dumping salient requests and responses below...have truncated most strings and also not included the WS-Fed login messages.
====================================================
GET https://login.windows.net/XYZ.onmicrosoft.com/oauth2/authorize?response_type=code&resource=https%3A%2F%2FXYZ.onmicrosoft.com%2FTodoListService&client_id=2fea...&redirect_uri=ms-app%3A%2F%2Fs-1-15-2-...%2F&client-request-id=fa5...&x-clie... HTTP/1.1
---------------------------------------------------
HTTP/1.1 302 Found
Location: ms-app://s-1-15-2.../?code=AwAB...&session_state=39c...
====================================================
POST https://login.windows.net/acemodaad.onmicrosoft.com/oauth2/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
client-request-id: fa5...
grant_type=authorization_code&code=AwABA...&client_id=2fe...&redirect_uri=ms-app%3A%2F%2Fs-1-15-...%2F&resource=https%3A%2F%2FXYZ.onmicrosoft.com%2FTodoListService
---------------------------------------------------
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
{"token_type":"Bearer","expires_in":"3599","expires_on":"1404553293","resource":"https://XYZ.onmicrosoft.com/TodoListService","access_token":"eyJ0eXAi...","refresh_token":"AwABA...","scope":"user_impersonation","id_token":"eyJ0eX..."}
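The token response above carries two tokens with different consumers: the access_token is addressed to the web API (the `resource`), while the id_token is a JWT addressed to the client app itself. If the app reads anything out of that id_token, it has to check the signature, `iss`, `aud` and `exp` first, exactly as it would for an OpenID Connect response. The following is an added example, not code from the question or from ADAL, that parses a token response shaped like the one above and validates the id_token before returning its claims. All values (tenant id, client_id, key, user) are constructed, and the token is HS256-signed only so the example runs on the standard library; real Azure AD id_tokens are RS256-signed with keys published at the tenant's JWKS endpoint, which a production client would fetch and cache.

```python
"""Parse an Azure AD /oauth2/token response and validate the id_token in it.
Added example with constructed values; not code from the question or from ADAL."""
import base64
import hashlib
import hmac
import json
import time

# Constructed values. Azure AD really signs id_tokens with RS256 and publishes
# the public keys at the tenant's JWKS endpoint; HS256 with a shared key is used
# here only to keep the example self-contained.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"
EXPECTED_ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"  # constructed tenant
EXPECTED_AUDIENCE = "2fea0000-0000-0000-0000-000000000000"  # constructed client_id of the app itself
CONSTRUCTED_CLAIMS = {
    "iss": EXPECTED_ISSUER,
    "aud": EXPECTED_AUDIENCE,
    "exp": 1404553293,  # same epoch as expires_on in the captured response
    "sub": "constructed-user",
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_id_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Build a constructed HS256 JWT so the validator has something realistic to check."""
    header = b64url_encode(json.dumps({"typ": "JWT", "alg": "HS256"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def validate_id_token(token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """Return the claims only if alg, signature, issuer, audience and expiry all check out."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a three-segment JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: never let the token choose (rejects alg=none and key confusion).
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("id_token signature does not verify")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("id_token issuer is not this tenant")
    if claims.get("aud") != audience:
        raise ValueError("id_token was issued to a different client")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("id_token is expired")
    return claims


def is_valid_id_token(token: str, now=None) -> bool:
    """Boolean wrapper around validate_id_token for this app's tenant and client_id."""
    try:
        validate_id_token(token, SIGNING_KEY, EXPECTED_ISSUER, EXPECTED_AUDIENCE, now)
        return True
    except ValueError:
        return False


def parse_token_response(body: str, now=None) -> dict:
    """Pull the access_token out for the API call; validate the id_token if one is present."""
    resp = json.loads(body)
    result = {"access_token": resp["access_token"], "resource": resp.get("resource"), "id_token_claims": None}
    if "id_token" in resp:
        result["id_token_claims"] = validate_id_token(
            resp["id_token"], SIGNING_KEY, EXPECTED_ISSUER, EXPECTED_AUDIENCE, now)
    return result


def constructed_token_response() -> str:
    """A token response shaped like the captured one, with constructed contents."""
    return json.dumps({
        "token_type": "Bearer", "expires_in": "3599", "expires_on": "1404553293",
        "resource": "https://XYZ.onmicrosoft.com/TodoListService",
        "access_token": "eyJ0eXAi...constructed", "refresh_token": "AwABA...constructed",
        "scope": "user_impersonation", "id_token": make_id_token(CONSTRUCTED_CLAIMS),
    })


if __name__ == "__main__":
    print(parse_token_response(constructed_token_response(), now=1404550000))
```

The access_token is treated as opaque here on purpose: it is minted for the TodoListService resource, and the client should neither decode nor validate it, only present it as a Bearer token. The id_token, by contrast, is the one token the client is entitled to inspect, and `validate_id_token` refuses it on a wrong `aud` (a token issued to some other app), a wrong `iss`, an expired `exp`, or a signature that does not verify.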