AzureAD / azure-activedirectory-library-for-js

The code for ADAL.js and ADAL Angular has been moved to the MSAL.js repo. Please open any issues or PRs at the link below.
https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/maintenance/adal-angular
Apache License 2.0

Access token and id_token have the same value when using ADAL. #778

Closed nominds closed 6 years ago

nominds commented 6 years ago

We are using ADAL in our SPA. On accessing the application we are redirected to the AAD login page. However, after successful login we find that both id_token and access_token have the same value.

Which token should be passed as the "Bearer" token? Can the backend, based only on identity (upn), signature and expiry time, allow access to the protected API?

nehaagrawal commented 6 years ago

@nominds When you log in using ADAL, ADAL gives you an id_token and an access_token. Both will have the same value, and this access_token can only be used to call your own APIs (i.e. those hosted on the same domain). To call external APIs (CORS), you need to call the acquire_token() API and it will give you a different access_token. You need to pass the access_token as the 'bearer' token.

nehaagrawal commented 6 years ago

@nominds I hope our answer was helpful. Since this is more of a question than an issue, please use Stack Overflow in future for 'how to' questions. I am closing this for now, but feel free to reopen it in future if you still have an issue.

Tahiche commented 5 years ago

Hi, I believe this is unclear. acquireToken() is supposed to give you the "access_token" to attach to API calls, right? At least when calling an external API... So this issue (https://github.com/AzureAD/azure-activedirectory-library-for-js/issues/629) points out how to get a response of "id_token AND token" via displayCall(). I've managed to do so but I'm encountering some problems... Both "id_token" and "access_token" are saved to localStorage. BUT handleWindowCallback overwrites the correct access_token key with id_access when both are present, which is the case. BTW I also tried to only specify "token" as the response, but id_token is expected (for callbacks and so on) so it seems mandatory.

```javascript
AuthenticationContext.prototype.saveTokenFromHash = function (requestInfo) {
    // ..........
    // THIS IS TRUE: the response from ADFS has access_token
    if (requestInfo.parameters.hasOwnProperty(this.CONSTANTS.ACCESS_TOKEN)) {
        this.info('Fragment has access token');
        // .....
        // save token with related resource
        // THIS IS THE CORRECT ACCESS_TOKEN FROM THE URL HASH.
        this._saveItem(this.CONSTANTS.STORAGE.ACCESS_TOKEN_KEY + resource, requestInfo.parameters[this.CONSTANTS.ACCESS_TOKEN]);
        // ....
    }
    // THIS IS ALSO TRUE !!!
    if (requestInfo.parameters.hasOwnProperty(this.CONSTANTS.ID_TOKEN)) {
        this.info('Fragment has id token');
        // ID_TOKEN IS SAVED
        this._saveItem(this.CONSTANTS.STORAGE.IDTOKEN, requestInfo.parameters[this.CONSTANTS.ID_TOKEN]);

        // Save idtoken as access token for app itself
        resource = this.config.loginResource ? this.config.loginResource : this.config.clientId;
        // ......
        // HERE IT'S OVERWRITING THE PREVIOUSLY SET ACCESS_TOKEN
        this._saveItem(this.CONSTANTS.STORAGE.ACCESS_TOKEN_KEY + resource, requestInfo.parameters[this.CONSTANTS.ID_TOKEN]);
        this._saveItem(this.CONSTANTS.STORAGE.EXPIRATION_KEY + resource, this._user.profile.exp);
    }
};
```

So the access_token is now the id_token, but I requested and got both.

Actually the right access_token is saved to localStorage under "adal.access.token.key", but the "adal.access.token.xxxxxx-resource-xxxxx" key is now the id_token, not the access_token. That's the key retrieved with authContext.getCachedToken() and therefore with authContext.acquireToken(). So the question remains: how do you get the "access_token" to be able to attach it to API calls (Bearer xxx)?

Thanks
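To make the overwrite described above concrete, here is an added model of the two cache writes in the quoted excerpt. It is written for this page and is not ADAL's code: the storage key names follow the constants in the excerpt, the URL fragment, tokens and resource are constructed placeholders, the 300-second expiry offset is assumed from ADAL's documented expireOffsetSeconds default, and the `keepAccessToken` option is a hypothetical switch showing one way to keep the access token when both tokens arrive in the same response.

```javascript
// Added model of ADAL's saveTokenFromHash write order; not the library's code.
const STORAGE = {
  ACCESS_TOKEN_KEY: 'adal.access.token.key',
  EXPIRATION_KEY: 'adal.expiration.key',
  IDTOKEN: 'adal.idtoken',
};

// Implicit-flow responses come back in the URL fragment:
//   #access_token=...&id_token=...&expires_in=3600&state=...
function parseFragment(hash) {
  return Object.fromEntries(new URLSearchParams(hash.replace(/^#/, '')).entries());
}

// Unsigned JWT-shaped token, constructed only so the model has an exp claim to
// read. It carries no real signature and must not be treated as trustworthy.
function fakeJwt(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(claims)}.`;
}

// The client reads exp from the id_token payload for cache bookkeeping only
// (this._user.profile.exp in the excerpt); it is not a trust decision.
function unverifiedExp(jwt) {
  return JSON.parse(Buffer.from(jwt.split('.')[1], 'base64url').toString('utf8')).exp;
}

// cache: a Map standing in for localStorage. keepAccessToken is hypothetical;
// ADAL as quoted has no such switch and always performs the second write.
function saveTokenFromHash(params, cache, config, now, { keepAccessToken = false } = {}) {
  // The login redirect is made for loginResource (or clientId), so both the
  // access_token write and the id_token write land on the same resource key.
  const resource = config.loginResource || config.clientId;

  if (params.access_token) {
    cache.set(STORAGE.ACCESS_TOKEN_KEY + resource, params.access_token);
    cache.set(STORAGE.EXPIRATION_KEY + resource, now + Number(params.expires_in));
  }

  if (params.id_token) {
    cache.set(STORAGE.IDTOKEN, params.id_token);
    // "Save idtoken as access token for app itself": the write that clobbers
    // the access_token stored above when both are present in the fragment.
    if (!(keepAccessToken && params.access_token)) {
      cache.set(STORAGE.ACCESS_TOKEN_KEY + resource, params.id_token);
      cache.set(STORAGE.EXPIRATION_KEY + resource, unverifiedExp(params.id_token));
    }
  }
  return cache;
}

// What getCachedToken(resource), and so acquireToken(resource), hands back:
// the cached value unless it expires inside the offset window.
function getCachedToken(cache, resource, now, expireOffsetSeconds = 300) {
  const token = cache.get(STORAGE.ACCESS_TOKEN_KEY + resource);
  const exp = cache.get(STORAGE.EXPIRATION_KEY + resource);
  if (!token || !exp || exp <= now + expireOffsetSeconds) return null;
  return token;
}

function demo() {
  const now = 1700000000;
  const config = { clientId: 'spa-client-id', loginResource: 'https://api.example.com' };
  const idToken = fakeJwt({ aud: config.clientId, upn: 'alice@example.com', exp: now + 3600 });
  // Constructed fragment carrying both tokens, as in the displayCall() case above.
  const hash = `#access_token=AT-for-api&id_token=${idToken}&expires_in=3600&state=abc123`;
  const params = parseFragment(hash);

  const shipped = saveTokenFromHash(params, new Map(), config, now);
  const patched = saveTokenFromHash(params, new Map(), config, now, { keepAccessToken: true });

  return {
    idToken,
    shippedBearer: getCachedToken(shipped, config.loginResource, now),
    patchedBearer: getCachedToken(patched, config.loginResource, now),
    shippedIdToken: shipped.get(STORAGE.IDTOKEN),
  };
}
```

With the write order as quoted, `shippedBearer` is the id_token, which is exactly what acquireToken() then attaches as Bearer to the API call; with the hypothetical switch the resource key keeps the access token and the id_token survives only under its own key. Whatever the client does, the API should still reject the id_token on audience, since its aud is the SPA's client ID rather than the API.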