AzureAD / azure-activedirectory-library-for-js

The code for ADAL.js and ADAL Angular has been moved to the MSAL.js repo. Please open any issues or PRs at the link below.
https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/maintenance/adal-angular
Apache License 2.0

Access token for application id uri #831

Closed MatthewDavidCampbell closed 5 years ago

MatthewDavidCampbell commented 5 years ago

Submitting a question about how to generate an access token for the AD application's id uri.


[ ] Regression (a behavior that used to work and stopped working in a new release)
[ ] Bug report  
[ ] Performance issue
[ ] Feature request
[x] Documentation issue or request
[ ] Other... Please describe:

Browser:

Library Name

Library version: 1.0.17. Working with 1.0.17 and 1.0.16.

Current behavior

Using the adal library (not adal-angular) from Angular 7 injecting the following into the AuthenticationContext:

 clientId, instance, redirectUri, tenant

No problems getting the id token (adal.idtoken key) once the redirect is done (i.e. handleWindowCallback executed). Using the clientId == application id (Azure) as the resource for both the id token and the access token. I wrap this.adal.acquireToken(clientId, (e, t) => {...}) inside an observable indicating that the user has access.

Would like to use the application id uri as the resource when acquiring an access token. There are 2 things that hinder: 1) the _user in the AuthenticationContext is wiped out on redirects (causing acquireToken to bail) and 2) even with oauth2AllowImplicitFlow == true in Azure AD a call for a response type == token fails with "is requesting a token for itself. This scenario is supported only if resource is specified using the GUID based App Identifier". Hindrance 1 can be hacked around. It is the second failure from Azure AD that I don't understand.

Expected behavior

Sifting through the adal.js code it looks like the resource parameter to acquireToken can be something other than the clientId (which is hinted at on the Wiki). In particular the resource could be the application id uri. Is this possible (i.e. hindrance 2)? Even with window refreshing (i.e. hindrance 1)?

Also, the expectation with the access token is that the aud parameter contains the application id uri.

Minimal reproduction of the problem with instructions

Let me know if code is needed here.

sandipbhavsar commented 5 years ago

Please try with passing context object with in acquireToken method

MatthewDavidCampbell commented 5 years ago

@sandipbhavsar What is a context object? Here is a gist: https://gist.github.com/MatthewDavidCampbell/59b321cfe7d5a5baa0536b83a50b7853

Showing what I want to do. And this is the error:

ADAL error occurred: AADSTS90009: Application '64ead90a-2c9e-4475-b632-b033b85d3c8e' is requesting a token for itself. This scenario is supported only if resource is specified using the GUID based App Identifier. Trace ID: 81d8f74f-09df-4e42-8204-0b9b9dc91900 Correlation ID: 6576460a-94f3-4c7c-966e-74e756337f52 Timestamp: 2018-11-15 11:13:57Z

Again, I am not interested in granting an access token for an APP tied to the AD endpoint (e.g. Open Office apps). Just want to grant on the application id uri as hinted by the documentation.

Here is what I think. An application id uri is only applicable if it is for a registered web API or another resource like Microsoft Graph | Office API | etc. In other words, any other associated resource but not the AD endpoint referenced by its application id uri. This isn't a big deal, just unclear in the documentation (i.e. Wiki reference above).

Begs the question of why I would ever want to grant an access token with the AD endpoint's application id uri. Because it is human readable rather than a GUID (==application id). Eases debug of tokens.

navyasric commented 5 years ago

@MatthewDavidCampbell Thank you for pointing out the discrepancy in the documentation. The wiki has been updated to clarify the use of the client's App ID (Guid) as resource when the web API is registered as part of the client with the same app ID as the client.