Azure AD token absent in link API response
-
We are using Azure AD as an external identity provider via the OIDC integration, which works great and users are authenticated as expected, happy days.
We have recently, however, had a customer request that would require us to retrieve the access token returned from Azure AD for further processing. We can see from the debug logs that the access token is returned from Azure AD, but using the Retrieve a Link API yields an empty token property in the response in all instances. While the API documentation does say that the token may not be available in all cases, other documentation specifically for the Azure AD OIDC integration details a token storage step in the authentication flow. Have we misinterpreted the documentation here, or should the token be available?
-
@stefan-0 Are you getting the user-id from the Retrieve a Link API call? That can tell me if you are making the API call successfully. I may be missing something, but I think the Retrieve a Link returns information about the Identity Provider. I don't think that will get you the token. Am I missing something? You may want to take a look at Complete an OpenID Connect Login.
-
@mark-robustelli thanks for the response, I didn't see it at the time, hence the rather slow reply. I was using the version of Retrieve a Link that takes IDP id and FusionAuth user ID. The response to that call contains non-null, non-empty values for all the following properties nested within an array of `identityProviderLink` instances:

- displayName
- identityProviderId
- identityProviderName
- identityProviderType
- identityProviderUserId
- insertInstant
- lastLoginInstant
- tenantId
- userId

The only field returned with a consistently blank string value is `identityProviderLink.token`. This is documented as containing "The token returned from the identity provider". I guess that could mean any of a number of tokens, but I assumed it to mean the access token response? Debug logs show an AAD Access Token Response structure that contains populated values for `access_token` and `id_token`.

We are using themed versions of the FusionAuth login pages, though we're also using idp hints on the login URL to bypass the login forms in the instance where a user is authenticated by a 3rd party IDP.