Access Token signature invalid with Microsoft Entra

Today I’ve learned something new about implementing OIDC with Microsoft Entra. Microsoft Entra is the new name for Azure Active Directory. Let me preface this by saying that I’m no expert in OIDC or OAuth2.0.

We’re in the middle of migrating authentication providers and using Microsoft Entra (formerly Azure Active Directory) to log in to our SaaS with OIDC. On the backend, we simply changed the JWKS URL and everything was good. But issuing a valid token turned out to be harder than originally thought. When requesting access tokens, we were never able to validate them. The ID token validated just fine, but the access token always failed signature validation.

As it turns out, you need to request an additional scope called [client_id]/.default, where you replace [client_id] with the client ID of the application you configured in Entra ID. I don’t really understand why you need to do this or why Microsoft chose to go this way. It feels nonconforming to standards. While it’s not that hard to google the problem and find a solution, it took me a bit to fall back to googling because I thought we were validating against an incorrect JWKS or making some other dumb user error.
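As an added example (not code from the original post), here is a small stdlib-only Python helper that does two things: it builds the token request with the `[client_id]/.default` scope described above, and it inspects an access token before the real signature check to show why validation against our own JWKS can fail. The pre-flight decode looks at the two things that distinguish a token addressed to us from one issued for some other resource: whether the header's `kid` appears in the JWKS we fetched, and whether `aud` names our application. The parameter names, the expected audience value and the sample token are assumptions constructed for the example; the signature itself is still verified afterwards by whatever JWT library the backend uses.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url (the JWT segment encoding)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_token_request(client_id: str, client_secret: str, code: str, redirect_uri: str) -> dict:
    """Form parameters for the Entra token endpoint (authorization-code grant).

    The scope is the point of the post: '<client_id>/.default' (plus 'openid'
    for the ID token) makes Entra issue an access token addressed to our own
    application rather than to another resource.
    """
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,
        "scope": f"openid {client_id}/.default",
    }


def diagnose_access_token(token: str, jwks: dict, expected_aud: str, expected_iss: str) -> list:
    """Inspect a JWT WITHOUT verifying it and report why a signature check
    against our JWKS would fail. Returns a list of findings; an empty list
    means the token names us as audience and references a key we hold, so
    the JWT library's real verification (RS256 against the JWKS) is next.
    """
    header_b64, payload_b64, _signature = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(payload_b64))
    findings = []

    known_kids = {k.get("kid") for k in jwks.get("keys", [])}
    if header.get("kid") not in known_kids:
        findings.append(f"kid {header.get('kid')!r} is not in the JWKS we fetched")

    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if expected_aud not in aud_list:
        findings.append(
            f"aud {aud_list} is not our application ({expected_aud!r}); "
            "request the '<client_id>/.default' scope"
        )

    if claims.get("iss") != expected_iss:
        findings.append(f"iss {claims.get('iss')!r} is not the expected issuer")

    return findings


def make_unsigned_token(header: dict, claims: dict) -> str:
    """Constructed sample: a JWT with an empty signature segment, used only to
    feed diagnose_access_token(); it is not a token Entra issued."""
    return ".".join((b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(claims).encode()), ""))


# Constructed sample data (placeholders, not real tenant values).
APP_ID = "00000000-0000-0000-0000-000000000001"
ISSUER = "https://login.microsoftonline.com/<tenant-id>/v2.0"
OUR_JWKS = {"keys": [{"kid": "our-key-1", "kty": "RSA", "use": "sig"}]}


def run_example() -> tuple:
    """Compare a token issued for our app with one issued for another resource."""
    good = make_unsigned_token({"alg": "RS256", "kid": "our-key-1"},
                               {"aud": APP_ID, "iss": ISSUER})
    other = make_unsigned_token({"alg": "RS256", "kid": "some-other-key"},
                                {"aud": "another-resource", "iss": ISSUER})
    return (diagnose_access_token(good, OUR_JWKS, APP_ID, ISSUER),
            diagnose_access_token(other, OUR_JWKS, APP_ID, ISSUER))


if __name__ == "__main__":
    print(build_token_request(APP_ID, "<secret>", "<code>", "https://app.example/callback")["scope"])
    for findings in run_example():
        print(findings or "no findings; proceed to signature verification")
```

Running the diagnostic against the token that failed would have pointed straight at the audience and key mismatch instead of the JWKS URL, which is where the post's author first looked.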

Microsoft has a whole section on the .default scope in its documentation, but it doesn’t really help me figure out the reasons for it. Anyway, I learned something new today.