{"id":4745,"date":"2023-05-01T12:18:19","date_gmt":"2023-05-01T19:18:19","guid":{"rendered":"https:\/\/SUMMALAI.COM\/?p=4745"},"modified":"2023-05-01T12:18:20","modified_gmt":"2023-05-01T19:18:20","slug":"how-to-find-the-openid-configuration-document-uri-from-azure","status":"publish","type":"post","link":"https:\/\/SUMMALAI.COM\/?p=4745","title":{"rendered":"How to Find the OpenID configuration document URI from Azure"},"content":{"rendered":"\n<p>Every app registration in Azure AD is provided a publicly accessible endpoint that serves its OpenID configuration document. To determine the URI of the configuration document&#8217;s endpoint for your app, append the&nbsp;<em>well-known OpenID configuration<\/em>&nbsp;path to your app registration&#8217;s&nbsp;<em>authority URL<\/em>.<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Well-known configuration document path:&nbsp;<code>\/.well-known\/openid-configuration<\/code><\/li><li>Authority URL:&nbsp;<code>https:\/\/login.microsoftonline.com\/{tenant}\/v2.0<\/code><\/li><\/ul>\n\n\n\n<p>The value of&nbsp;<code>{tenant}<\/code>&nbsp;varies based on the application&#8217;s sign-in audience as shown in the following table. 
The authority URL also varies by&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/develop\/authentication-national-cloud#azure-ad-authentication-endpoints\">cloud instance<\/a>.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Value<\/th><th>Description<\/th><\/tr><\/thead><tbody><tr><td><code>common<\/code><\/td><td>Users with both a personal Microsoft account and a work or school account from Azure AD can sign in to the application.<\/td><\/tr><tr><td><code>organizations<\/code><\/td><td>Only users with work or school accounts from Azure AD can sign in to the application.<\/td><\/tr><tr><td><code>consumers<\/code><\/td><td>Only users with a personal Microsoft account can sign in to the application.<\/td><\/tr><tr><td><code>8eaef023-2b34-4da1-9baa-8bc8c9d6a490<\/code>&nbsp;or&nbsp;<code>contoso.onmicrosoft.com<\/code><\/td><td>Only users from a specific Azure AD tenant (directory members with a work or school account or directory guests with a personal Microsoft account) can sign in to the application.<br><br>The value can be the domain name of the Azure AD tenant or the tenant ID in GUID format. 
You can also use the consumer tenant GUID,&nbsp;<code>9188040d-6c67-4c5b-b112-36a304b66dad<\/code>, in place of&nbsp;<code>consumers<\/code>.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><strong>Tip<\/strong><\/p>\n\n\n\n<p>Note that when using the&nbsp;<code>common<\/code>&nbsp;or&nbsp;<code>consumers<\/code>&nbsp;authority for personal Microsoft accounts, the consuming resource application must be configured to support such types of accounts in accordance with&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/develop\/supported-accounts-validation\">signInAudience<\/a>.<\/p>\n\n\n\n<p>To find the OIDC configuration document, open the&nbsp;<a href=\"https:\/\/portal.azure.com\/\">Azure portal<\/a>&nbsp;and then:<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>Select&nbsp;<strong>Azure Active Directory<\/strong>&nbsp;&gt;&nbsp;<strong>App registrations<\/strong>&nbsp;&gt;&nbsp;<em>&lt;your application&gt;<\/em>&nbsp;&gt;&nbsp;<strong>Endpoints<\/strong>.<\/li><li>Locate the URI under&nbsp;<strong>OpenID Connect metadata document<\/strong>.<\/li><\/ol>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"sample-request\">Sample request<\/h3>\n\n\n\n<p>The following request gets the OpenID configuration metadata from the&nbsp;<code>common<\/code>&nbsp;authority&#8217;s OpenID configuration document endpoint on the Azure public cloud:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>GET \/common\/v2.0\/.well-known\/openid-configuration\nHost: login.microsoftonline.com\n<\/code><\/pre>\n\n\n\n<p><strong>Tip<\/strong><\/p>\n\n\n\n<p>Try it! 
To see the OpenID configuration document for an application&#8217;s&nbsp;<code>common<\/code>&nbsp;authority, navigate to&nbsp;<a href=\"https:\/\/login.microsoftonline.com\/common\/v2.0\/.well-known\/openid-configuration\">https:\/\/login.microsoftonline.com\/common\/v2.0\/.well-known\/openid-configuration<\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"sample-response\">Sample response<\/h3>\n\n\n\n<p>The configuration metadata is returned in JSON format as shown in the following example (truncated for brevity). The metadata returned in the JSON response is described in detail in the&nbsp;<a href=\"https:\/\/openid.net\/specs\/openid-connect-discovery-1_0.html#rfc.section.4.2\">OpenID Connect 1.0 discovery specification<\/a>.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>{\n  \"authorization_endpoint\": \"https:\/\/login.microsoftonline.com\/{tenant}\/oauth2\/v2.0\/authorize\",\n  \"token_endpoint\": \"https:\/\/login.microsoftonline.com\/{tenant}\/oauth2\/v2.0\/token\",\n  \"token_endpoint_auth_methods_supported\": [\n    \"client_secret_post\",\n    \"private_key_jwt\"\n  ],\n  \"jwks_uri\": \"https:\/\/login.microsoftonline.com\/{tenant}\/discovery\/v2.0\/keys\",\n  \"userinfo_endpoint\": \"https:\/\/graph.microsoft.com\/oidc\/userinfo\",\n  \"subject_types_supported\": [\n    \"pairwise\"\n  ],\n  ...\n}\n<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"send-the-sign-in-request\">Send the sign-in request<\/h2>\n\n\n\n<p>To authenticate a user and request an ID token for use in your application, direct their user-agent to the Microsoft identity platform&#8217;s&nbsp;<em>\/authorize<\/em>&nbsp;endpoint. 
The request is similar to the first leg of the&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/develop\/v2-oauth2-auth-code-flow\">OAuth 2.0 authorization code flow<\/a>&nbsp;but with these distinctions:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Include the&nbsp;<code>openid<\/code>&nbsp;scope in the&nbsp;<code>scope<\/code>&nbsp;parameter.<\/li><li>Specify&nbsp;<code>code<\/code>&nbsp;in the&nbsp;<code>response_type<\/code>&nbsp;parameter.<\/li><li>Include the&nbsp;<code>nonce<\/code>&nbsp;parameter.<\/li><\/ul>\n\n\n\n<p>Example sign-in request (line breaks included only for readability):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>GET https:\/\/login.microsoftonline.com\/{tenant}\/oauth2\/v2.0\/authorize?\nclient_id=6731de76-14a6-49ae-97bc-6eba6914391e\n&amp;response_type=id_token\n&amp;redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F\n&amp;response_mode=form_post\n&amp;scope=openid\n&amp;state=12345\n&amp;nonce=678910\n<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Parameter<\/th><th>Condition<\/th><th>Description<\/th><\/tr><\/thead><tbody><tr><td><code>tenant<\/code><\/td><td>Required<\/td><td>You can use the&nbsp;<code>{tenant}<\/code>&nbsp;value in the path of the request to control who can sign in to the application. The allowed values are&nbsp;<code>common<\/code>,&nbsp;<code>organizations<\/code>,&nbsp;<code>consumers<\/code>, and tenant identifiers. For more information, see&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/develop\/active-directory-v2-protocols#endpoints\">protocol basics<\/a>. 
Critically, for guest scenarios where you sign a user from one tenant into another tenant, you&nbsp;<em>must<\/em>&nbsp;provide the tenant identifier to correctly sign them into the resource tenant.<\/td><\/tr><tr><td><code>client_id<\/code><\/td><td>Required<\/td><td>The&nbsp;<strong>Application (client) ID<\/strong>&nbsp;that the&nbsp;<a href=\"https:\/\/go.microsoft.com\/fwlink\/?linkid=2083908\">Azure portal \u2013 App registrations<\/a>&nbsp;experience assigned to your app.<\/td><\/tr><tr><td><code>response_type<\/code><\/td><td>Required<\/td><td>Must include&nbsp;<code>code<\/code>&nbsp;for OpenID Connect sign-in.<\/td><\/tr><tr><td><code>redirect_uri<\/code><\/td><td>Recommended<\/td><td>The redirect URI of your app, where authentication responses can be sent and received by your app. It must exactly match one of the redirect URIs you registered in the portal, except that it must be URL-encoded. If not present, the endpoint will pick one registered&nbsp;<code>redirect_uri<\/code>&nbsp;at random to send the user back to.<\/td><\/tr><tr><td><code>scope<\/code><\/td><td>Required<\/td><td>A space-separated list of scopes. For OpenID Connect, it must include the scope&nbsp;<code>openid<\/code>, which translates to the&nbsp;<strong>Sign you in<\/strong>&nbsp;permission in the consent UI. You might also include other scopes in this request for requesting consent.<\/td><\/tr><tr><td><code>nonce<\/code><\/td><td>Required<\/td><td>A value generated and sent by your app in its request for an ID token. The same&nbsp;<code>nonce<\/code>&nbsp;value is included in the ID token returned to your app by the Microsoft identity platform. To mitigate token replay attacks, your app should verify the&nbsp;<code>nonce<\/code>&nbsp;value in the ID token is the same value it sent when requesting the token. 
The value is typically a unique, random string.<\/td><\/tr><tr><td><code>response_mode<\/code><\/td><td>Recommended<\/td><td>Specifies the method that should be used to send the resulting authorization code back to your app. Can be&nbsp;<code>form_post<\/code>&nbsp;or&nbsp;<code>fragment<\/code>. For web applications, we recommend using&nbsp;<code>response_mode=form_post<\/code>, to ensure the most secure transfer of tokens to your application.<\/td><\/tr><tr><td><code>state<\/code><\/td><td>Recommended<\/td><td>A value included in the request that also will be returned in the token response. It can be a string of any content you want. A randomly generated unique value typically is used to&nbsp;<a href=\"https:\/\/tools.ietf.org\/html\/rfc6749#section-10.12\">prevent cross-site request forgery attacks<\/a>. The state also is used to encode information about the user&#8217;s state in the app before the authentication request occurred, such as the page or view the user was on.<\/td><\/tr><tr><td><code>prompt<\/code><\/td><td>Optional<\/td><td>Indicates the type of user interaction that is required. The only valid values at this time are&nbsp;<code>login<\/code>,&nbsp;<code>none<\/code>,&nbsp;<code>consent<\/code>, and&nbsp;<code>select_account<\/code>. The&nbsp;<code>prompt=login<\/code>&nbsp;claim forces the user to enter their credentials on that request, which negates single sign-on. The&nbsp;<code>prompt=none<\/code>&nbsp;parameter is the opposite, and should be paired with a&nbsp;<code>login_hint<\/code>&nbsp;to indicate which user must be signed in. These parameters ensure that the user isn&#8217;t presented with any interactive prompt at all. If the request can&#8217;t be completed silently via single sign-on, the Microsoft identity platform returns an error. Causes include no signed-in user, the hinted user isn&#8217;t signed in, or multiple users are signed in but no hint was provided. 
The&nbsp;<code>prompt=consent<\/code>&nbsp;claim triggers the OAuth consent dialog after the user signs in. The dialog asks the user to grant permissions to the app. Finally,&nbsp;<code>select_account<\/code>&nbsp;shows the user an account selector, negating silent SSO but allowing the user to pick which account they intend to sign in with, without requiring credential entry. You can&#8217;t use both&nbsp;<code>login_hint<\/code>&nbsp;and&nbsp;<code>select_account<\/code>.<\/td><\/tr><tr><td><code>login_hint<\/code><\/td><td>Optional<\/td><td>You can use this parameter to pre-fill the username and email address field of the sign-in page for the user, if you know the username ahead of time. Often, apps use this parameter during reauthentication, after already extracting the&nbsp;<code>login_hint<\/code>&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/develop\/active-directory-optional-claims\">optional claim<\/a>&nbsp;from an earlier sign-in.<\/td><\/tr><tr><td><code>domain_hint<\/code><\/td><td>Optional<\/td><td>The realm of the user in a federated directory. This skips the email-based discovery process that the user goes through on the sign-in page, for a slightly more streamlined user experience. For tenants that are federated through an on-premises directory like AD FS, this often results in a seamless sign-in because of the existing login session.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>At this point, the user is prompted to enter their credentials and complete the authentication. The Microsoft identity platform verifies that the user has consented to the permissions indicated in the&nbsp;<code>scope<\/code>&nbsp;query parameter. If the user hasn&#8217;t consented to any of those permissions, the Microsoft identity platform prompts the user to consent to the required permissions. 
You can read more about&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/develop\/v2-permissions-and-consent\">permissions, consent, and multi-tenant apps<\/a>.<\/p>\n\n\n\n<p>After the user authenticates and grants consent, the Microsoft identity platform returns a response to your app at the indicated redirect URI by using the method specified in the&nbsp;<code>response_mode<\/code>&nbsp;parameter.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"successful-response\">Successful response<\/h3>\n\n\n\n<p>A successful response when you use&nbsp;<code>response_mode=form_post<\/code>&nbsp;is similar to:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>POST \/myapp\/ HTTP\/1.1\nHost: localhost\nContent-Type: application\/x-www-form-urlencoded\n\nid_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik1uQ19WWmNB...&amp;state=12345\n<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Parameter<\/th><th>Description<\/th><\/tr><\/thead><tbody><tr><td><code>id_token<\/code><\/td><td>The ID token that the app requested. You can use the&nbsp;<code>id_token<\/code>&nbsp;parameter to verify the user&#8217;s identity and begin a session with the user. For more information about ID tokens and their contents, see the&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/develop\/id-tokens\">ID token reference<\/a>.<\/td><\/tr><tr><td><code>state<\/code><\/td><td>If a&nbsp;<code>state<\/code>&nbsp;parameter is included in the request, the same value should appear in the response. 
The app should verify that the state values in the request and response are identical.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"error-response\">Error response<\/h3>\n\n\n\n<p>Error responses might also be sent to the redirect URI so the app can handle them, for example:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>POST \/myapp\/ HTTP\/1.1\nHost: localhost\nContent-Type: application\/x-www-form-urlencoded\n\nerror=access_denied&amp;error_description=the+user+canceled+the+authentication\n<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Parameter<\/th><th>Description<\/th><\/tr><\/thead><tbody><tr><td><code>error<\/code><\/td><td>An error code string that you can use to classify types of errors that occur, and to react to errors.<\/td><\/tr><tr><td><code>error_description<\/code><\/td><td>A specific error message that can help you identify the root cause of an authentication error.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"error-codes-for-authorization-endpoint-errors\">Error codes for authorization endpoint errors<\/h3>\n\n\n\n<p>The following table describes error codes that can be returned in the&nbsp;<code>error<\/code>&nbsp;parameter of the error response:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Error code<\/th><th>Description<\/th><th>Client action<\/th><\/tr><\/thead><tbody><tr><td><code>invalid_request<\/code><\/td><td>Protocol error like a missing required parameter.<\/td><td>Fix and resubmit the request. 
This development error should be caught during application testing.<\/td><\/tr><tr><td><code>unauthorized_client<\/code><\/td><td>The client application can&#8217;t request an authorization code.<\/td><td>This error can occur when the client application isn&#8217;t registered in Azure AD or isn&#8217;t added to the user&#8217;s Azure AD tenant. The application can prompt the user with instructions to install the application and add it to Azure AD.<\/td><\/tr><tr><td><code>access_denied<\/code><\/td><td>The resource owner denied consent.<\/td><td>The client application can notify the user that it can&#8217;t proceed unless the user consents.<\/td><\/tr><tr><td><code>unsupported_response_type<\/code><\/td><td>The authorization server doesn&#8217;t support the response type in the request.<\/td><td>Fix and resubmit the request. This development error should be caught during application testing.<\/td><\/tr><tr><td><code>server_error<\/code><\/td><td>The server encountered an unexpected error.<\/td><td>Retry the request. These errors can result from temporary conditions. The client application might explain to the user that its response is delayed because of a temporary error.<\/td><\/tr><tr><td><code>temporarily_unavailable<\/code><\/td><td>The server is temporarily too busy to handle the request.<\/td><td>Retry the request. The client application might explain to the user that its response is delayed because of a temporary condition.<\/td><\/tr><tr><td><code>invalid_resource<\/code><\/td><td>The target resource is invalid because it doesn&#8217;t exist, Azure AD can&#8217;t find it, or it&#8217;s configured incorrectly.<\/td><td>This error indicates that the resource, if it exists, hasn&#8217;t been configured in the tenant. 
The application can prompt the user with instructions for installing the application and adding it to Azure AD.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"validate-the-id-token\">Validate the ID token<\/h2>\n\n\n\n<p>Receiving an ID token in your app might not always be sufficient to fully authenticate the user. You might also need to validate the ID token&#8217;s signature and verify its claims per your app&#8217;s requirements. As with all OpenID providers, the Microsoft identity platform&#8217;s ID tokens are&nbsp;<a href=\"https:\/\/tools.ietf.org\/html\/rfc7519\">JSON Web Tokens (JWTs)<\/a>&nbsp;signed by using public key cryptography.<\/p>\n\n\n\n<p>Web apps and web APIs that use ID tokens for authorization must validate them because such applications get access to data. Other types of applications might not benefit from ID token validation, however. Native and single-page apps (SPAs), for example, rarely benefit from ID token validation because any entity with physical access to the device or browser can potentially bypass the validation.<\/p>\n\n\n\n<p>Two examples of token validation bypass are:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Providing fake tokens or keys by modifying network traffic to the device.<\/li><li>Debugging the application and stepping over the validation logic during program execution.<\/li><\/ul>\n\n\n\n<p>If you validate ID tokens in your application, we recommend&nbsp;<em>not<\/em>&nbsp;doing so manually. Instead, use a token validation library to parse and validate tokens. 
Token validation libraries are available for most development languages, frameworks, and platforms.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"what-to-validate-in-an-id-token\">What to validate in an ID token<\/h3>\n\n\n\n<p>In addition to validating the ID token&#8217;s signature, you should validate several of its claims as described in&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/develop\/id-tokens#validating-an-id-token\">Validating an ID token<\/a>&nbsp;in the&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/develop\/id-tokens\">ID token reference<\/a>. Also see&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/develop\/active-directory-signing-key-rollover\">Important information about signing key-rollover<\/a>.<\/p>\n\n\n\n<p>Several other validations are common and vary by application scenario, including:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Ensuring the user\/organization has signed up for the app.<\/li><li>Ensuring the user has proper authorization\/privileges.<\/li><li>Ensuring a certain strength of authentication has occurred, such as&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/authentication\/concept-mfa-howitworks\">multi-factor authentication<\/a>.<\/li><\/ul>\n\n\n\n<p>Once you&#8217;ve validated the ID token, you can begin a session with the user and use the information in the token&#8217;s claims for app personalization, display, or for storing their data.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"protocol-diagram-access-token-acquisition\">Protocol diagram: Access token 
acquisition<\/h2>\n\n\n\n<p>Many applications need not only to sign in a user, but also access a protected resource like a web API on behalf of the user. This scenario combines OpenID Connect to get an ID token for authenticating the user and OAuth 2.0 to get an access token for a protected resource.<\/p>\n\n\n\n<p>The full OpenID Connect sign-in and token acquisition flow looks similar to this diagram:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/develop\/media\/v2-protocols-oidc\/convergence-scenarios-webapp-webapi.svg\" alt=\"OpenID Connect protocol: Token acquisition\"\/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"get-an-access-token-for-the-userinfo-endpoint\">Get an access token for the UserInfo endpoint<\/h2>\n\n\n\n<p>In addition to the ID token, the authenticated user&#8217;s information is also made available at the OIDC&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/develop\/userinfo\">UserInfo endpoint<\/a>.<\/p>\n\n\n\n<p>To get an access token for the OIDC UserInfo endpoint, modify the sign-in request as described here:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/\/ Line breaks are for legibility only.\n\nGET https:\/\/login.microsoftonline.com\/{tenant}\/oauth2\/v2.0\/authorize?\nclient_id=6731de76-14a6-49ae-97bc-6eba6914391e        \/\/ Your app registration's Application (client) ID\n&amp;response_type=id_token%20token                       \/\/ Requests both an ID token and an access token\n&amp;redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F       \/\/ Your application's redirect URI (URL-encoded)\n&amp;response_mode=form_post                              \/\/ 'form_post' or 'fragment'\n&amp;scope=openid+profile+email                           \/\/ 'openid' is required; 'profile' and 'email' provide information in the UserInfo endpoint as they do in an ID token.\n&amp;state=12345                                          \/\/ Any value - provided by your app\n&amp;nonce=678910                                         \/\/ Any value - provided by your app\n<\/code><\/pre>\n\n\n\n<p>You can use the&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/develop\/v2-oauth2-auth-code-flow\">authorization code flow<\/a>, the&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/develop\/v2-oauth2-device-code\">device code flow<\/a>, or a&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/develop\/v2-oauth2-auth-code-flow#refresh-the-access-token\">refresh token<\/a>&nbsp;in place of&nbsp;<code>response_type=token<\/code>&nbsp;to get an access token for your app.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"successful-token-response\">Successful token response<\/h3>\n\n\n\n<p>A successful response from using&nbsp;<code>response_mode=form_post<\/code>:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>POST \/myapp\/ HTTP\/1.1\nHost: localhost\nContent-Type: application\/x-www-form-urlencoded\n\naccess_token=eyJ0eXAiOiJKV1QiLCJub25jZSI6I....\n&amp;token_type=Bearer\n&amp;expires_in=3598\n&amp;scope=email+openid+profile\n&amp;id_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI....\n&amp;state=12345\n<\/code><\/pre>\n\n\n\n<p>Response parameters mean the same thing regardless of the flow used to acquire them.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Parameter<\/th><th>Description<\/th><\/tr><\/thead><tbody><tr><td><code>access_token<\/code><\/td><td>The token that will be used to call the UserInfo 
endpoint.<\/td><\/tr><tr><td><code>token_type<\/code><\/td><td>Always &#8220;Bearer&#8221;.<\/td><\/tr><tr><td><code>expires_in<\/code><\/td><td>How long until the access token expires, in seconds.<\/td><\/tr><tr><td><code>scope<\/code><\/td><td>The permissions granted on the access token. Because the UserInfo endpoint is hosted on Microsoft Graph, it&#8217;s possible for&nbsp;<code>scope<\/code>&nbsp;to contain others previously granted to the application (for example,&nbsp;<code>User.Read<\/code>).<\/td><\/tr><tr><td><code>id_token<\/code><\/td><td>The ID token that the app requested. You can use the ID token to verify the user&#8217;s identity and begin a session with the user. You&#8217;ll find more details about ID tokens and their contents in the&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/develop\/id-tokens\">ID token reference<\/a>.<\/td><\/tr><tr><td><code>state<\/code><\/td><td>If a state parameter is included in the request, the same value should appear in the response. The app should verify that the state values in the request and response are identical.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><strong>Warning<\/strong><\/p>\n\n\n\n<p>Don&#8217;t attempt to validate or read tokens for any API you don&#8217;t own, including the tokens in this example, in your code. Tokens for Microsoft services can use a special format that will not validate as a JWT, and may also be encrypted for consumer (Microsoft account) users. 
While reading tokens is a useful debugging and learning tool, do not take dependencies on this in your code or assume specifics about tokens that aren&#8217;t for an API you control.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"error-response-1\">Error response<\/h3>\n\n\n\n<p>Error responses might also be sent to the redirect URI so that the app can handle them appropriately:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>POST \/myapp\/ HTTP\/1.1\nHost: localhost\nContent-Type: application\/x-www-form-urlencoded\n\nerror=access_denied&amp;error_description=the+user+canceled+the+authentication\n<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Parameter<\/th><th>Description<\/th><\/tr><\/thead><tbody><tr><td><code>error<\/code><\/td><td>An error code string that you can use to classify types of errors that occur, and to react to errors.<\/td><\/tr><tr><td><code>error_description<\/code><\/td><td>A specific error message that can help you identify the root cause of an authentication error.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>For a description of possible error codes and recommended client responses, see&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/develop\/v2-protocols-oidc#error-codes-for-authorization-endpoint-errors\">Error codes for authorization endpoint errors<\/a>.<\/p>\n\n\n\n<p>When you have an authorization code and an ID token, you can sign the user in and get access tokens on their behalf. To sign the user in, you must validate the ID token&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/develop\/id-tokens#validating-an-id-token\">exactly as described<\/a>. 
To get access tokens, follow the steps described in the&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/develop\/v2-oauth2-auth-code-flow#redeem-a-code-for-an-access-token\">OAuth code flow documentation<\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"calling-the-userinfo-endpoint\">Calling the UserInfo endpoint<\/h3>\n\n\n\n<p>Review the&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/develop\/userinfo#calling-the-api\">UserInfo documentation<\/a>&nbsp;to learn how to call the UserInfo endpoint with this token.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"send-a-sign-out-request\">Send a sign-out request<\/h2>\n\n\n\n<p>To sign out a user, perform both of these operations:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Redirect the user&#8217;s user-agent to the Microsoft identity platform&#8217;s logout URI.<\/li><li>Clear your app&#8217;s cookies or otherwise end the user&#8217;s session in your application.<\/li><\/ul>\n\n\n\n<p>If you fail to perform either operation, the user may remain authenticated and not be prompted to sign in the next time they use your app.<\/p>\n\n\n\n<p>Redirect the user-agent to the&nbsp;<code>end_session_endpoint<\/code>&nbsp;as shown in the OpenID Connect configuration document. 
The&nbsp;<code>end_session_endpoint<\/code>&nbsp;supports both HTTP GET and POST requests.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>GET https:\/\/login.microsoftonline.com\/common\/oauth2\/v2.0\/logout?\npost_logout_redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F\n<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Parameter<\/th><th>Condition<\/th><th>Description<\/th><\/tr><\/thead><tbody><tr><td><code>post_logout_redirect_uri<\/code><\/td><td>Recommended<\/td><td>The URL that the user is redirected to after successfully signing out. If the parameter isn&#8217;t included, the user is shown a generic message that&#8217;s generated by the Microsoft identity platform. This URL must match one of the redirect URIs registered for your application in the app registration portal.<\/td><\/tr><tr><td><code>logout_hint<\/code><\/td><td>Optional<\/td><td>Enables sign-out to occur without prompting the user to select an account. To use&nbsp;<code>logout_hint<\/code>, enable the&nbsp;<code>login_hint<\/code>&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/develop\/active-directory-optional-claims\">optional claim<\/a>&nbsp;in your client application and use the value of the&nbsp;<code>login_hint<\/code>&nbsp;optional claim as the&nbsp;<code>logout_hint<\/code>&nbsp;parameter. Don&#8217;t use UPNs or phone numbers as the value of the&nbsp;<code>logout_hint<\/code>&nbsp;parameter.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><strong>Note<\/strong><\/p>\n\n\n\n<p>After successful sign-out, the active sessions will be set to inactive. If a valid Primary Refresh Token (PRT) exists for the signed-out user and a new sign-in is executed, SSO will be interrupted and the user will see a prompt with an account picker. 
If the user picks the account the PRT belongs to, sign-in proceeds automatically without entering fresh credentials.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"single-sign-out\">Single sign-out<\/h2>\n\n\n\n<p>When you redirect the user to the\u00a0<code>end_session_endpoint<\/code>, the Microsoft identity platform clears the user&#8217;s session from the browser. However, the user may still be signed in to other applications that use Microsoft accounts for authentication. To enable those applications to sign the user out simultaneously, the Microsoft identity platform sends an HTTP GET request to the registered\u00a0<code>LogoutUrl<\/code>\u00a0of all the applications that the user is currently signed in to. Applications must respond to this request by clearing any session that identifies the user and returning a\u00a0<code>200<\/code>\u00a0response. To support single sign-out in your application, implement such a\u00a0<code>LogoutUrl<\/code>\u00a0handler in your application&#8217;s code and set the\u00a0<code>LogoutUrl<\/code>\u00a0from the app registration portal.<\/p>\n\n\n\n<p>Ref: <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/develop\/v2-protocols-oidc#fetch-the-openid-configuration-document\">OpenID Connect (OIDC) on the Microsoft identity platform &#8211; Microsoft Entra | Microsoft Learn<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Every app registration in Azure AD is provided a publicly accessible endpoint that serves its OpenID configuration document. To determine the URI of the configuration document&#8217;s endpoint for your app, append the&nbsp;well-known OpenID configuration&nbsp;path to your app registration&#8217;s&nbsp;authority URL. 
Well-known configuration document path:&nbsp;\/.well-known\/openid-configuration Authority URL:&nbsp;https:\/\/login.microsoftonline.com\/{tenant}\/v2.0 The value of&nbsp;{tenant}&nbsp;varies based on the application&#8217;s sign-in audience as <a class=\"read-more\" href=\"https:\/\/SUMMALAI.COM\/?p=4745\">Read More<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_bbp_topic_count":0,"_bbp_reply_count":0,"_bbp_total_topic_count":0,"_bbp_total_reply_count":0,"_bbp_voice_count":0,"_bbp_anonymous_reply_count":0,"_bbp_topic_count_hidden":0,"_bbp_reply_count_hidden":0,"_bbp_forum_subforum_count":0,"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[1249,10],"tags":[1586],"class_list":["post-4745","post","type-post","status-publish","format-standard","hentry","category-azure-microsoft","category-microsoft","tag-find-the-openid-configuration-document-uri-from-azure"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts\/4745","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4745"}],"version-history":[{"count":1,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts\/4745\/revisions"}],"predecessor-version":[{"id":4746,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts\/4745\/revisions\/4746"}],"wp:attachment":[{"href":"https:\/\/SUMMALAI.C
OM\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4745"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4745"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4745"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
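The two sign-out procedures described in the post above, "Send a sign-out request" (clear the local session, then redirect to the `end_session_endpoint` with `post_logout_redirect_uri` and `logout_hint`) and "Single sign-out" (the `LogoutUrl` handler that clears the session and returns 200), as one worked example. This is an added example, not code from the original post or from Microsoft. Everything it assumes is constructed: the discovery document is embedded inline instead of being fetched from the well-known URI, the registered redirect URIs and the session store are in-memory dictionaries, and the `login_hint` claim value is a made-up opaque string. Only the Python standard library is used.

```python
"""Sign-out against the Microsoft identity platform: build the end_session
redirect and handle the front-channel LogoutUrl request.

Added example, not the post's or Microsoft's code. All data below is
constructed for illustration.
"""
import json
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed excerpt of a discovery document (normally fetched from
# https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration);
# only the fields this example needs are included.
DISCOVERY_DOC = json.loads("""{
  "issuer": "https://login.microsoftonline.com/common/v2.0",
  "end_session_endpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/logout"
}""")

# Constructed app registration: the redirect URIs registered in the portal.
REGISTERED_REDIRECT_URIS = {
    "https://app.example/signin-oidc",
    "https://app.example/signed-out",
}

# Constructed in-memory session store: session cookie value -> session record.
# The login_hint value is a made-up stand-in for the optional claim's opaque value.
SESSIONS = {
    "s3ss10n-abc": {"sub": "user-1", "login_hint": "O.CiQ-constructed-opaque-value"},
}


def is_registered_redirect(uri):
    """Exact-match check against the registered list: no prefix or wildcard
    matching, so an attacker-chosen value cannot turn logout into an open redirect."""
    return uri in REGISTERED_REDIRECT_URIS


def is_acceptable_logout_hint(hint):
    """Reject UPNs (contain '@') and phone numbers; logout_hint must carry the
    opaque login_hint claim value instead."""
    return not ("@" in hint or hint.lstrip("+").isdigit())


def build_logout_url(discovery, post_logout_redirect_uri=None, logout_hint=None):
    """Build the end_session_endpoint redirect URL from the discovery document."""
    params = {}
    if post_logout_redirect_uri is not None:
        if not is_registered_redirect(post_logout_redirect_uri):
            raise ValueError("post_logout_redirect_uri is not a registered redirect URI")
        params["post_logout_redirect_uri"] = post_logout_redirect_uri
    if logout_hint is not None:
        if not is_acceptable_logout_hint(logout_hint):
            raise ValueError("logout_hint must be the login_hint claim value, not a UPN or phone")
        params["logout_hint"] = logout_hint
    endpoint = discovery["end_session_endpoint"]
    return endpoint + ("?" + urlencode(params) if params else "")


def logout_params(url):
    """Parse the query string of a logout URL back into a flat dict (for checks)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def local_sign_out(session_cookie):
    """Second operation of the sign-out procedure: end the app's own session.
    Returns the stored login_hint value to reuse as logout_hint, or None."""
    record = SESSIONS.pop(session_cookie, None)
    return record["login_hint"] if record else None


def sign_out(session_cookie):
    """Full sign-out: clear the local session first, then return the URL the
    user-agent must be redirected to. The order matters: once the browser has
    left for the identity platform, the app gets no second chance to clean up."""
    hint = local_sign_out(session_cookie)
    return build_logout_url(DISCOVERY_DOC, "https://app.example/signed-out", hint)


def handle_front_channel_logout(session_cookie):
    """Handler for the registered LogoutUrl (single sign-out).

    Clears whatever session the request identifies and always returns 200,
    including when no session was found. Assumption: the request arrives
    carrying the app's own session cookie, passed in here as session_cookie.
    """
    if session_cookie is not None:
        SESSIONS.pop(session_cookie, None)
    return 200, "signed out"


if __name__ == "__main__":
    print(sign_out("s3ss10n-abc"))
```

One caveat for the `LogoutUrl` handler: the single sign-out GET is rendered in the user's browser, so whether the app's session cookie accompanies it depends on that cookie's `SameSite` attribute; a `Lax` or `Strict` cookie is not sent on that cross-site request, and the handler then has nothing to clear unless the session is identified some other way. Returning 200 regardless is still correct, because a non-200 response only marks the app as failed without signing anyone out.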