如何获取已登录用户的Azure AD访问令牌？

Question

We have an App Service (a PHP website) running in our Microsoft Azure platform. The website is only accessible after the user has already been logged in. The authentication is based on the Azure AD. Everything works fine.

Now, from the PHP code of the website, I would like to get the Azure AD group memberships of the already logged in user.

I read a lot of Web resources explaining how to log in a user to Azure AD from a website and thus get an authorization/access token in order to perform additional actions, like retrieving group memberships and a lot of other stuff. But this is not what I'm looking for. The user already is logged in and can successfully use the website. (Microsoft would redirect the user to the single sign-on login page otherwise.)

Using PHP, I can retrieve, for example, the username of the logged in user from the request header of any access to the website. And there is also some "access token" stored in the request header, and other things, like "client principal ID". But I don't know whether this is such authorization/access token I could use for additional actions. Or maybe/probably I'm doing something wrong. Requesting, for example, https://graph.microsoft.com/v1.0/me/memberOf using cURL, I get an InvalidAuthenticationToken error with "CompactToken parsing failed". I put "Authorization:Bearer {access token}" and "Accept:application/json" into the request header for this as explained here . (I don't have explicit information about the token type so I just assume "Bearer" to be correct like in the examples. Maybe this is already wrong.)

I don't know how to proceed in order to get to a solution. Maybe the point I am missing is not in my cURL request at all but in the Azure settings for the AD and/or App Service. I'm hoping for help from your side.

Answer 1

You are on the right track.

Access token

When you have successfully authenticated yourself against Azure AD, using OAuth2 or OIDC , you will get an access token . The access token is a base 64 encoded JSON Web Token (JWT) and can be used to access other protected resources.

An access token might look like this:

EwAoA8l6BAAU ... 7PqHGsykYj7A0XqHCjbKKgWSkcAg==

You can use https://jwt.io to explore further its contents.

Note: the above token is shortened. In its complete form, it is quite long.

In other works, you need the access token for doing future requests against any API secured with the same identity provider (in this case Azure AD).

Accessing protected APIs

However, before you can use your token to access any API you must first grant your Azure AD application necessary permissions. See this link .

Note: that link applies to the v1.0 Azure AD endpoints.

Once you got the needed permissions sorted, you can start doing requests. The requests you make look like, eg

GET https://graph.microsoft.com/v1.0/me 
Authorization: Bearer eyJ0eXAiO ... 0X2tnSQLEANnSPHY0gKcgw
Host: graph.microsoft.com

Here, the token is what comes after Authorization: Bearer .

Further reading

See this link for further reading. The link contains intructions on how to use the v2.0 Azure AD endpoints but the general idea is the same:

1. Register an app
2. Grant permissions to app to access resources
3. Get an access token
4. Use the token for doing requests