Azure AD returns non JWT Tokens when exchanging the OAuth2 code for an access token

Question

I have an Azure AD App on my tenant that is configured to accept multiple tenants AND personal accounts.

I follow the procedure to retrieve an AccessToken as explained here: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow

When I receive the "code" in my app from the Microsoft web page, I exchange it for an access token calling the endpoint "https://login.microsoftonline.com/common/oauth2/v2.0/token".

Here the behavior differs whether the user that logs in is a work account or a personal account.

With work accounts, I receive a normal JWT Token and everybody is happy: I can decode the token and read the claims.

With personal accounts, I receive another token, that is not a JWT Token and I don't have any clue on how to:

1. validate this token
2. read a few information from the user (specifically, the email of the user)

Could you please help me understand how to perform these two actions?

NOTE: I have seen the answers here: Microsoft as OAuth2 provider for personal accounts does not issue JWT access tokens but my case is slightly different, since I don't want to access MS Graph with this token, I just need to retrieve the email of the user.

Thanks!

cghersi

Answer 1

The access_token in OAuth2 is not required to be an JWT per the OAuth specification.
However Microsoft supports OpenID Connect , that provides an id_token . The id_token is always an JWT.

To "upgrade" your OAuth request to an OpenID Connect request you simply have to add the scope openid (and possibly email to ensure you get an email).
Then when you exchange your code to an access_token you also get an id_token