Monday, March 20, 2017

AAD: Beware the difference between the V1.0 and V2.0 endpoints

The V2.0 endpoint is the converged endpoint: it accepts sign-in with both personal Microsoft accounts and Azure Active Directory (work or school) accounts, whereas V1.0 only handles Azure AD accounts.

From an OpenID / OAuth perspective, the discovery documents can be found at:

V1.0:

https://login.microsoftonline.com/common/.well-known/openid-configuration

V2.0:

https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration

Notice the extra "v2.0" path segment; the rest of the URL is identical, which is exactly why the two are so easy to mix up.

If we look at the keys, we see for V1.0:

https://login.microsoftonline.com/common/discovery/keys

And for V2.0 :

https://login.microsoftonline.com/common/discovery/v2.0/keys

At the time of writing, the V2.0 document lists four signing keys while V1.0 lists only two. The counts will change as Microsoft rolls keys, so never hard-code either set; the point is that the two URLs serve different key sets, and a validator must fetch from the one that matches the endpoint it trusts.

Azure AD B2C issues its tokens through the V2.0 endpoint.

Don't assume that a token signed by Azure AD through V1.0 will validate against the V2.0 metadata used by B2C, or vice versa. A token's `kid` must be resolved only within the key set published by the endpoint you are configured to trust, and the `iss` claim must be checked against that same endpoint's discovery document; V1.0 and V2.0 tokens carry different issuer values, so a token from the wrong endpoint fails either the key lookup or the issuer check, never silently passes.

Cross-acceptance may come if AAD and B2C are merged at some point in the future, but right now it's a gotcha!
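To make the gotcha concrete, here is an added example in Go (written for this page; it is not code from the original post or from Microsoft) of what a resource server should do: resolve the token's `kid` only within the key set it loaded from the keys URL of the endpoint it trusts, verify the RS256 signature, then check `iss`. The two issuer strings are the ones the V1.0 and V2.0 discovery documents report; the post does not quote them, so treat them as an assumption to verify against the live documents. The RSA keys, kids, audience and tokens are constructed in-code to stand in for the two endpoints so the example runs offline; the constructed V1.0 and V2.0 keys are deliberately distinct, so a V1.0 token presented to a validator configured for V2.0 fails at the `kid` lookup, and even if a key were shared between the two sets the issuer check would still reject it.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding

// jwk/jwks mirror the JSON the two "keys" URLs in the post return (kid/kty/n/e/keys bind case-insensitively).
type jwk struct{ Kid, Kty, N, E string }
type jwks struct{ Keys []jwk }

// keyForKid returns the RSA key with the given kid from the configured key set. A kid the
// set does not contain is a hard failure: never fall back to the other endpoint's keys URL.
func keyForKid(set jwks, kid string) (*rsa.PublicKey, error) {
	for _, k := range set.Keys {
		n, err1 := b64.DecodeString(k.N)
		e, err2 := b64.DecodeString(k.E)
		if k.Kid == kid && k.Kty == "RSA" && err1 == nil && err2 == nil {
			return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
		}
	}
	return nil, fmt.Errorf("kid %q not in the configured key set", kid)
}

// VerifyRS256 validates a compact RS256 JWT against one key set (loaded from the keys URL of
// the endpoint you trust) and one expected issuer. Both the kid lookup and the iss check
// reject a token minted by the other endpoint; the alg check refuses "none"/HMAC tokens.
func VerifyRS256(token string, set jwks, wantIssuer string) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	raw, err := b64.DecodeString(parts[0])
	if len(parts) != 3 || err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("malformed token or alg is not RS256")
	}
	pub, err := keyForKid(set, hdr.Kid)
	if err != nil {
		return nil, err
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature does not verify under kid %q", hdr.Kid)
	}
	var claims map[string]interface{}
	if raw, err = b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &claims) != nil {
		return nil, fmt.Errorf("malformed claims")
	}
	if iss, _ := claims["iss"].(string); iss != wantIssuer {
		return nil, fmt.Errorf("issuer %q, want %q", iss, wantIssuer)
	}
	return claims, nil
}

// endpoint stands in for one token issuer: a fresh RSA key, the JWK it would publish at its
// keys URL, and an RS256 token it mints. Constructed for this example; not real AAD material.
func endpoint(kid, issuer string) (token string, key jwk) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(map[string]string{"iss": issuer, "aud": "api://example", "sub": "user1"})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	key = jwk{Kid: kid, Kty: "RSA", N: b64.EncodeToString(priv.N.Bytes()), E: b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}
	return input + "." + b64.EncodeToString(sig), key
}

// CrossEndpointCheck reproduces the gotcha with the issuer strings the V1.0 and V2.0 discovery
// documents report (assumed here; the post does not quote them). Returns whether each token
// validates against its own endpoint's key set and against the other endpoint's.
func CrossEndpointCheck() (v1Own, v2Own, v1AsV2, v2AsV1 bool) {
	v1Iss, v2Iss := "https://sts.windows.net/{tenantid}/", "https://login.microsoftonline.com/{tenantid}/v2.0"
	v1Tok, v1Key := endpoint("v1-key-a", v1Iss)
	v2Tok, v2Key := endpoint("v2-key-a", v2Iss)
	v1Set, v2Set := jwks{Keys: []jwk{v1Key}}, jwks{Keys: []jwk{v2Key}}
	_, e1 := VerifyRS256(v1Tok, v1Set, v1Iss)
	_, e2 := VerifyRS256(v2Tok, v2Set, v2Iss)
	_, e3 := VerifyRS256(v1Tok, v2Set, v2Iss) // kid is not in the V2.0 set
	_, e4 := VerifyRS256(v2Tok, v1Set, v1Iss) // kid is not in the V1.0 set
	return e1 == nil, e2 == nil, e3 == nil, e4 == nil
}
```

In a real service the `jwks` value is fetched from whichever of the two keys URLs above corresponds to the configured issuer, and refreshed periodically because the key sets roll; the validator never consults the other URL, and a `kid` miss is treated as a rejected token, not as a prompt to look elsewhere.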

Enjoy!
