Azure AD v2 Access Token Request


What is the Azure AD v2.0 Access Token Request?



If you want to implement the authentication code flow to integrate your application with Azure AD v2.0, you need to have a good understanding of the Azure AD v2.0 access token request, which is the second call you have to make in the authentication code flow.

Here is an example of an Azure AD v2.0 access token request and its parameters:

POST /common/oauth2/v2.0/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded

&client_secret=JqQX2PNo9bpM0uEihUPzyrh // NOTE: Only required for web apps

Here are the parameters you need to provide:

  • client_id - The Application ID you received from the Azure portal as presented in the previous tutorial.
  • code - The authentication code received from the previous sign-on authentication request.
  • redirect_uri - The same URL used in the previous sign-on authentication request. Azure AD service will use it to help validate the authentication code.
  • grant_type - Specify "authorization_code" to receive "id_token".
  • client_secret - A secret key defined in the Azure AD application ID registration.

Note that the end point for the access token request is different from that of the authentication request. You need to look it up from the metadata document. Usually, the two end points have different path endings:

Version   Request          End Point

v2.0      Authentication   .../common/oauth2/v2.0/authorize
v2.0      Access Token     .../common/oauth2/v2.0/token
v1.0      Authentication   .../common/oauth2/authorize
v1.0      Access Token     .../common/oauth2/token
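
The request described above, assembled in Python as an added example (not code from the original tutorial). The function names, the all-zero client_id, the app.example redirect URL and the embedded metadata sample are assumptions made for illustration; `token_endpoint` is the standard OpenID Connect metadata field.

```python
import json
from urllib.parse import urlencode, urlsplit

# Constructed sample of the metadata document (only the two end point fields).
SAMPLE_METADATA = json.dumps({
    "authorization_endpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
    "token_endpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/token",
})

def token_endpoint_from_metadata(metadata_json):
    """Return the access token end point, refusing anything that is not HTTPS."""
    endpoint = json.loads(metadata_json)["token_endpoint"]
    parts = urlsplit(endpoint)
    if parts.scheme != "https" or not parts.netloc:
        # The code and client_secret must never travel over plain HTTP.
        raise ValueError("token end point must be an absolute https URL")
    return endpoint

def build_token_request(metadata_json, signin_params, code, client_secret=None):
    """Build (url, headers, body) for the access token request.

    signin_params is the dict used for the earlier sign-on request (hypothetical
    shape); reusing its client_id and redirect_uri guarantees both calls match.
    client_secret is passed only by web apps.
    """
    if not code:
        raise ValueError("missing authentication code")
    params = {
        "client_id": signin_params["client_id"],
        "code": code,
        "redirect_uri": signin_params["redirect_uri"],
        "grant_type": "authorization_code",
    }
    if client_secret is not None:
        params["client_secret"] = client_secret  # load from a secret store, never log
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    # urlencode percent-encodes each value, so a code or secret containing
    # '&' or '=' cannot smuggle extra form parameters into the body.
    return token_endpoint_from_metadata(metadata_json), headers, urlencode(params)

if __name__ == "__main__":
    signin = {"client_id": "00000000-0000-0000-0000-000000000000",  # placeholder
              "redirect_uri": "https://app.example/callback"}       # placeholder
    url, headers, body = build_token_request(SAMPLE_METADATA, signin, "constructed-code")
    print("POST", url)
    print(headers)
    print(body)
```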


2019-03-27