V2.0 for applications that support consumer accounts. The following example shows a v1.0 token (the keys are changed and personal information is removed, which prevents token validation): eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Imk2bEdrM0ZaenhSY1ViMkMzbkVRN3N5SEpsWSIsImtpZCI6Imk2bEdrM0ZaenhSY1ViMkMzbkVRN3N5SEpsWSJ9.eyJhdWQiOiJlZjFkYTlkNC1mZjc3LTRjM2UtYTAwNS04NDBjM2Y4MzA3NDUiLCJpc3MiOiJodHRwczov元N0cy53aW5kb3dzLm5ldC9mYTE1ZDY5Mi1lOWM3LTQ0NjAtYTc0My0yOWYyOTUyMjIyOS8iLCJpYXQiOjE1MzcyMzMxMDYsIm5iZiI6MTUzNzIzMzEwNiwiZXhwIjoxNTM3MjM3MDA2LCJhY3IiOiIxIiwiYWlvIjoiQVhRQWkvOElBQUFBRm0rRS9RVEcrZ0ZuVnhMaldkdzhLKzYxQUdyU091TU1GNmViYU1qN1hPM0libUQzZkdtck95RCtOdlp5R24yVmFUL2tES1h3NE1JaHJnR1ZxNkJuOHdMWG9UMUxrSVorRnpRVmtKUFBMUU9WNEtjWHFTbENWUERTL0RpQ0RnRTIyMlRJbU12V05hRU1hVU9Uc0lHdlRRPT0iLCJhbXIiOlsid2lhIl0sImFwcGlkIjoiNzVkYmU3N2YtMTBhMy00ZTU5LTg1ZmQtOGMxMjc1NDRmMTdjIiwiYXBwaWRhY3IiOiIwIiwiZW1haWwiOiJBYmVMaUBtaWNyb3NvZnQuY29tIiwiZmFtaWx5X25hbWUiOiJMaW5jb2xuIiwiZ2l2ZW5fbmFtZSI6IkFiZSAoTVNGVCkiLCJpZHAiOiJodHRwczov元N0cy53aW5kb3dzLm5ldC83MmY5ODhiZi04NmYxLTQxYWYtOTFhYi0yZDdjZDAxMjIyNDcvIiwiaXBhZGRyIjoiMjIyLjIyMi4yMjIuMjIiLCJuYW1lIjoiYWJlbGkiLCJvaWQiOiIwMjIyM2I2Yi1hYTFkLTQyZDQtOWVjMC0xYjJiYjkxOTQ0MzgiLCJyaCI6IkkiLCJzY3AiOiJ1c2VyX2ltcGVyc29uYXRpb24iLCJzdWIiOiJsM19yb0lTUVUyMjJiVUxTOXlpMmswWHBxcE9pTXo1SDNaQUNvMUdlWEEiLCJ0aWQiOiJmYTE1ZDY5Mi1lOWM3LTQ0NjAtYTc0My0yOWYyOTU2ZmQ0MjkiLCJ1bmlxdWVfbmFtZSI6ImFiZWxpQG1pY3Jvc29mdC5jb20iLCJ1dGkiOiJGVnNHeFlYSTMwLVR1aWt1dVVvRkFBIiwidmVyIjoiMS4wIn0.D3H6pMUtQnoJAGq6AHd V1.0 for Microsoft Entra-only applications. Web APIs have one of the following versions selected as a default during registration: These versions determine the claims that are in the token and make sure that a web API can control the contents of the token. There are two versions of access tokens available in the Microsoft identity platform: v1.0 and v2.0. It doesn't apply to tokens issued for Microsoft-owned APIs, nor can those tokens be used to validate how the Microsoft identity platform issues tokens for a registered API. See the following sections to learn how an API can validate and use the claims inside an access token.Īll documentation on this page, except where noted, applies only to tokens issued for registered APIs.
This data allows the application to do intelligent caching of access tokens without having to parse the access token itself. This information includes the expiry time of the access token and the scopes for which it's valid. When the client requests an access token, the Microsoft identity platform also returns some metadata about the access token for the consumption of the application. Tokens that a Microsoft API receives might not always be a JWT that can be decoded.Ĭlients should use the token response data that's returned with the access token for details on what's inside it. For validation and debugging purposes only, developers can decode JWTs using a site like jwt.ms. The contents of the token are intended only for the API, which means that access tokens must be treated as opaque strings. These proprietary formats that can't be validated might be encrypted tokens, JWTs, or special JWT-like. Microsoft-developed APIs like Microsoft Graph or APIs in Azure have other proprietary token formats.
The format of the access token can depend on the configuration of the API that accepts it.Ĭustom APIs registered by developers on the Microsoft identity platform can choose from two different formats of JSON Web Tokens (JWTs) called v1.0 and v2.0.
Some identity providers (IDPs) use GUIDs and others use encrypted blobs. Per the OAuth specification, access tokens are opaque strings without a set format.
Web APIs use access tokens to perform authentication and authorization. Access tokens enable clients to securely call protected web APIs.
0 kommentar(er)
