Use OpenID scopes instead of custom API scopes
- Change frontend scopes from api://{client_id}/.default to
openid, profile, email for simpler authentication
- Update backend token validation to expect ID token format:
- Audience: client_id (not api://{client_id})
- Issuer: v2.0 endpoint
This avoids requiring Application ID URI setup in Azure AD.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
parent
cc2c68bb02
commit
5b9e824da9
2 changed files with 7 additions and 5 deletions
@ -99,12 +99,14 @@ async def verify_access_token(token: str) -> Optional[dict]:
|
|||
return None
|
||||
|
||||
# Verify and decode the token
|
||||
# For ID tokens with OpenID scopes, audience is the client ID
|
||||
# and issuer uses the v2.0 endpoint
|
||||
claims = jwt.decode(
|
||||
token,
|
||||
rsa_key,
|
||||
algorithms=["RS256"],
|
||||
audience=f"api://{settings.AZURE_CLIENT_ID}",
|
||||
issuer=f"https://sts.windows.net/{settings.AZURE_TENANT_ID}/",
|
||||
audience=settings.AZURE_CLIENT_ID,
|
||||
issuer=f"https://login.microsoftonline.com/{settings.AZURE_TENANT_ID}/v2.0",
|
||||
)
|
||||
|
||||
logger.info(f"Token verified for user: {claims.get('name', 'unknown')}")
|
||||
|
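Review bot: verify_access_token now accepts the SPA's ID token (aud = AZURE_CLIENT_ID, v2.0 issuer) as the API's bearer credential, but the function name and the comment `# Verify and decode the token` still describe an access token, and an ID token carries no `scp`/`roles` claims, so nothing downstream can scope permissions from it — any holder of a valid ID token for this client id gets full API access. Say that explicitly on the decode call, e.g. `# NOTE: this validates the SPA's ID token, not an API access token; it only proves sign-in to client AZURE_CLIENT_ID in tenant AZURE_TENANT_ID and carries no scp/roles, so derive no permissions from it`. If the frontend still forwards the `accessToken` from a request scoped to openid/profile/email, that token is issued for Microsoft Graph and will fail this audience check; the caller is not visible here, so confirm it sends the ID token. verify_access_token begins before the hunk and the rsa_key lookup above it is unchanged.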
@ -41,12 +41,12 @@ export const msalConfig: Configuration = {
|
|||
};
|
||||
|
||||
// Scopes for the access token
|
||||
// Using .default for single-tenant apps to get all configured API permissions
|
||||
// Using basic OpenID scopes for authentication
|
||||
export const loginRequest: PopupRequest = {
|
||||
scopes: [`api://${import.meta.env.VITE_AZURE_CLIENT_ID || ''}/.default`],
|
||||
scopes: ['openid', 'profile', 'email'],
|
||||
};
|
||||
|
||||
// Scopes for API calls (same as login for this app)
|
||||
export const apiTokenRequest = {
|
||||
scopes: [`api://${import.meta.env.VITE_AZURE_CLIENT_ID || ''}/.default`],
|
||||
scopes: ['openid', 'profile', 'email'],
|
||||
};
|
||||
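Review bot: `apiTokenRequest` on the new side requests only `openid`, `profile`, `email`, and an access token acquired for those scopes is issued for Microsoft Graph rather than for this client, so a backend check for aud = client id can only succeed against the result's `idToken`. The comment `// Scopes for API calls (same as login for this app)` hides that; change it to `// Scopes for API calls: a token acquired with these is a Graph-audience accessToken — send result.idToken (aud = VITE_AZURE_CLIENT_ID) to the backend`. The call site that picks which token to send is outside this diff, so confirm it uses `idToken` rather than `accessToken`.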