Easy trick to test your Azure Active Directory returned ID Tokens

The other day I was trying to troubleshoot an issue where I needed to know what the content of an ID token coming from AAD was for a mobile application. The application was set up to use code flow with PKCE, and using Fiddler to troubleshoot this didn't work since AAD is protected with SSL pinning, so having Fiddler act as the man in the middle didn't work out. It helped me figure out what request was sent to the server, but not the content of the response.

There is a simple trick you can do if you can modify the application registration in the Azure Active Directory portal so you can quickly see what the content of the ID token is.

Go to your app registration blade. Open the application you are working on and click authentication on the left side of your screen. In my case I only had Mobile and desktop applications listed so I clicked on + Add a platform. Select Web.

Add https://jwt.ms (it needs to be https) as the redirect URI and tick the ID tokens checkbox.
What you do here is tell Azure Active Directory it's OK for this app to ask AAD to send the ID token back to that specific web address if asked, and the checkbox allows the application to use implicit flow, which we need for this to work. Once you are done debugging, untick the checkbox and remove the redirect URI again, since implicit flow and an extra redirect URI are not something you want to leave enabled on a production app registration.

Now the last step is to construct a specific URI: when you open it and sign in to your AAD account, the resulting ID token will be sent to jwt.ms for you to inspect.
TENANTID needs to be your directory or tenant ID. This tells AAD you want to sign in to that specific tenant.
CLIENTID is the Application (client) ID of your application.
response_type tells AAD it needs to send back an ID token.
redirect_uri tells AAD where to send the ID token back to. Since we added jwt.ms as a redirect URI in the app registration, AAD is OK doing this when we ask for it in this request. Otherwise you would have seen an error (that's a good thing!).
scope tells AAD what information you want returned: profile allows your first name and last name to be returned, email your email address, etc. By default the ID token is kept small to prevent too much traffic going over the wire.
The remaining parameters (response_mode, state and nonce) are required, but for this test their values are just made-up random strings so the request is accepted.

So copy and paste the following URI and modify it with your TENANTID and CLIENTID.

https://login.microsoftonline.com/TENANTID/oauth2/v2.0/authorize?client_id=CLIENTID&response_type=id_token&redirect_uri=https%3A%2F%2Fjwt.ms&scope=openid%20profile%20email&response_mode=fragment&state=12345&nonce=678910

That's it. If you now click on that link, you sign in with whatever is configured for your users and the result will be displayed on jwt.ms (click the link to see an example).
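If you would rather build the URL and decode the result from a script than paste it by hand, here is an added Python example (not from the original post): it assembles the same authorize URL as above, and then pulls the ID token out of the `#id_token=...&state=...` fragment that AAD sends to the redirect URI and decodes its claims, checking that the state and nonce match what was put in the request. The decoded token is NOT signature-verified, exactly like jwt.ms; the sample token at the end is constructed for offline testing and the claim values in it are assumptions.

```python
import base64
import json
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com"
JWT_MS = "https://jwt.ms"


def build_authorize_url(tenant_id, client_id, state=None, nonce=None):
    # state and nonce default to fresh random values; keep them to check the response
    state = state or secrets.token_urlsafe(16)
    nonce = nonce or secrets.token_urlsafe(16)
    params = {
        "client_id": client_id,
        "response_type": "id_token",  # implicit flow: the ID token itself comes back
        "redirect_uri": JWT_MS,       # must be registered as a Web redirect URI
        "scope": "openid profile email",
        "response_mode": "fragment",  # token arrives after '#', so it never hits a server log
        "state": state,
        "nonce": nonce,
    }
    query = urlencode(params, quote_via=quote)  # quote() gives %20 for spaces, as in the post
    return f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/authorize?{query}", state, nonce


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_id_token_unverified(id_token):
    # Inspection only: the signature is NOT checked, same as jwt.ms does
    header_b64, payload_b64, _signature = id_token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))


def claims_from_redirect(redirect_url, expected_state, expected_nonce):
    # Pull id_token out of the fragment and check it belongs to the request we made
    params = parse_qs(urlparse(redirect_url).fragment)
    if params.get("state", [None])[0] != expected_state:
        raise ValueError("state does not match the request")
    _header, claims = decode_id_token_unverified(params["id_token"][0])
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce does not match the request")
    return claims


def build_constructed_id_token(claims):
    # CONSTRUCTED unsigned sample for offline testing; real AAD tokens are RS256-signed
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'typ': 'JWT', 'alg': 'none'})}.{enc(claims)}.unsigned"
```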

Happy debugging