I'm trying to create a webapp to authenticate Xbox users on my service by using login.live.com, and I want to use a nonce like in the MSAL Java code example provided in the documentation.
In their example, they redirect the user to login.microsoftonline.com to retrieve an access code, and the request provides a nonce generated on the server, which is also accepted when adding it to the login.live.com redirection. The problem comes when retrieving an access token on the server side, which is normally in JWT format holding the nonce, which is true when using login.microsoftonline.com.
In the current situation my request for the access token is a POST request to the URL https://login.live.com/oauth20_token.srf with the header Content-Type: application/x-www-form-urlencoded and this body:
{
"client_id": "MY_CLIENT_ID",
"client_secret": "MY_SECRET",
"code": "access_code",
"grant_type": "authorization_code",
"redirect_uri": "https://localhost:8443/auth/callback"
}
and as the answer I receive something like below, where I cannot parse the "access_token" as a JWT to retrieve a nonce:
{
"token_type": "bearer",
"expires_in": 3600,
"scope": "XboxLive.signin XboxLive.offline_access",
"access_token": "EwAwA+pvBA...",
"refresh_token": "M.R3_BL2.-...",
"user_id": "AA.."
}
So, if I'm missing anything, like if I need to use specific scopes, if it is just not possible, or if there are other ways to do it, please help.
I tried to reproduce the same in my environment:
https://login.live.com/oauth20_authorize.srf?client_id=c46xxxx50cf6b692038&scope=https://graph.microsoft.com/.default&response_type=code&redirect_uri=https://localhost:xxx/auth/callback
But I only got the nonce parameter when
https://login.microsoftonline.com/organizations/oauth2/v2.0/token
is given as the endpoint. Also, try giving a random nonce value:
https://login.microsoftonline.com/<tenantName>/oauth2/v2.0/authorize?client_id=<appID_of_your_client_application>&nonce=anyRandomValue&redirect_uri=<redirect_uri_of_your_client_application>&scope=<your scope>&response_type=code
Then the nonce parameter can be seen in the token.
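The following is an added example, not code from the question author, the answerer, MSAL or Microsoft. It walks the flow the thread discusses: mint a per-login state and nonce on the server, build the login.live.com authorize URL, check the state when the browser comes back to /auth/callback, and then decide whether the nonce can be checked at all. A nonce is a claim of an ID token, so an opaque access_token like the one quoted in the question can never carry it; the callback is bound to the browser session by state, and the nonce can only be compared if the token response also contains a JWT id_token. The client id, redirect URI, token response and the id_token are all constructed for the demo; the id_token is unsigned, and the claim parser deliberately does not verify a signature, which a real deployment must do against the issuer's JWKS before trusting any claim.

```python
import base64
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Endpoint from the question; client id and redirect_uri below are placeholders.
AUTHORIZE_URL = "https://login.live.com/oauth20_authorize.srf"

# Constructed token response shaped like the one quoted in the question.
# The access_token is an opaque string: it is not a JWT and carries no claims.
OPAQUE_RESPONSE = {
    "token_type": "bearer",
    "expires_in": 3600,
    "scope": "XboxLive.signin XboxLive.offline_access",
    "access_token": "EwAwAopvBAAUconstructedOpaqueTokenValue",
    "refresh_token": "M.R3_BL2.constructedRefreshToken",
    "user_id": "AAconstructed",
}


def new_login_request(client_id, redirect_uri, scope):
    """Mint a per-login state and nonce and build the authorize URL.
    Returns (url, stored); keep 'stored' in the server-side session."""
    stored = {"state": secrets.token_urlsafe(32), "nonce": secrets.token_urlsafe(32)}
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": stored["state"],   # binds the callback to this browser session
        "nonce": stored["nonce"],   # only checkable if an id_token comes back
    }
    return AUTHORIZE_URL + "?" + urlencode(params), stored


def check_callback(callback_url, stored):
    """Validate the redirect back to /auth/callback and return the code."""
    q = parse_qs(urlparse(callback_url).query)
    returned_state = q.get("state", [""])[0]
    if not hmac.compare_digest(returned_state.encode(), stored["state"].encode()):
        raise ValueError("state mismatch: callback not bound to this login")
    if "error" in q:
        raise ValueError("authorization failed: " + q["error"][0])
    if "code" not in q:
        raise ValueError("callback carries no authorization code")
    return q["code"][0]


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def is_jwt(token):
    """True only if the token has three segments and a JSON header with 'alg'."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except (ValueError, UnicodeDecodeError):
        return False
    return isinstance(header, dict) and "alg" in header


def unverified_claims(jwt_token):
    """Decode the payload only. The signature is NOT checked here; verify it
    against the issuer's JWKS (e.g. with PyJWT) before trusting these claims."""
    return json.loads(_b64url_decode(jwt_token.split(".")[1]))


def nonce_check(token_response, stored):
    """'verified' if an id_token carries our nonce, 'no_id_token' if the response
    has only an opaque access_token; raises on a nonce mismatch."""
    id_token = token_response.get("id_token")
    if id_token is None or not is_jwt(id_token):
        return "no_id_token"
    got = str(unverified_claims(id_token).get("nonce", "")).encode()
    if not hmac.compare_digest(got, stored["nonce"].encode()):
        raise ValueError("nonce mismatch: id_token was not issued for this login")
    return "verified"


def constructed_id_token(nonce):
    """Demo id_token with a dummy signature segment (constructed and unsigned;
    a real one is RS256-signed by the issuer)."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = {"alg": "RS256", "typ": "JWT"}
    payload = {"iss": "https://login.live.com", "aud": "client-id", "nonce": nonce}
    return seg(header) + "." + seg(payload) + ".constructedSignature"


if __name__ == "__main__":
    url, stored = new_login_request("client-id", "https://localhost:8443/auth/callback",
                                    "XboxLive.signin XboxLive.offline_access")
    print("redirect the browser to:", url)
    cb = "https://localhost:8443/auth/callback?code=M.R3_BL2.constructed&state=" + stored["state"]
    print("authorization code:", check_callback(cb, stored))
    print("access_token is a JWT:", is_jwt(OPAQUE_RESPONSE["access_token"]))
    print("nonce check, opaque response:", nonce_check(OPAQUE_RESPONSE, stored))
    with_id = dict(OPAQUE_RESPONSE, id_token=constructed_id_token(stored["nonce"]))
    print("nonce check, with id_token:", nonce_check(with_id, stored))
```

Run as-is, the script reports that the quoted access_token is not a JWT and that no nonce check is possible on that response, then shows the check succeeding once an id_token carrying the stored nonce is present. The state comparison is what protects the /auth/callback handler against a forged or replayed redirect, regardless of whether an id_token is ever issued.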