GUITACA BLOGS
Blogs from our authors

Office 365: The best recipes for developers
Gustavo Velez
Learn more and buy
Return to Blogs
Decoding the Graph TokenGustavo Velez
How to decode the Azure AD Token used to work with Microsoft Graph10-09-2020
Graph

Before calling a Microsoft Graph API, any application must ask access from the Microsoft Identity Platform (Azure Active Directory, AAD). When the access is granted, a Token is issued containing information about the application and the allowed permissions. The process requires that the application is registered with the Microsoft identity platform and authorized to access the Microsoft Graph resources.

Access Tokens contain information used to validate the caller, for how long the access is permitted, and ensure that the caller has the appropriate permissions. The Token is issued in JWT (JSON Web Token) format, which is an open Internet standard for creating data with optional signature and encryption. The tokens are signed either using a private secret or a public/private key.

A JWT Token delivered by AAD is an object containing the following information:

The access_token contains the encoded token that should be used to require access to Graph. If necessary, the token can be decoded to review its information. Use the following routine, for example, to retrieve the information in a readable way:

        static void DecodeToken(string ADToken)
        {
            JwtSecurityTokenHandler myHandler = new JwtSecurityTokenHandler();
            JwtSecurityToken myToken = myHandler.ReadToken(ADToken) as JwtSecurityToken;
            
            string firstRole = myToken.Claims.First(clm => clm.Type == "roles").Value;

            foreach (System.Security.Claims.Claim oneClaim in myToken.Claims)
            {
                Console.WriteLine(oneClaim.Type + " - " + oneClaim.Value);
            }
        }

Install the NuGet Microsoft.IdentityModel.JsonWebTokens in the Visual Studio Solution, that contains all the references to work with JwtSecurityTokenHandler and JwtSecurityToken.

The Token contains a section with Claims. The firstRole variable recovers the first claim in the array van Claims.

The foreach loop walks through all the claims and shows the type and its value.

Return to Blogs