Tokens

ID Tokens

  • These tokens are valid for 1 hour and prove authentication, i.e. that a user has authenticated to a resource or application. The token contains claims describing who the user is, along with the details needed to verify it.

  • ID tokens differ from access tokens, which serve as proof of authorization. Confidential clients should validate ID tokens, and an ID token should never be used to call an API.

  • Can be used for authentication, but this is typically not how they are used.

ID Token Displayed

Access Tokens

  • Valid for 1 hour, these tokens grant access to resources and are used for authorization.

  • These tokens embed information about who the user is and which specific resource the access is intended for. As the decoded access token below shows, the token has the scope graph.microsoft.com, obtained via the client (application) Microsoft Office.

  • CAN BE STOLEN: access tokens are bearer tokens, so whoever holds one can use it until it expires.

Access Token Decoded
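The ID-token and access-token claims described above are easiest to understand by decoding a token and reading its claims. The following is an added example, not code from the original page: it builds two constructed tokens with the same claim layout (aud, appid, scp, upn, iat, exp for the access token; aud, nonce, preferred_username for the ID token), verifies the signature before trusting any claim, and then classifies the token and reports its audience, client, scopes and lifetime. The signing secret, client id, user name and timestamps are all placeholders; real Entra tokens are RS256-signed and must be checked against the tenant's published signing keys rather than an HMAC secret.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example only; real Entra ID tokens are RS256-signed
# and must be verified against the tenant's published signing keys (JWKS).
DEMO_SECRET = b"demo-hmac-secret-not-a-real-key"
DEMO_CLIENT_ID = "00000000-0000-0000-0000-0000000000aa"  # placeholder app (client) id
DEMO_ISSUED_AT = 1_700_000_000                          # fixed timestamp so results are stable


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_demo_jwt(claims: dict) -> str:
    """Build a compact JWT (header.payload.signature) signed with HS256 over the demo secret."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url_encode(json.dumps(header).encode()) + "." + _b64url_encode(json.dumps(claims).encode())
    signature = hmac.new(DEMO_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


def verify_and_decode(token: str, secret: bytes = DEMO_SECRET) -> dict:
    """Check the signature before trusting any claim; a tampered token is rejected outright."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("JWT signature mismatch")
    return json.loads(_b64url_decode(payload_b64))


def classify(claims: dict, now=None) -> dict:
    """Summarise what a token is for: which kind, which resource, which client, how long it lives."""
    now = time.time() if now is None else now
    # Heuristic: scopes or app roles mean an access token for a resource; a nonce with no
    # scopes means an ID token addressed to the client that requested the sign-in.
    if "scp" in claims or "roles" in claims:
        kind = "access"
    elif "nonce" in claims:
        kind = "id"
    else:
        kind = "unknown"
    return {
        "kind": kind,
        "audience": claims.get("aud"),                       # resource (access) or client (ID)
        "client": claims.get("appid", claims.get("aud")),     # app that obtained the token
        "scopes": claims.get("scp", "").split(),
        "lifetime_seconds": claims["exp"] - claims["iat"],   # 3600 for the tokens on this page
        "expired": now >= claims["exp"],
        "user": claims.get("upn") or claims.get("preferred_username"),
    }


# Constructed access token: audience is the resource, appid is the client, scp lists the scopes.
DEMO_ACCESS_TOKEN = make_demo_jwt({
    "aud": "https://graph.microsoft.com",
    "appid": DEMO_CLIENT_ID,
    "scp": "User.Read Mail.Read",
    "upn": "alice@contoso.example",          # constructed user
    "iat": DEMO_ISSUED_AT,
    "exp": DEMO_ISSUED_AT + 3600,            # 1-hour lifetime, as the page states
})

# Constructed ID token: audience is the client itself, no scopes, carries the sign-in nonce.
DEMO_ID_TOKEN = make_demo_jwt({
    "aud": DEMO_CLIENT_ID,
    "nonce": "constructed-nonce",
    "preferred_username": "alice@contoso.example",
    "iat": DEMO_ISSUED_AT,
    "exp": DEMO_ISSUED_AT + 3600,
})

if __name__ == "__main__":
    for name, token in (("access", DEMO_ACCESS_TOKEN), ("id", DEMO_ID_TOKEN)):
        print(name, classify(verify_and_decode(token)))
```

The order matters: `verify_and_decode` refuses to hand back claims until the signature checks out, which is the validation step the page asks confidential clients to perform, and `classify` only ever sees verified claims. Running the script prints both summaries, with the access token showing graph.microsoft.com as its audience and the placeholder client id as the application that obtained it.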

Refresh Tokens (An Attacker’s Buffet)

  • Refresh tokens are a type of bearer token that an application can redeem to fetch a new set of bearer tokens. Since access tokens have a lifetime of 1 hour, this is where the refresh token becomes useful to an attacker. These tokens can be used continually within their 90-day lifetime to obtain new access tokens. Given this power, refresh tokens are typically the primary target for attackers, because they grant up to 90 days of continual access to a specific resource or application.

Primary Refresh Tokens

Valid for 14 days, these refresh tokens are used for single sign-on (SSO) across the applications used on the device and contain two additional details embedded in them:

  • Device ID: this field identifies the device on which the PRT resides

  • Session Key: acts as proof of possession when the PRT is used to obtain tokens for other applications

  • Conditional Access policies are not evaluated when PRTs are issued. Therefore, if an attacker steals a PRT, it will automatically satisfy device-based Conditional Access policies.