This article shows how to obtain and inspect access and OpenID Connect ID tokens without involving Magnolia when your identity provider is Microsoft Entra ID (formerly Azure AD / AAD). Getting the basic settings right in isolation first means far less troubleshooting once the Magnolia SSO module comes into play.
Prerequisites: an OpenID Connect application is registered in Entra, the groups claim has been added to the token payload (Token configuration of the app registration), and the test runs on your local machine.
In this text I use Postman, which has convenient built-in functions for testing an OAuth 2.0 / OpenID Connect configuration.
Entra application configuration
On the Entra side the only thing you need to do is register a redirect URI that matches what Postman will send. Entra matches redirect URIs exactly, so the value entered in Postman must be identical to a registered one (a registered http://localhost additionally accepts any port, which is why it is convenient for local testing).
There are several options:
- You can reuse an existing redirect URI, for example http://localhost:8080/magnoliaAuthor.
- You can add a redirect URI for localhost (http://localhost).
- If you want Postman to run the authorization step in your browser, register the callback Postman provides (https://oauth.pstmn.io/v1/callback). Note that the authorization code is then delivered through Postman's hosted callback service rather than directly to your machine.
Postman
Obtaining configuration values
In the Overview page of your app registration in Entra there is a link called Endpoints that lists the relevant endpoint URLs.
OpenID Connect Discovery publishes the provider's metadata at a well-known URL; Entra shows it in the same Endpoints dialog as the OpenID Connect metadata document.
For Entra, this URL usually looks like this:
https://login.microsoftonline.com/{{your-tenant-id-or-name}}/.well-known/openid-configuration
Entra publishes two variants of this document: the one above describes the v1.0 endpoints, while the one with /v2.0/ in front of /.well-known/ describes the v2.0 authorize and token endpoints used in the Postman configuration below, so use that variant to obtain matching values.
Open the URL in a browser; it should return a JSON document containing, among others, issuer, authorization_endpoint, token_endpoint and jwks_uri. These are the values an application (or Postman) needs to connect to Entra via OpenID Connect, and the issuer and jwks_uri are also what a relying party uses to validate the ID token later.
Postman token configuration
Create a new collection in Postman and open its Authorization tab. Select OAuth 2.0 from the Type drop-down menu, then open Configuration Options and fill in the necessary values:
Option | Hint | Example
---|---|---
Token Name | Arbitrary name |
Grant Type | Authorization Code (Postman logs you in and exchanges the code for tokens) | Authorization Code
Callback URL | Must be registered in Entra (see above) | http://localhost
Auth URL | authorization_endpoint from the metadata document | https://login.microsoftonline.com/{{tenant}}/oauth2/v2.0/authorize
Access Token URL | token_endpoint from the metadata document | https://login.microsoftonline.com/{{tenant}}/oauth2/v2.0/token
Client ID | Application (client) ID of the Entra app registration | 5b5ffb6c-f62e-43e5-b646-d3b782a1c03d
Client Secret | Client secret created under Certificates & secrets of the app registration | TLm8Q
Scope | Space separated; openid is required to receive an ID token | openid profile email
State | Random per-request value that binds the callback to the request you started (CSRF protection); {{$randomInt}} is a small Postman dynamic value (0 to 1000), acceptable for a manual test but not for a real client | {{$randomInt}}
The following values are needed again later for the Magnolia SSO configuration, so keep them at hand:
- Callback URL (redirect URI)
- Client ID (application ID)
- Client Secret
- Scope
Test token retrieval
Click Get New Access Token and sign in with your Entra credentials. If everything worked, Postman shows the freshly issued token.
The next screen displays the token details; with the openid scope, Postman lists the id_token alongside the access token.
The access token could be used to call APIs on behalf of the signed-in user, but for this test the point is that the round trip works. What Magnolia SSO consumes is the ID token, so that is the value to keep for the next steps.
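What Postman does behind Get New Access Token is a standard OAuth 2.0 authorization code exchange. The following added example (not code from the original article, from Postman or from Magnolia) reproduces it with the Python standard library: it builds the authorization request with a fresh state and nonce, validates the state on the callback, and prepares the body of the token request. Tenant, client ID, secret and authorization code are placeholders; no network call is made.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder values for this example; replace with your tenant and app registration.
TENANT = "contoso.onmicrosoft.com"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_SECRET = "placeholder-secret"
REDIRECT_URI = "http://localhost"
AUTH_URL = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize"
TOKEN_URL = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token"


def build_authorize_request(client_id, redirect_uri, scope="openid profile email"):
    """Return the URL the browser is sent to and the per-request secrets to keep.

    state binds the callback to this request (CSRF protection); nonce is echoed
    back inside the id_token so a replayed token can be detected.
    """
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": scope,
        "state": state,
        "nonce": nonce,
    }
    return f"{AUTH_URL}?{urlencode(params)}", {"state": state, "nonce": nonce}


def parse_callback(callback_url, expected_state, redirect_uri):
    """Validate the redirect back from Entra and extract the authorization code."""
    parsed = urlparse(callback_url)
    if f"{parsed.scheme}://{parsed.netloc}{parsed.path}" != redirect_uri:
        raise ValueError("callback arrived at an unexpected redirect URI")
    query = parse_qs(parsed.query)
    if "error" in query:
        # Entra reports problems (wrong redirect URI, consent denied, ...) here.
        raise ValueError(f"{query['error'][0]}: {query.get('error_description', [''])[0]}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or a stale callback")
    return query["code"][0]


def build_token_request(code, client_id, client_secret, redirect_uri):
    """Form body for the token endpoint; redirect_uri must repeat the one used above."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
        "scope": "openid profile email",
    }


if __name__ == "__main__":
    url, pending = build_authorize_request(CLIENT_ID, REDIRECT_URI)
    print("open in browser:", url)
    # Constructed callback, as Entra would redirect the browser after login.
    callback = f"{REDIRECT_URI}?code=0.AXYA-constructed-code&state={pending['state']}"
    code = parse_callback(callback, pending["state"], REDIRECT_URI)
    print("POST", TOKEN_URL, build_token_request(code, CLIENT_ID, CLIENT_SECRET, REDIRECT_URI))
```

If Postman reports an error at the callback stage, the error and error_description query parameters in the redirect carry Entra's reason; the same check is what parse_callback surfaces here.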
Authorize using browser
You can also run the authorization step in your system browser (Authorize using browser). In this mode Entra's error pages are shown in full, which often gives more detailed information for troubleshooting. The redirect URI Postman provides (https://oauth.pstmn.io/v1/callback) must then be registered in your Entra application configuration and used as the Callback URL.
Check token content
If you configured Entra to deliver group membership in the payload of your ID token, you can inspect it with a JWT decoder such as https://jwt.io. A JWT is only base64url encoded, not encrypted, so prefer decoding locally: a token from a real tenant pasted into a third-party website is a valid credential handed to someone else.
Note that with this configuration the group membership data is in the id_token, not the access token. Be sure to copy the correct token value before inspecting the payload.
Group membership looks like:
```json
"groups": [
"ac5db011-28d6-4738-8f3b-b84b52c41a56",
"3bf13aad-eead-44ee-b666-ba9669a5b120"
],
```
By default Entra emits group object IDs, not names.
The access token can be used to resolve the names via the Microsoft Graph API, but that deserves a separate article.
If a user is a member of more groups than fit into the token, Entra omits the groups claim and emits _claim_names and _claim_sources pointing to a Graph endpoint instead (the groups overage case), so a missing groups claim does not necessarily mean the claim is misconfigured.
Additionally, bear in mind that the callback URL / redirect URI may differ when the Magnolia SSO module is used; every redirect URI that is in play must be registered in Entra.
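To tie the metadata document and the token inspection together, here is an added example (Python standard library only; not code from the original article or from Magnolia). It decodes a JWT the way jwt.io does, without verifying the signature, then checks the issuer against the metadata document, the audience against the client ID, the expiry and the nonce, and extracts the groups claim while recognising the overage case. The discovery document, tenant ID, client ID and token are constructed placeholders; the sample token carries a dummy signature, so real verification still requires the keys from jwks_uri and a JOSE library.

```python
import base64
import json
import time

# Constructed placeholders for this example: no real tenant, client or token.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
CLIENT_ID = "5b5ffb6c-f62e-43e5-b646-d3b782a1c03d"
NONCE = "constructed-nonce"

# Subset of what Entra returns at /{tenant}/v2.0/.well-known/openid-configuration
DISCOVERY = {
    "issuer": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT_ID}/discovery/v2.0/keys",
    "id_token_signing_alg_values_supported": ["RS256"],
}

# Claims modelled on an Entra v2.0 id_token; all values are made up.
SAMPLE_PAYLOAD = {
    "iss": DISCOVERY["issuer"],
    "aud": CLIENT_ID,
    "iat": 1_700_000_000,
    "nbf": 1_700_000_000,
    "exp": 1_700_003_600,
    "nonce": NONCE,
    "oid": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "tid": TENANT_ID,
    "preferred_username": "alice@example.com",
    "groups": [
        "ac5db011-28d6-4738-8f3b-b84b52c41a56",
        "3bf13aad-eead-44ee-b666-ba9669a5b120",
    ],
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(part: str) -> bytes:
    # JWT segments drop the base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def make_sample_id_token(payload: dict) -> str:
    """Assemble a JWT-shaped string for the demo. The signature segment is a
    placeholder, so any real verifier would reject this token; Entra signs
    with RS256 using a key published at jwks_uri."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "constructed-kid"}
    segments = [
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        b64url_encode(b"constructed-signature"),
    ]
    return ".".join(segments)


def decode_jwt_unverified(token: str):
    """Split a compact JWT into header and payload dicts. No signature check,
    exactly like pasting into jwt.io: fine for inspection, never for trust."""
    header_b64, payload_b64, _signature_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def check_id_token_claims(payload, discovery, client_id, nonce, now=None):
    """Return the list of failed claim checks (empty list means all passed)."""
    now = time.time() if now is None else now
    problems = []
    if payload.get("iss") != discovery["issuer"]:
        problems.append("iss does not match the issuer from the metadata document")
    aud = payload.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        problems.append("aud is not this client ID")
    if now >= payload.get("exp", 0):
        problems.append("token expired")
    if now < payload.get("nbf", 0):
        problems.append("token not yet valid (nbf)")
    if payload.get("nonce") != nonce:
        problems.append("nonce does not match the authorization request")
    return problems


def groups_from_id_token(payload):
    """Group object IDs from the payload. In the overage case Entra replaces the
    list with _claim_names/_claim_sources; report that instead of 'no groups'."""
    if "groups" in payload:
        return list(payload["groups"])
    if "groups" in payload.get("_claim_names", {}):
        raise LookupError("groups overage: fetch membership from Microsoft Graph, "
                          f"see _claim_sources={payload.get('_claim_sources')}")
    return []


if __name__ == "__main__":
    token = make_sample_id_token(SAMPLE_PAYLOAD)
    header, payload = decode_jwt_unverified(token)
    print("alg:", header["alg"], "kid:", header["kid"])
    print("claim problems:", check_id_token_claims(payload, DISCOVERY, CLIENT_ID, NONCE, now=1_700_001_000))
    print("groups:", groups_from_id_token(payload))
```

To inspect a token obtained from Postman, pass its id_token string to decode_jwt_unverified and the issuer from the v2.0 metadata document of your tenant to check_id_token_claims; an issuer mismatch here usually means the v1.0 metadata document was used together with the v2.0 endpoints.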
Token generation problems
If you receive errors while executing the steps above, fix them until you receive a valid ID token. Do not continue with the Magnolia SSO configuration until this standalone test works; otherwise you end up debugging the Entra setup and the Magnolia setup at the same time.