Manually Using Fiddler to Authenticate (Part II – Actual Walkthrough)

In this second part of Manually Using Fiddler to Authenticate I’ll use a combination of a web browser and Fiddler to request first an authorization code and then an access token from the Azure Active Directory (AAD) tenant I set up in an earlier post. This follows the OAuth 2.0 authorization code workflow covered in this MSDN document.

There are a couple of things I’ll need before I start:

– The tenant id of the AAD tenant I’m going to sign into. This can be the actual id (eg e688d594-8643-4bdf-9e4c-0be8bcbc645f, which you can see in the address bar when editing information via the Azure portal) or the tenant’s domain name:

– The Client Id of the application I set up for the native client (remember that I’m effectively simulating the workflow my native clients will go through, so it makes sense to use that AAD application)


– The redirect uri defined in the AAD application for the native client. When we actually come to use this process in the native client we will of course have to determine the native client’s redirect uri and add it to the AAD application, but for the time being I’ll use the value I specified when setting up the AAD application:


NOTE: I need to make sure I url encode the values of any query string parameters (there are plenty of web based converters – I use this URL decoder/encoder), so in this case the redirect uri needs to be specified as follows. The value must match the redirect uri registered on the AAD application exactly, and the same value is sent again, unchanged, in the access token request:

Putting this all together we can generate the url for requesting an authorization code. Navigating to this url in a web browser prompts the user to sign in using the standard AAD sign in prompt:


After signing in the user is redirected to the redirect uri, with the authorization code included in the query string of the address, eg

The next step is to request an access token. Remember that this access token needs permission to access the Mobile Service I set up, so when requesting it I must specify the Mobile Service as the resource I want access to. Here are the parameters I need for the access token request.

grant_type=authorization_code   <— required by the token endpoint; tells it we are exchanging an authorization code
client_id=a5a10ee9-f871-4bde-997f-3f1c323fefa5   <— same as the authorization code request
code=AAABAAAAvPM1KaP———–_WR3JtQ_Ig1xIAA   <— the code returned in the redirect (truncated for brevity)
resource=   <— the Mobile Service APP ID URI specified in the AAD application set up for the Mobile Service
redirect_uri=   <— the same redirect uri used in the authorization code request

Putting this all together into a POST request to the token endpoint that I can issue in Fiddler. The body is form encoded, so the request carries the header:

Content-Type: application/x-www-form-urlencoded

What I get back from this request is a JSON response:


The response contains a number of values which can be used for a variety of things. One of them is the access token itself, a JSON Web Token (JWT) whose claims you can decode and explore with any JWT decoder. Decoding only shows you the claims; the Mobile Service still has to validate the token’s signature and check that its audience is the Mobile Service before trusting any of them.
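The whole procedure above (build the authorization url with encoded parameters, pull the code out of the redirect, build the form encoded POST to the token endpoint, then inspect the JWT that comes back) as a small Python script. This is an added example and not code from the original post: the tenant id and client id are the ones quoted above, but the redirect uri, the Mobile Service APP ID URI and the sample token response are placeholders constructed here, and the login.microsoftonline.com v1 endpoints are an assumption about which authority the post was using. Nothing is sent over the network, so it runs offline.

```python
"""Added example, not from the original post. Builds the two requests the
walkthrough issues by hand in Fiddler and inspects the returned token."""
import base64
import json
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Assumption: AAD v1 endpoints under this authority.
AUTHORITY = "https://login.microsoftonline.com"

TENANT_ID = "e688d594-8643-4bdf-9e4c-0be8bcbc645f"     # quoted in the post
CLIENT_ID = "a5a10ee9-f871-4bde-997f-3f1c323fefa5"     # quoted in the post
REDIRECT_URI = "http://localhost/fiddler-walkthrough"  # placeholder, not the post's value
RESOURCE = "https://example.azure-mobile.net/"         # placeholder Mobile Service APP ID URI


def build_authorize_url(tenant, client_id, redirect_uri, state):
    """Step 1: the browser url that shows the AAD sign in prompt and returns a code.
    urlencode() does the percent encoding the post does by hand."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,  # opaque value checked on return so a foreign redirect is rejected
    }
    return f"{AUTHORITY}/{tenant}/oauth2/authorize?{urlencode(params)}"


def parse_redirect(redirected_url, expected_state):
    """Step 2: pull the authorization code out of the redirect that follows sign in.
    Returns None when state does not match (a redirect we did not start)."""
    qs = parse_qs(urlparse(redirected_url).query)
    if qs.get("state", [None])[0] != expected_state:
        return None
    return qs.get("code", [None])[0]


def build_token_request(tenant, client_id, code, redirect_uri, resource):
    """Step 3: the POST replayed in Fiddler. Returns (url, headers, body).
    grant_type is required, and redirect_uri must repeat the step 1 value exactly."""
    body = urlencode({
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,
        "resource": resource,
    })
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return f"{AUTHORITY}/{tenant}/oauth2/token", headers, body


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token):
    """Decode a JWT's header and payload for inspection only. The signature is
    NOT verified here; the Mobile Service must do that before trusting a claim."""
    header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(header)), json.loads(_b64url_decode(payload))


def token_is_for_resource(token, resource):
    """The point of step 3: the token's audience must be the Mobile Service."""
    _, claims = decode_jwt_claims(token)
    return claims.get("aud") == resource


def _make_sample_jwt(claims):
    """Constructed three part JWT with a dummy signature, so the script runs offline.
    This is NOT a real AAD token."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'typ': 'JWT', 'alg': 'RS256'})}.{enc(claims)}.dummysignature"


# Constructed sample; the shape mirrors the JSON the token endpoint returns.
SAMPLE_TOKEN_RESPONSE = {
    "token_type": "Bearer",
    "expires_in": "3599",
    "resource": RESOURCE,
    "access_token": _make_sample_jwt({
        "aud": RESOURCE,
        "iss": f"https://sts.windows.net/{TENANT_ID}/",
        "appid": CLIENT_ID,
        "upn": "user@example.com",
    }),
    "refresh_token": "AAABAAAA...truncated...",
}


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    print("Browse to:", build_authorize_url(TENANT_ID, CLIENT_ID, REDIRECT_URI, state))
    # Constructed redirect, as the browser address bar would show it after sign in.
    redirect = f"{REDIRECT_URI}?code=AAABAAAAvPM1KaP...truncated&state={state}"
    code = parse_redirect(redirect, state)
    url, headers, body = build_token_request(TENANT_ID, CLIENT_ID, code, REDIRECT_URI, RESOURCE)
    print("POST", url, headers, body, sep="\n")
    print("aud matches Mobile Service:",
          token_is_for_resource(SAMPLE_TOKEN_RESPONSE["access_token"], RESOURCE))
```

The `state` parameter is the one thing the manual Fiddler walkthrough does not need but a real client should always send: without it, a code delivered to the redirect uri could have come from a sign in someone else started.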


1 thought on “Manually Using Fiddler to Authenticate (Part II – Actual Walkthrough)”

  1. Nice presentation of the article. The words are properly used, and supported by the snippets. Encoding the URL or string is important. Sometimes a little mistake becomes the hurdle in the implementation of the project. For that, you can also check that tool, which provides more functionality in that sense.
