🔍 Azure OIDC Debug Tool

See exactly what Azure sends back during OpenID Connect login — including app roles.

What this does: Performs a raw OIDC flow (no Socialite) and displays every token and claim Azure returns. Specifically, it requests an ID token where your app roles should appear.

Your Configuration

Tenant ID: eff9c4da-84d4-473e-a5ce-df20fb35ca28
Client ID: 6bc3da96-f4e3-4fff-b6ad-51589b1069ae
Redirect URI: https://flowdebug.communify.org.au/callback
Client Secret: configured (hidden)

What This Will Request

response_type: code id_token
response_mode: form_post
scope: openid profile email User.Read
endpoint: v2.0 (oauth2/v2.0/authorize)
⚠️ Azure Requirement: For response_type=code id_token to work, you must enable "ID tokens" in Azure Portal → App Registration → Authentication → Implicit grant and hybrid flows.
🚀 Raw OIDC Login Flow | 🔮 Socialite Login Flow

What's the difference?

Raw OIDC: Manual OAuth flow requesting code + id_token. Shows exactly what Azure returns including app roles in the ID token.
Socialite: Uses Laravel Socialite's Azure driver. Shows what your actual app sees — and where roles get lost.
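
The raw flow described above, sketched in Python as an added example (this is not the tool's own code). It builds the authorize request from the values on this page and decodes the form_post callback to show where app roles land. The `roles` claim name is Azure's standard app-role claim; the helper names, the sample token and the role name are constructed for illustration.

```python
import base64, json, secrets
from urllib.parse import urlencode

# Values shown on this page under "Your Configuration".
TENANT = "eff9c4da-84d4-473e-a5ce-df20fb35ca28"
CLIENT_ID = "6bc3da96-f4e3-4fff-b6ad-51589b1069ae"
REDIRECT_URI = "https://flowdebug.communify.org.au/callback"
AUTHORITY = f"https://login.microsoftonline.com/{TENANT}"

def build_authorize_url(state, nonce):
    """Hybrid-flow request with the parameters listed under 'What This Will Request'."""
    params = {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "response_type": "code id_token", "response_mode": "form_post",
              "scope": "openid profile email User.Read",
              "state": state, "nonce": nonce}
    return f"{AUTHORITY}/oauth2/v2.0/authorize?{urlencode(params)}"

def b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def inspect_callback(form, expected_state, expected_nonce):
    """Decode the form_post body for display only: the signature is NOT verified here."""
    if not secrets.compare_digest(form.get("state", ""), expected_state):
        raise ValueError("state mismatch: response does not belong to this login")
    header_b64, payload_b64, _signature = form["id_token"].split(".")
    header, claims = b64url_json(header_b64), b64url_json(payload_b64)
    expected = {"iss": f"{AUTHORITY}/v2.0", "aud": CLIENT_ID, "nonce": expected_nonce}
    problems = [f"{k} mismatch" for k, v in expected.items() if claims.get(k) != v]
    if header.get("alg") != "RS256":
        problems.append("alg is not RS256")
    if "roles" not in claims:
        problems.append("no roles claim in ID token")
    return claims.get("roles", []), problems

def sample_id_token(claims):
    """Constructed, unsigned stand-in for Azure's ID token (sample data only)."""
    seg = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([seg({"alg": "RS256", "typ": "JWT"}), seg(claims), "constructed-sig"])

if __name__ == "__main__":
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(build_authorize_url(state, nonce))
    token = sample_id_token({"iss": f"{AUTHORITY}/v2.0", "aud": CLIENT_ID,
                             "nonce": nonce, "roles": ["Reports.Admin"]})  # constructed role
    print(inspect_callback({"state": state, "code": "constructed", "id_token": token}, state, nonce))
```

Decoding like this is enough for a debug display. An application that authorizes on `roles` must first verify the token's RS256 signature against the keys published at the `jwks_uri` in the OpenID configuration.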

OpenID Configuration

From: https://login.microsoftonline.com/eff9c4da-84d4-473e-a5ce-df20fb35ca28/v2.0/.well-known/openid-configuration

{
    "token_endpoint": "https://login.microsoftonline.com/eff9c4da-84d4-473e-a5ce-df20fb35ca28/oauth2/v2.0/token",
    "token_endpoint_auth_methods_supported": [
        "client_secret_post",
        "private_key_jwt",
        "client_secret_basic",
        "self_signed_tls_client_auth"
    ],
    "jwks_uri": "https://login.microsoftonline.com/eff9c4da-84d4-473e-a5ce-df20fb35ca28/discovery/v2.0/keys",
    "response_modes_supported": [
        "query",
        "fragment",
        "form_post"
    ],
    "subject_types_supported": [
        "pairwise"
    ],
    "id_token_signing_alg_values_supported": [
        "RS256"
    ],
    "response_types_supported": [
        "code",
        "id_token",
        "code id_token",
        "id_token token"
    ],
    "scopes_supported": [
        "openid",
        "profile",
        "email",
        "offline_access"
    ],
    "issuer": "https://login.microsoftonline.com/eff9c4da-84d4-473e-a5ce-df20fb35ca28/v2.0",
    "request_uri_parameter_supported": false,
    "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
    "authorization_endpoint": "https://login.microsoftonline.com/eff9c4da-84d4-473e-a5ce-df20fb35ca28/oauth2/v2.0/authorize",
    "device_authorization_endpoint": "https://login.microsoftonline.com/eff9c4da-84d4-473e-a5ce-df20fb35ca28/oauth2/v2.0/devicecode",
    "http_logout_supported": true,
    "frontchannel_logout_supported": true,
    "end_session_endpoint": "https://login.microsoftonline.com/eff9c4da-84d4-473e-a5ce-df20fb35ca28/oauth2/v2.0/logout",
    "claims_supported": [
        "sub",
        "iss",
        "cloud_instance_name",
        "cloud_instance_host_name",
        "cloud_graph_host_name",
        "msgraph_host",
        "aud",
        "exp",
        "iat",
        "auth_time",
        "acr",
        "nonce",
        "preferred_username",
        "name",
        "tid",
        "ver",
        "at_hash",
        "c_hash",
        "email"
    ],
    "kerberos_endpoint": "https://login.microsoftonline.com/eff9c4da-84d4-473e-a5ce-df20fb35ca28/kerberos",
    "mtls_endpoint_aliases": {
        "token_endpoint": "https://mtlsauth.microsoft.com/eff9c4da-84d4-473e-a5ce-df20fb35ca28/oauth2/v2.0/token"
    },
    "tls_client_certificate_bound_access_tokens": true,
    "tenant_region_scope": "OC",
    "cloud_instance_name": "microsoftonline.com",
    "cloud_graph_host_name": "graph.windows.net",
    "msgraph_host": "graph.microsoft.com",
    "rbac_url": "https://pas.windows.net"
}