James Wood

Reputation: 17562

Azure Active Directory, Allowed Token Audiences doesn't appear to do anything

I have Azure AD B2C, and I am using it to secure an Azure Function. Users authenticate with the Azure Function by providing a JWT Bearer Token for authorization in the header.

This all works correctly.

I have now tried to apply the Allow Token Audience in the Authentication / Authorization configuration panel.


I had thought Allow Token Audience would validate the audience (aud) claim of my JWT token - which for my JWT token matches my Client Id.

This does not appear to be the case. All the values I supplied for Allow Token Audience are incorrect, but users are still successfully authenticated.

How is Allow Token Audience supposed to be used?

Upvotes: 4

Views: 3620

Answers (1)

mattchenderson

Reputation: 1620

Per the comments, the issue seems to be that the client ID is accepted as an audience. This is expected behavior. App Service always allows the client ID and the base site URL (yoursite.azurewebsites.net) as valid audiences. The "Allowed token audiences" option is meant to provide additional audiences, such as if you were using a custom domain, etc.

This is certainly confusing. There are probably UX improvements that could communicate this better (info balloon, list entries that can't be removed, etc.).

Upvotes: 2
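As an added illustration (not code from the question or the answer), the following Python models the audience rule the answer describes: the client ID and the base site URL are always accepted, and the "Allowed token audiences" list only extends that set. The GUID, site URL and HS256 secret are constructed values; real App Service tokens are RS256 and are verified against the tenant's published signing keys, which the HMAC here stands in for.

```python
import base64, hmac, hashlib, json, time

# Constructed values for this example; they do not come from the original post.
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
SITE_URL = "https://example-func.azurewebsites.net"
SECRET = b"constructed-shared-secret"  # HS256 stands in for the real RS256/JWKS check

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_token(aud: str, exp_in: int = 300) -> str:
    """Mint a constructed HS256 JWT carrying the given aud claim (test fixture only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"aud": aud, "exp": int(time.time()) + exp_in}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def effective_audiences(client_id: str, site_url: str, allowed_token_audiences):
    """Model of the App Service rule from the answer: the client ID and the site URL
    are always valid audiences; 'Allowed token audiences' only adds entries."""
    return {client_id, site_url} | set(allowed_token_audiences)

def validate(token: str, allowed_token_audiences=()) -> bool:
    """Verify signature, expiry and aud membership; any failure yields False."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return False  # not three dot-separated segments
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return False  # tampered payload or signed with another key
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) <= time.time():
        return False  # expired
    # RFC 7519 allows aud to be a string or a list; normalise to a set
    aud = claims.get("aud")
    auds = {aud} if isinstance(aud, str) else set(aud or [])
    return bool(auds & effective_audiences(CLIENT_ID, SITE_URL, allowed_token_audiences))
```

With this model, a token whose aud is the client ID passes even when the configured list holds only unrelated values, which is exactly the behaviour the question reports; a custom-domain audience passes only once it is added to the list.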
