Davide De Santis

Reputation: 1035

IDX10503: Signature validation failed with Microsoft Graph and Azure AD

I have an ASP.NET Core WebApi which uses Azure AD Bearer Tokens (passed by the Frontend, acquired using adal.js).
Currently, we are using the Azure AD Graph API and everything works fine.
As recommended by Microsoft, we would like to migrate from Azure AD Graph API to Microsoft Graph.

I changed the audience from https://graph.windows.net to https://graph.microsoft.com both in the API and Frontend. I can successfully acquire a token, which looks almost the same as the old one when decrypted in jwt.io, but when I pass it to the API I get:

Bearer was not authenticated. Failure message: IDX10503: Signature validation failed. Keys tried: 'Microsoft.IdentityModel.Tokens.X509SecurityKey

Did I miss something? As far as I know, it should be possible to sign in using the Microsoft Graph, right?

Upvotes: 0

Views: 2369

Answers (1)

juunas

Reputation: 58733

If I understood correctly, you have configured your API audience as the MS Graph API audience. You should not do this. Firstly, MS Graph API access tokens are a bit special and you should not try to validate them; secondly, because your API is not MS Graph API.

Your front-end should acquire an access token for your API. This requires you to configure your API audience as either its client id or Application ID URI (or both). Azure AD allows the front-end to acquire the token using either of those. The API can then exchange that for an MS Graph API token using the On-Behalf-Of flow.

Upvotes: 1
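The setup the answer describes, as an added example that is not code from the question, the answer, or any Microsoft sample: an ASP.NET Core API that accepts only tokens minted for itself (audience = its own client id or Application ID URI) and then exchanges such a token for a Microsoft Graph token with the On-Behalf-Of flow. It assumes the `Microsoft.AspNetCore.Authentication.JwtBearer` and `Microsoft.Identity.Client` (MSAL.NET) packages, placeholder tenant id, client id and client secret, and the v1 authority because the front end in the question uses adal.js; the `MeController` route and the `User.Read` scope are illustrative choices.

```csharp
// Added example (not the answer's own code). Placeholder ids and secret below
// stand in for values that would come from configuration in a real deployment.
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Client;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    // Hypothetical values for illustration only.
    const string TenantId = "00000000-0000-0000-0000-000000000000";
    const string ApiClientId = "11111111-1111-1111-1111-111111111111";
    const string ApiClientSecret = "<client-secret-from-configuration>";

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // v1 authority (adal.js front end). Issuer and signing keys are
                // discovered from this authority's OpenID Connect metadata.
                options.Authority = $"https://login.microsoftonline.com/{TenantId}";
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    // Accept only tokens issued for THIS API: either its client id or
                    // its Application ID URI (adal.js may request either as "resource").
                    // A token with aud = https://graph.microsoft.com is rejected here
                    // rather than being treated as a sign-in to this API.
                    ValidateAudience = true,
                    ValidAudiences = new[] { ApiClientId, $"api://{ApiClientId}" },
                    ValidateIssuer = true,     // issuer taken from discovered metadata
                    ValidateLifetime = true,
                };
            });

        // Confidential client used for the On-Behalf-Of exchange.
        services.AddSingleton<IConfidentialClientApplication>(
            ConfidentialClientApplicationBuilder.Create(ApiClientId)
                .WithClientSecret(ApiClientSecret)
                .WithAuthority($"https://login.microsoftonline.com/{TenantId}")
                .Build());

        services.AddControllers();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}

[ApiController]
[Route("api/[controller]")]
[Authorize]   // the incoming bearer token has already been validated against ValidAudiences
public class MeController : ControllerBase
{
    private static readonly HttpClient Http = new HttpClient();
    private readonly IConfidentialClientApplication _cca;

    public MeController(IConfidentialClientApplication cca) => _cca = cca;

    [HttpGet]
    public async Task<IActionResult> Get()
    {
        // The validated token for THIS API becomes the user assertion of the OBO
        // request; the token MSAL returns has aud = Microsoft Graph and is never
        // validated by this API, only forwarded.
        var authorization = Request.Headers["Authorization"].ToString();
        if (!authorization.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
            return Unauthorized();
        var incomingToken = authorization.Substring("Bearer ".Length).Trim();

        AuthenticationResult obo = await _cca
            .AcquireTokenOnBehalfOf(new[] { "https://graph.microsoft.com/User.Read" },
                                    new UserAssertion(incomingToken))
            .ExecuteAsync();

        var graphRequest = new HttpRequestMessage(HttpMethod.Get,
            "https://graph.microsoft.com/v1.0/me");
        graphRequest.Headers.Authorization =
            new AuthenticationHeaderValue("Bearer", obo.AccessToken);

        var graphResponse = await Http.SendAsync(graphRequest);
        var body = await graphResponse.Content.ReadAsStringAsync();
        return StatusCode((int)graphResponse.StatusCode, body);
    }
}
```

With this configuration the front end must ask adal.js for a token whose resource is the API's own client id or Application ID URI, not `https://graph.microsoft.com`; the API's app registration also needs the Graph delegated permission (here `User.Read`) granted, and the front-end registration needs permission to call the API, otherwise the OBO request fails with a consent error rather than a signature error.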
