Adam

Reputation: 4174

Issuer is Invalid when calling ASP.NET Core 2.2 from Angular 7 (MSAL)

ASP.NET Core 2.2 Application with Azure AD B2C (using URL Endpoint v2.0):

I configured my core application as follows AppSettings.js:

"AzureAdB2C": {
  "Instance": "https://login.microsoftonline.com/tfp",
  "ClientId": "{ClientIdGuid}",
  "Domain": "{Subdomain}.onmicrosoft.com",
  "SignUpSignInPolicyId": "B2C_1_SignUpSignInDevelopment"
}

Startup:

public void ConfigureServices(IServiceCollection services)
{
    ...
    services.AddAuthentication(AzureADB2CDefaults.JwtBearerAuthenticationScheme)
    .AddAzureADB2CBearer(o => Configuration.Bind("AzureAdB2C", o));    
}

public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    ...
    app.UseAuthentication();
    app.UseMvc(o => { o.MapRoute(name: "d", template: "{controller}/{action=Index}/{id?}"); });
}

My Angular 7 client uses MSAL with the following settings:

MsalModule.forRoot({
  clientID: environment.azureB2CClientID,
  authority: "https://" + environment.azureTenantIDSubdomain + ".b2clogin.com/tfp/" +
    environment.azureTenantIDSubdomain + ".onmicrosoft.com/" +
    environment.azureSignUpSignInPolicyId + "/v2.0",
  redirectUri: environment.schemeAndAuthority + "/home",
  validateAuthority: false,
  cacheLocation : "localStorage",
  postLogoutRedirectUri: environment.schemeAndAuthority + "/",
  popUp: false
}),

which when calling the APIs generates this Bearer JWT:

{
  "exp": 1547479156,
  "nbf": 1547475556,
  "ver": "1.0",
  "iss": "https://{Subdomain}.b2clogin.com/{Guid1}/v2.0/",
  "sub": "{Guid2}",
  "aud": "{Guid3}",
  "nonce": "{Guid4}",
  "iat": 1547475556,
  "auth_time": 1547475556,
  "oid": "{Guid5}",
  "tfp": "B2C_1_SignUpSignInDevelopment"
}

And my .well-known looks like this: https://login.microsoftonline.com/tfp/{Subdomain}.onmicrosoft.com/B2C_1_SignUpSignInDevelopment/.well-known/openid-configuration

{
  "issuer": "https://login.microsoftonline.com/{ClientGuid}/",
  "authorization_endpoint": "https://login.microsoftonline.com/te/{Subdomain}.onmicrosoft.com/b2c_1_signupsignindevelopment/oauth2/authorize",
  "token_endpoint": "https://login.microsoftonline.com/te/{Subdomain}.onmicrosoft.com/b2c_1_signupsignindevelopment/oauth2/token",
    ...
}

Whenever I am calling my [Authorize] protected API Controller (ASP.NET Core 2.2), I am getting 401:

www-authenticate: Bearer error="invalid_token", error_description="The issuer is invalid"

I realized that the Issuer in the .well-known is different from that of the generated Bearer JWT. But I have not set the issuer on the Angular side nor on the Azure AD B2C side.

Is this problem caused by different issuers on Angular and Azure AD B2C sides? And if so, which issuer should I change and how?

Upvotes: 3

Views: 4560

Answers (1)

Chris Padgett

Reputation: 14724

You must ensure the issuer domains are consistent for both the client application and the API application; otherwise, the client application is issued an access token for one issuer domain and the API application is validating it for another issuer domain.

You are using {tenant}.b2clogin.com for the client application and login.microsoftonline.com for the API application.

I suggest you use {tenant}.b2clogin.com for both.

Upvotes: 9
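A small Python diagnostic, added here and not part of the question or the answer, that reproduces the check the API performs on the bearer token: decode the token's iss claim and compare it, with the exact string match the default JwtBearer issuer validator uses, against the issuer in the discovery document the API is configured for. The b2clogin.com discovery document and all GUID placeholders are constructed values, and the sample token is unsigned and built only for inspection.

```python
import base64
import json

# Constructed sample claims mirroring the token in the question (placeholder GUIDs kept).
SAMPLE_CLAIMS = {
    "iss": "https://{Subdomain}.b2clogin.com/{Guid1}/v2.0/",
    "aud": "{Guid3}",
    "tfp": "B2C_1_SignUpSignInDevelopment",
}

# Constructed discovery documents: the first copies the issuer from the question's
# login.microsoftonline.com metadata; the second is an assumed b2clogin.com document.
DISCOVERY_MSONLINE = {"issuer": "https://login.microsoftonline.com/{ClientGuid}/"}
DISCOVERY_B2CLOGIN = {"issuer": "https://{Subdomain}.b2clogin.com/{Guid1}/v2.0/"}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_jwt(claims: dict) -> str:
    """Build header.payload.signature for inspection only; the signature segment is left empty."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


def decode_jwt_payload(token: str) -> dict:
    """Return the payload claims without verifying the signature (diagnostic use only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def diagnose(token: str, discovery_doc: dict) -> str:
    """Mirror the default JwtBearer issuer check: exact string equality, trailing slash included."""
    iss = decode_jwt_payload(token)["iss"]
    if iss == discovery_doc["issuer"]:
        return "issuer ok"
    return f"issuer mismatch: token iss={iss!r}, metadata issuer={discovery_doc['issuer']!r}"


if __name__ == "__main__":
    token = make_sample_jwt(SAMPLE_CLAIMS)
    print(diagnose(token, DISCOVERY_MSONLINE), diagnose(token, DISCOVERY_B2CLOGIN), sep="\n")
```

Run against the login.microsoftonline.com document it reports the mismatch behind the 401 in the question; against the b2clogin.com document, which is what pointing the API's Instance at {tenant}.b2clogin.com would make it fetch, the issuer check passes.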
