Reputation: 10452
Here's my situation:
knownClientApplications array in the service app manifest. When trying to access an endpoint with the token retrieved by the client, I'm seeing the following error in the debug output of my service:
Failure message: IDX10214: Audience validation failed. Audiences: 'client App ID'. Did not match: validationParameters.ValidAudience: 'service App ID' or validationParameters.ValidAudiences: 'null'.
I suspect that if I were to ditch the client App ID and just use the service App ID in the client as well things would probably work fine, but that doesn't seem correct.
Should I just set validationParameters.ValidAudiences? If so, how do I do that? The pertinent section of my startup.cs shows:
services.AddAuthentication(AzureADDefaults.BearerAuthenticationScheme)
.AddAzureADBearer(options => Configuration.Bind("AzureAD", options));
Or, is there something I need to change in my client-side msal-angular configuration to tell it I need the token audience to reflect my service app id?
Upvotes: 1
Views: 5708
Reputation: 15629
The scope in your client web application should be Application ID URL/.default
api://691af574-47f6-4b8e-b544-b75ec4387938/TodoListService/.default
You can find this in the web API application.
Upvotes: 2
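As an added illustration of the answer above (example code, not part of the original question or answer), the following Node.js script shows how the scope the client requests decides the `aud` claim of the access token, and reproduces the audience check that produced IDX10214 on the service side. The API's Application ID URI is the one quoted in the answer; the service App ID, the client App ID and the API URL are constructed placeholders, and the tokens are constructed and unsigned, used only to demonstrate the audience comparison (a real API must verify the signature before trusting any claim).

```javascript
// Added example, not from the original post: shows how the MSAL scope maps to
// the token's "aud" claim and mirrors the audience step that failed with IDX10214.
//
// Assumptions (placeholders, not real tenants or apps):
//   - API_APP_ID_URI is the Application ID URI quoted in the answer.
//   - API_APP_ID and CLIENT_APP_ID are constructed GUIDs.
//   - The API URL in the protected resource map is a constructed placeholder.
// Tokens built here are UNSIGNED (alg "none") and only demonstrate the aud check.

const API_APP_ID_URI = "api://691af574-47f6-4b8e-b544-b75ec4387938/TodoListService";
const API_APP_ID = "691af574-47f6-4b8e-b544-b75ec4387938";     // service App ID (GUID part)
const CLIENT_APP_ID = "11111111-2222-3333-4444-555555555555";  // constructed client App ID

// The scope the msal-angular client should request: "<Application ID URI>/.default".
function buildDefaultScope(appIdUri) {
  return `${appIdUri.replace(/\/+$/, "")}/.default`;
}

// Shape of a msal-angular protectedResourceMap entry (API URL is a placeholder).
function protectedResourceMapFor(apiUrl, appIdUri) {
  return new Map([[apiUrl, [buildDefaultScope(appIdUri)]]]);
}

// Audiences the API should accept: v1.0 access tokens carry the App ID URI in
// "aud", v2.0 tokens carry the API's App ID GUID. Accepting both avoids a
// spurious IDX10214 when the token version changes.
function validAudiencesFor(apiAppIdUri, apiAppId) {
  return [apiAppIdUri, apiAppId];
}

function base64url(str) {
  return Buffer.from(str, "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Build an UNSIGNED test token; the empty third segment makes that explicit.
function makeUnsignedToken(payload) {
  const header = base64url(JSON.stringify({ alg: "none", typ: "JWT" }));
  return `${header}.${base64url(JSON.stringify(payload))}.`;
}

function decodePayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Mirrors the audience step of the token handler: at least one value in "aud"
// must equal one of the configured valid audiences, compared as exact strings.
function validateAudience(token, validAudiences) {
  const { aud } = decodePayload(token);
  const audiences = Array.isArray(aud) ? aud : [aud];
  const ok = audiences.some((a) => validAudiences.includes(a));
  return {
    ok,
    message: ok
      ? "audience ok"
      : `Audience validation failed. Audiences: '${audiences.join(",")}'. ` +
        `Did not match valid audiences: '${validAudiences.join(",")}'.`,
  };
}

// Scenario 1: the client requested a scope on its own App ID, so the token's
// aud is the client App ID. This is the situation in the question.
const wrongScopeToken = makeUnsignedToken({ aud: CLIENT_APP_ID, scp: "user_impersonation" });
// Scenario 2: the client requested "<API App ID URI>/.default", so aud is the API.
const rightScopeToken = makeUnsignedToken({ aud: API_APP_ID_URI, scp: "access_as_user" });

const validAudiences = validAudiencesFor(API_APP_ID_URI, API_APP_ID);

console.log("scope to request:", buildDefaultScope(API_APP_ID_URI));
console.log("protectedResourceMap:",
  protectedResourceMapFor("https://localhost:44351/api/todolist", API_APP_ID_URI));
console.log("wrong scope ->", validateAudience(wrongScopeToken, validAudiences).message);
console.log("right scope ->", validateAudience(rightScopeToken, validAudiences).message);
```

The first scenario reproduces the mismatch from the question: the token's `aud` is the client App ID, so it fails against the service's valid audiences. Requesting `api://<App ID>/TodoListService/.default` from msal-angular makes Azure AD issue a token whose `aud` is the API itself, which is the fix the answer describes; the service side does not need a custom `ValidAudiences` list for that, though accepting both the App ID URI and the App ID GUID is a harmless safeguard.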