4imble

Reputation: 14426

Azure AD Audience / Resource

I am converting my .NET Core application from using ADFS to Azure AD. I have managed to get it all working but don't understand some of the configuration.

The final error that I resolved was this:

WWW-Authenticate: Bearer error="invalid_token", error_description="The audience '00000002-0000-0000-c000-000000000000' is invalid"

If I change my Audience in startup (AddJwtBearer) to 00000002-0000-0000-c000-000000000000, it all works.

The thing is, I have no idea what this identifier relates to; searching through everything in Azure, there's no mention of this code.

The closest thing was in the manifest, which had a code starting with 00000003.

What is this id relating to?

Upvotes: 0

Views: 1620

Answers (2)

Carl Zhao

Reputation: 9569

00000002-0000-0000-c000-000000000000 is the AAD Graph API; if you use it as an audience, you will get an AAD Graph token.

00000003-0000-0000-c000-000000000000 is the Microsoft Graph API; if you use it as an audience, you will get an MS Graph token.

Upvotes: 1
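
An added example, not part of the question or of any answer: a small Python diagnostic that reads a token's `aud` claim to show which resource it was issued for and whether that matches the audience an API is configured with. The resource IDs are the two named in the answer above; the sample tokens are constructed and unsigned, and `MY_API` is a hypothetical App ID URI. It decodes the payload only and does not verify the signature.

```python
import base64
import json

# Resource IDs named in the answer above.
KNOWN_RESOURCES = {
    "00000002-0000-0000-c000-000000000000": "AAD Graph API",
    "00000003-0000-0000-c000-000000000000": "Microsoft Graph API",
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Decode the payload segment only; the signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def explain_audience(token: str, expected: str) -> str:
    """Report which resource a token was issued for and whether it matches."""
    aud = jwt_claims(token).get("aud")
    audiences = aud if isinstance(aud, list) else [aud]  # RFC 7519: string or array
    if expected in audiences:
        return f"ok: token was issued for {expected}"
    names = [KNOWN_RESOURCES.get(str(a).lower(), "unrecognised resource") for a in audiences]
    return f"mismatch: aud={audiences} ({', '.join(names)}), API expects {expected}"


def make_sample(aud) -> str:
    # Constructed, unsigned token for illustration only.
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = b64url(json.dumps({"aud": aud, "iss": "https://issuer.example"}).encode())
    return f"{header}.{body}.sig"


MY_API = "api://11111111-2222-3333-4444-555555555555"  # hypothetical App ID URI

if __name__ == "__main__":
    print(explain_audience(make_sample("00000002-0000-0000-c000-000000000000"), MY_API))
    print(explain_audience(make_sample(MY_API), MY_API))
```
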

SureshBabu

Reputation: 474

Referring to the error "The audience '00000002-0000-0000-c000-000000000000' is invalid":

Scenario: Usually, this kind of error message pops up when trying to use the access token with the management.azure.com endpoint.

The reason for that is it was missing the Resource=https://management.azure.com resource URL.

Solution: Add https://management.azure.com and add the app registration to the IAM.

Upvotes: 1
