olivier

Reputation: 205

Azure AD Identity authentication error: IDX10214: Audience validation failed

I have a .NET Core 5 API that I want to protect using Azure AD, and then call it from a console app. So my case is only service-to-service authentication. I registered both apps in Azure AD and then gave the console app permission on the API using App roles. I succeeded in retrieving a token for the console app by passing the right scope:

using System;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

static async Task Main(string[] args)
{
    // Confidential client for the console app (client-credentials flow)
    var app = ConfidentialClientApplicationBuilder
        .Create("<MY_CONSOLE_APP_ID>")
        .WithClientSecret("<MY_CONSOLE_APP_CLIENT_SECRET>")
        .WithAuthority(new Uri("https://login.microsoftonline.com/<MY_TENANT_ID>"))
        .Build();

    // Request an app-only access token for the API's default scope
    var result = await app.AcquireTokenForClient(new string[]
        {
            "api://<MY_API_APP_ID>/.default"
        })
        .ExecuteAsync();
}

Then in the Startup class of the API, I added the following code:

services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(Configuration, "AzureAd");

and in the appsettings.json I defined the required settings:

"AzureAd": {
    "ClientId": "<MY_API_APP_ID>",
    "Instance": "https://login.microsoftonline.com/",
    "TenantId": "<MY_TENANT_ID>"
}

Then I marked a controller as [Authorize], but when I call one of its endpoints I get the following error:

{
    "code": 401,
    "message": "IDX10214: Audience validation failed. Audiences: '[PII is hidden]'. Did not match: validationParameters.ValidAudience: '[PII is hidden]' or validationParameters.ValidAudiences: '[PII is hidden]'."
}

I also tried to prefix the clientId with api:// but got the same error. I decoded the token to ensure the audience was correct, and it seems OK since I have "aud": "api://<MY_API_APP_ID>".

Do you have an idea of what I am missing?

Upvotes: 3

Views: 13351

Answers (1)

kavya Saraboju

Reputation: 10831

Whatever code is provided looks good. Make sure the Audience config matches the "aud" claim in the access token. As that part of the code is not provided here, you may be missing an audience entry in the code configuration under services.AddAuthentication(… Please check if you have given the audience entry in any of these ways.

1

.AddJwtBearer(options =>
{
    options.Authority = "";
    //options.Audience = Configuration["Audience"];
});

(or) 2

.AddJwtBearer(options =>
{
    options.Audience = clientId;
    options.Authority = authority;
})

(or) 3

.AddJwtBearer(options =>
{
    options.Authority = "";
    options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
    {
        // here you give the required valid audiences
        ValidateIssuer = true,
        ValidAudiences = new List<string>
        {
            "AUDIENCE1",
            "AUDIENCE2"
        }
    };
})

Or the valid audiences can be given as below, in place of AUDIENCE1 or AUDIENCE2:

ValidAudiences = new List<string>
{
    Configuration["Authentication:ClientId"]
}

The aud (audience) should match your API's id, and make sure the required scopes are present. If these are fine, then check whether the token you are trying to validate is an ID token or an access token. It differs for your API and for Graph API.

Upvotes: 2
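As an added example (not code from the question or the answer), here is an explicit JwtBearer configuration for the API that pins down every check the IDX10214 error touches: audience, issuer, lifetime and signing key. It assumes the same "AzureAd" section from the question's appsettings.json (ClientId, Instance, TenantId), and that <MY_API_APP_ID> and <MY_TENANT_ID> are placeholders. Azure AD issues the "aud" claim as the App ID URI (api://<app-id>) in v1.0 access tokens and as the bare client id in v2.0 access tokens, so both forms are listed as valid audiences; the two issuer formats are listed for the same reason. The ShowPII switch is restricted to development because it writes token claims into error messages.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Microsoft.IdentityModel.Logging;
using Microsoft.IdentityModel.Tokens;

// Example Startup for the protected API (added here, not the asker's code).
public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;

    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        // Assumed to be the "AzureAd" section shown in the question's appsettings.json
        var azureAd = Configuration.GetSection("AzureAd");
        string clientId = azureAd["ClientId"];   // <MY_API_APP_ID>, the API's own registration
        string tenantId = azureAd["TenantId"];   // <MY_TENANT_ID>
        string instance = azureAd["Instance"];   // "https://login.microsoftonline.com/"

        services
            .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // Signing keys are fetched from this authority's discovery document.
                options.Authority = $"{instance}{tenantId}/v2.0";

                options.TokenValidationParameters = new TokenValidationParameters
                {
                    // The token from the question carries aud = api://<MY_API_APP_ID>
                    // (v1.0 format); v2.0 tokens carry the bare client id instead.
                    // Accept exactly these two values and nothing else.
                    ValidateAudience = true,
                    ValidAudiences = new List<string>
                    {
                        clientId,
                        $"api://{clientId}"
                    },

                    // Only tokens minted by this tenant are acceptable, in either issuer format.
                    ValidateIssuer = true,
                    ValidIssuers = new List<string>
                    {
                        $"https://login.microsoftonline.com/{tenantId}/v2.0",
                        $"https://sts.windows.net/{tenantId}/"
                    },

                    // Reject expired tokens and tokens whose signature is not from a known key.
                    ValidateLifetime = true,
                    ValidateIssuerSigningKey = true,
                    ClockSkew = TimeSpan.FromMinutes(2)
                };
            });

        services.AddControllers();
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (env.IsDevelopment())
        {
            // Replaces the '[PII is hidden]' markers in IDX10214 with the real
            // received vs. expected audiences so the mismatch can be read directly.
            // Development only: the values end up in logs and error responses.
            IdentityModelEventSource.ShowPII = true;
        }

        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}
```

With ShowPII enabled, the 401 body from the question would name the audience actually present in the token and the audience(s) the API was configured to accept; if the token shows api://<MY_API_APP_ID> but the accepted list only contains the bare id (or vice versa), the ValidAudiences list above resolves it without loosening any other check.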
