James Gould

Reputation: 4702

The Access Token Has Been Obtained For the Wrong Audience

I'm trying to CRUD Logic App workflows programmatically using the REST API. To do so, I need a JWT attached in the Authorization header of each request.

I'm trying to set up access between our Azure AD and our Logic App to allow for these operations but cannot seem to get the token to authenticate.

For resources there is:

I've generated an application ID api://X and have used that to generate a token with this request:

grant_type: client_credentials
client_id: myClientId
client_secret: myClientSecret
scope: api://X/.default
audience: https://management.azure.com

POSTing to:

https://login.microsoftonline.com/app_guid_here/oauth2/v2.0/token

which successfully creates a token, but not one that is accepted. When decoding the token, the aud field is the application ID GUID, which throws the following error when using it to PUT a workflow CRUD operation to the LogicApp REST API:

{
    "error": {
        "code": "InvalidAuthenticationTokenAudience",
        "message": "The access token has been obtained for wrong audience or resource 'api://X'. It should exactly match with one of the allowed audiences 'https://management.core.windows.net/','https://management.core.windows.net','https://management.azure.com/','https://management.azure.com'."
    }
}

I'm certain that I've missed something here; I'm very new to managing identity this way, so frankly I'm a little lost.

Have I missed a step allowing access to the management API via the app registration? Do I need to add extra permissions elsewhere?

Frankly all I need is a way to generate these JWTs to authorize requests to the Management API, the specific setup to do so is moot.

Upvotes: 1

Views: 3442

Answers (1)

Mohit Ganorkar

Reputation: 2069

  • What you can do is register the resource in Azure AD, acquire the tokens from Azure AD and then pass them to the desired resource.

  • Here we need a tenant ID and client ID for acquiring the tokens. You can get both IDs from the portal: the tenant ID is displayed under basic info and the client ID under the registered app section.

using MSAL for Python:

from msal import PublicClientApplication

client_id = '<client-id>'
tenant_id = '<tenant-id>'
# The scope is '<resource app ID>/.default'; the resource ID used here
# decides the aud claim of the token you get back.
scopes = ['2ff814a6-3304-4ab8-85cb-cd0e6f879c1d/.default']

app = PublicClientApplication(
    client_id=client_id,
    authority="https://login.microsoftonline.com/" + tenant_id,
)

# Opens a browser for sign-in. The result dict carries 'access_token' on
# success and 'error' / 'error_description' on failure.
result = app.acquire_token_interactive(scopes=scopes)
access_token = result.get("access_token")

Thus after registering your app in Azure AD you can get the tokens, which can authenticate to any registered Azure resource, including APIM.

Reference: getting Azure AD tokens using MSAL

how to get client ID and tenant ID

Upvotes: 1
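The following is an added example, not code from either post above. It ties the question's client_credentials request to the answer's point that the resource named in the scope decides the token's audience: for the Logic App REST API (Azure Resource Manager) the scope must be https://management.azure.com/.default, which is what makes the aud claim one of the four values listed in the InvalidAuthenticationTokenAudience error; the v2.0 token endpoint takes no audience parameter, so the one in the question is ignored. The tenant, client and secret values are placeholders, the path segment of the token URL is the tenant ID (not the application ID), and the sample token used for the offline check is a constructed, unsigned JWT, not a real Azure AD token. The aud check deliberately does not verify the signature: it is a pre-flight inspection of a token you are about to send, never a way to trust a token you received.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Audiences exactly as listed in the InvalidAuthenticationTokenAudience error.
ARM_AUDIENCES = {
    "https://management.core.windows.net/",
    "https://management.core.windows.net",
    "https://management.azure.com/",
    "https://management.azure.com",
}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the '=' padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying its signature.
    Only for inspecting a token you are about to send to a resource."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def audience_accepted_by_arm(token: str) -> bool:
    """True if the token's aud claim is one Azure Resource Manager accepts."""
    aud = jwt_claims(token).get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    return any(a in ARM_AUDIENCES for a in auds)


def build_token_request(tenant_id: str, client_id: str, client_secret: str,
                        resource: str = "https://management.azure.com"):
    """Build the v2.0 client_credentials request for a token for `resource`.
    The audience is controlled solely by the scope '<resource>/.default';
    there is no separate 'audience' parameter on the v2.0 endpoint."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": resource.rstrip("/") + "/.default",
    }
    return url, body


def get_arm_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Request the token (network call) and refuse to return one ARM would reject."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    data = urllib.parse.urlencode(body).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        token = json.load(resp)["access_token"]
    if not audience_accepted_by_arm(token):
        raise RuntimeError(
            f"token aud={jwt_claims(token).get('aud')!r} is not an ARM audience; "
            "request scope https://management.azure.com/.default instead"
        )
    return token


def _unsigned_sample_jwt(aud: str) -> str:
    """Constructed, unsigned sample token for offline checks (placeholder issuer)."""
    def enc(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "none", "typ": "JWT"}
    payload = {
        "aud": aud,
        "iss": "https://login.microsoftonline.com/<tenant-id>/v2.0",
        "exp": int(time.time()) + 3600,
    }
    return f"{enc(header)}.{enc(payload)}."


if __name__ == "__main__":
    # Offline demonstration: a token minted for api://X is rejected before it is
    # ever sent; one minted for ARM passes the pre-flight check.
    for aud in ("api://X", "https://management.azure.com/"):
        print(aud, "->", audience_accepted_by_arm(_unsigned_sample_jwt(aud)))
```

A token that passes this check is still only through the first gate: ARM authorizes the call itself by Azure RBAC, so the service principal also needs a role assignment (for example Logic App Contributor) on the Logic App or its resource group, or the PUT will fail with an authorization error rather than an audience error. MSAL's ConfidentialClientApplication.acquire_token_for_client(scopes=["https://management.azure.com/.default"]) issues the same request as build_token_request and is the non-interactive counterpart of the PublicClientApplication flow in the answer.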
