Renjith JR

Reputation: 359

Azure Authentication - Access Token returning wrong AUD(00000003-0000-0000-c000-000000000000)

I'm trying to authenticate with API Management in Azure through OAuth. I've set up that piece fine. However, from the response, the aud (00000003-0000-0000-c000-000000000000) is invalid in the access token. Any suggestions/ideas to get the accurate aud in access_token?

Upvotes: 9

Views: 13253

Answers (2)

Maciej Wakula

Reputation: 143

You have mistaken the values.

TL;DR: ignore "access token", obtain and read "id token" and verify that "aud" field is your client ID.

First you might obtain a single-use access code (likely something like 0.ABC). Optionally you could fetch an OpenID token. "scope" must include "openid".

Then you can fetch the actual OpenID token using the single-use code. "scope" must be "openid" again. The response might include:

  • access token - which can be anything including a random number of characters, a string, your full details or a JWT; I believe that Microsoft returns a JWT which is meant for the "00000003-0000-0000-c000-000000000000" audience (meaning "only 00000003-0000-0000-c000-000000000000 can use it - ignore if you are NOT the one")
  • id token - which is a JWT and should contain your application ID (client ID) in the "aud" field

Always check the "aud" as this says who is the token created for. If it is not you - the token is not for you.

Upvotes: 5

Rukmini

Reputation: 16074

I tried to reproduce the same in my environment and got the results like below:

I generated the access token with the same aud as you and got the validation error:

I agree with juunas. To authenticate with API Management in Azure through OAuth, make sure to pass the scope while generating the access token.

I created an Azure AD Application, exposed an API and added scope like below:

Added API permissions like below:

To resolve the error, make sure to pass scope as api://AppID/.default.

https://login.microsoftonline.com/TenantID/oauth2/v2.0/token

client_id:ClientID
client_secret:ClientSecret
scope:api://ee1782a6-a994-4013-a396-XXXXX/.default
grant_type:client_credentials

A valid access token to access APIM will be generated like below:

To pass the particular scope from a React app using MSAL you can refer to the sample code below:

import { MsalAuthProvider, LoginType } from 'react-aad-msal';

// MSAL configuration, authentication parameters (the scope) and login type
export const authProvider = new MsalAuthProvider(
  {
    auth: {
      authority: "https://login.microsoftonline.com/common",
      clientId: "ClientID",
      postLogoutRedirectUri: RedirectURI,
      redirectUri: RedirectURI,
      validateAuthority: true,
      navigateToLoginRequestUrl: true,
    },
    cache: {
      cacheLocation: 'sessionStorage',
      storeAuthStateInCookie: true,
    },
  },
  {
    // requesting the API's own scope makes the token's aud match the API, not Graph
    scopes: ['api://clientid/.default']
  },
  LoginType.Redirect
);

References:

OAuth 2.0 Authorisation with the Client Credentials Flow on Azure API Management by Paco de la Cruz

Connect React App with Azure AD using react msal by Ray

Upvotes: 4
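Putting both answers together (check the "aud" claim, and request the API's own scope so the token is issued for it), here is an added example that is not from the question or either answer. It decodes a JWT payload without verifying the signature (diagnosis only), explains the Graph audience from the question, and builds the client-credentials request body with the api://AppID/.default scope; the app ID is the placeholder from the answer and the sample tokens are constructed, unsigned and assume Node.js.

```javascript
// Added example, not code from the question or either answer: decode a JWT's
// payload (no signature check, diagnosis only) and explain an unexpected "aud".
// Assumes Node.js (Buffer, URLSearchParams); no external packages.

// Well-known application ID of Microsoft Graph, the "aud" the question reports.
const GRAPH_APP_ID = '00000003-0000-0000-c000-000000000000';

// Decode the payload segment of a compact JWT (header.payload.signature).
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Compare the token's "aud" with the audience the API expects. Azure may put
// either "api://<appid>" or the bare "<appid>" in aud, so accept both forms.
function checkAudience(token, expectedAppId) {
  const aud = decodeJwtPayload(token).aud;
  const accepted = [expectedAppId, `api://${expectedAppId}`];
  if (accepted.includes(aud)) return { ok: true, aud };
  const reason = aud === GRAPH_APP_ID
    ? 'token was issued for Microsoft Graph; request scope api://<appid>/.default instead'
    : 'token was issued for another resource';
  return { ok: false, aud, reason };
}

// Build the client_credentials body with the scope the answer above uses.
function tokenRequestBody(clientId, clientSecret, apiAppId) {
  return new URLSearchParams({
    client_id: clientId,
    client_secret: clientSecret,
    scope: `api://${apiAppId}/.default`,
    grant_type: 'client_credentials',
  }).toString();
}

// Constructed sample tokens: unsigned, placeholder claims, not real Azure tokens.
function sampleToken(aud) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  const payload = { aud, iss: 'https://sts.windows.net/TENANT-PLACEHOLDER/' };
  return `${b64({ alg: 'none', typ: 'JWT' })}.${b64(payload)}.`;
}

const API_APP_ID = 'ee1782a6-a994-4013-a396-XXXXX'; // placeholder from the answer
const graphScoped = sampleToken(GRAPH_APP_ID);            // wrong scope requested
const apiScoped = sampleToken(`api://${API_APP_ID}`);     // api://AppID/.default
console.log(checkAudience(graphScoped, API_APP_ID)); // ok: false, Graph reason
console.log(checkAudience(apiScoped, API_APP_ID));   // ok: true
```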