Stefan Deller

Reputation: 55

Bearer Token from Microsoft has invalid signature

I want to implement a client credential flow with Azure. I have registered two apps in Azure (MyApi and MyClient). The app MyClient sends a POST request to Microsoft to get the token. I send a request with this token to the REST API server. The answer is always 401 Unauthorized - Bearer error="invalid_token" error_description="The signature is invalid".

This is my setup in Azure:

MyApi

Client ID: client_id_MyApi

Tenant ID: tenant_id

Application ID URI: api://MyApi

API-Permissions: Microsoft.Graph -> User.Read

Expose an API -> Scopes: api://MyApi/accessAsUser

App roles: accessAsApplication

MyClient

Client ID: client_id_MyClient

Tenant ID: tenant_id

Api-Permissions: Microsoft.Graph -> User.Read, MyApi -> accessAsApplication

Config of the REST-API Server:

Program.cs
...
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(o =>
    {
        // Audience as configured on the server: the client id of MyClient
        o.Audience = "client_id_MyClient";
        // Authority from which the signing keys are downloaded
        o.Authority = "https://login.microsoftonline.com/tenant_id/";
        o.IncludeErrorDetails = true;
    });
...

FooController.cs

using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

[ApiController]
public class FooController : ControllerBase
{
    // Requires a valid bearer token; this is the request that returns 401
    [Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
    [Route("Foo")]
    [HttpPost]
    public async Task Foo()
    {
        await Task.Delay(1000);
        Console.WriteLine("!!!!!!!!!!!!!!!");
    }
}

Post-Request to get a token from Microsoft:

POST https://login.microsoftonline.com/tenant_id/oauth2/v2.0/token HTTP/1.1

POST-Body:

grant_type=client_credentials&client_id=client_id_MyClient&client_secret=mysecret&scope=https://graph.microsoft.com/.default

Upvotes: 1

Views: 464

Answers (1)

Rukmini

Reputation: 16139

Note that the Microsoft Graph API token (the one with aud https://graph.microsoft.com) is not meant to be validated, as it is not meant for the application.

https://login.microsoftonline.com/TenantID/oauth2/v2.0/token

client_id:ClientID
client_secret:ClientSecret
scope:https://graph.microsoft.com/.default
grant_type:client_credentials


When I decoded the access token, I got Invalid Signature error:


Hence you can avoid validating the access token for Microsoft Graph API.

You can validate the access token for your own API or application:

scope: api://ClientID/.default


Now I am able to validate the access token:


Reference:

spring security - Verify Signature with Azure AD - Stack Overflow by junnas

Upvotes: 1
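As an added example (this is not code from the question or from the answer above), here is the server-side JwtBearer configuration for MyApi that accepts only tokens minted for MyApi, i.e. tokens obtained with scope api://MyApi/.default, and logs the concrete validation failure instead of a bare 401. It assumes the placeholder names from the question (tenant_id, client_id_MyApi, the App ID URI api://MyApi, the accessAsApplication app role) and the audience and issuer formats Microsoft Entra uses for client-credentials tokens: a v1 token carries aud = the App ID URI and iss = https://sts.windows.net/{tenant}/, a v2 token carries aud = the API's client id and iss = https://login.microsoftonline.com/{tenant}/v2.0. A token requested for https://graph.microsoft.com/.default matches neither audience and is rejected before its signature is ever considered.

```csharp
// Added example, not the asker's or answerer's code.
// Placeholders (assumed, taken from the question's naming): tenant_id, client_id_MyApi, api://MyApi.
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

const string TenantId = "tenant_id";          // placeholder
const string ApiClientId = "client_id_MyApi"; // placeholder: client id of MyApi, not of MyClient
const string ApiAppIdUri = "api://MyApi";     // placeholder: Application ID URI of MyApi

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(o =>
    {
        // Signing keys are fetched from this authority's OpenID Connect metadata.
        o.Authority = $"https://login.microsoftonline.com/{TenantId}/v2.0";
        o.TokenValidationParameters = new TokenValidationParameters
        {
            // Accept both token versions for MyApi; a Graph token (aud = https://graph.microsoft.com) fails here.
            ValidAudiences = new[] { ApiAppIdUri, ApiClientId },
            // v1 and v2 tokens for the same tenant use different issuer formats.
            ValidIssuers = new[]
            {
                $"https://sts.windows.net/{TenantId}/",
                $"https://login.microsoftonline.com/{TenantId}/v2.0",
            },
            ValidateIssuerSigningKey = true,
            ValidateLifetime = true,
        };
        o.Events = new JwtBearerEvents
        {
            // Record which check failed (audience, issuer, signature, lifetime);
            // the client only ever sees the generic invalid_token response.
            OnAuthenticationFailed = ctx =>
            {
                ctx.HttpContext.RequestServices
                    .GetRequiredService<ILogger<Program>>()
                    .LogWarning(ctx.Exception, "JWT rejected: {Reason}", ctx.Exception.GetType().Name);
                return Task.CompletedTask;
            },
        };
    });

// App-only callers must carry the app role that MyApi exposes and that was granted to MyClient.
builder.Services.AddAuthorization(options =>
    options.AddPolicy("AppRole", p => p.RequireClaim("roles", "accessAsApplication")));

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Equivalent of the question's Foo endpoint, now requiring both a MyApi token and the app role.
app.MapPost("/Foo", () => Results.Ok("authenticated app caller"))
   .RequireAuthorization("AppRole");

app.Run();
```

With this in place, MyClient requests its token exactly as in the answer, with scope api://MyApi/.default instead of https://graph.microsoft.com/.default; the resulting token's aud and roles claims then satisfy the checks above. The ValidAudiences entry for the client id of MyClient that the question used is deliberately absent: the audience of an access token names the resource being called, never the caller.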
