"401 Unauthorized : The audience is invalid" Error with Azure AAD for .Net Core APIs

PinkeshPatel
June 8, 2022
382 views
1 vote
2 Answers

Azure AD by default generates Application URI in below format.

api://<<Client_Id>>

but When you change Application URI with "https://xyz.onmicrosoft.com/<<Client_Id>>" and the token generated using Auth Code Grant or Client Credential flow, if passed to API for Authorization, you will get below error.

WWW-Authenticate: Bearer error="invalid_token", error_description="The audience ‘https://xyz.onmicrosoft.com/<<Client_Id>>’ is invalid"

Tags: azure azure-active-directory

Answers

Chosen as BEST ANSWER
- PinkeshPatel
- June 8, 2022 at 7:03 am
- 0 votes
0
To solve this, AppSettings should be added as mentioned below,
```
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "xyz.onmicrosoft.com",
    "TenantId": <<Tenant_Id>>,
    "ClientId": <<Client_Id>>,
    **"Audience": "https://xyz.onmicrosoft.com/<<Client_Id>>"**
  }
```
Note: If you are using default URI then Audience is not required but with custom Application URI, Audience needs to be added.

(Edit)

- dockernet
- March 14, 2023 at 9:42 pm
- 0 votes
0
In my application config file I had to set Audience to Application ID URI (api://myapp.com) and when fetching a token in Insomnia resource had to be set TO the same Application ID URI

Login or Signup to reply.

Please signup or login to give your own answer.

Click here to cancel reply.