I have set up a backend-app, client-app and OAuth server in API Manager pretty much according to the example. Currently the OAuth server and both app registrations are set up to use v2 endpoints. Currently the default scope of the OAuth server is set to api://<backend-app client ID>. This is also the value of the audience tag in the validate-jwt policy. I have no required-claims in the validate-jwt policy. For each change in config I re-authorize in the test console try-it modal.
It seems like no matter how much I fiddle with the parameters, the aud claim of the token received by the developer portal test console is "aud": "00000003-0000-0000-c000-000000000000".
What am I doing wrong?
EDIT:
I realized I have to publish changes to the developer portal. I was also wrongly assuming that I needed no scope in the API, since I am developing an API that is to be called by a daemon app only (using app roles). After setting a test scope in the app registrations, granting admin consent, and publishing the developer portal, the token carries the correct aud claim. I still get 401 however, but assume that is a different question.
2 Answers
During my initial attempts I failed to do two things:
The reason for not setting a scope beyond the default scope of the API app registration was that the API is intended to be called by a daemon app only. Unless I misunderstand things further, calling a protected API from the developer test portal requires a delegated permission (scope), because the developer authorizes interactively upon fetching the OAuth token.
NB! Not answering the question directly, but I had to remove the api:// part of the <audience> definition in the validate-jwt policy for the token to be authorized. Using the 2.0 endpoint.

I have added OAuth 2.0 as shown below:
Add the Authorization code grant flow URL in the Authorization of your registered app.
Then I enabled OAuth 2.0 in the API's settings.
Added the validate-jwt policy. I tested this configuration in the portal before trying it in the developer portal by providing the bearer token manually in the request header and it worked.
Trace:
Try to test it in the portal first before moving to the Developer portal and if you get any error then check in Trace.
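Added example (not code from the question or either answer): a small inspection helper for the two symptoms on this page, the aud claim coming back as 00000003-0000-0000-c000-000000000000 (which is the application ID of Microsoft Graph, so the test console was handed a Graph token rather than one for the API) and the second answer's observation that the <audience> value had to lose its api:// prefix before validate-jwt accepted the token. It decodes the JWT payload without verifying the signature, purely to see which aud/scp/roles the token carries before handing it to APIM, and compares the aud claim against the configured audience in both the api://-prefixed and bare forms. The backend app ID and the tokens are constructed placeholders; the real verification is still done by the validate-jwt policy.

```python
import base64
import json

# Application ID that Microsoft Graph tokens carry in aud (the value seen in the question).
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

# Constructed placeholder standing in for <backend-app client ID>; not a real registration.
BACKEND_APP_ID = "11111111-2222-3333-4444-555555555555"


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.

    This is an inspection aid only (which aud/iss/scp/roles did the console get?);
    trusting these claims for authorization is the job of the validate-jwt policy.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def normalize_audience(value: str) -> str:
    """Strip an 'api://' prefix so 'api://<id>' and '<id>' compare equal."""
    return value[len("api://"):] if value.startswith("api://") else value


def audience_matches(claims: dict, configured_audience: str) -> bool:
    """True if the token's aud claim names the configured audience in either form.

    aud may be a string or a list per RFC 7519, so both shapes are handled.
    """
    aud = claims.get("aud", [])
    auds = [aud] if isinstance(aud, str) else list(aud)
    wanted = normalize_audience(configured_audience)
    return any(normalize_audience(a) == wanted for a in auds)


def diagnose(token: str, configured_audience: str) -> str:
    """Explain why a token would or would not satisfy the configured <audience>."""
    claims = decode_claims(token)
    if audience_matches(claims, configured_audience):
        return "ok"
    aud = claims.get("aud")
    if aud == GRAPH_APP_ID:
        return ("token issued for Microsoft Graph: the requested scope resolved to Graph, "
                "not to the API's app registration")
    return f"audience mismatch: token aud={aud!r}, policy expects {configured_audience!r}"


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed sample JWT with a dummy signature, for the demo only."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.sig"


if __name__ == "__main__":
    policy_audience = f"api://{BACKEND_APP_ID}"
    # Constructed tokens reproducing the page's two situations.
    graph_token = make_unsigned_token({"aud": GRAPH_APP_ID, "scp": "User.Read"})
    api_token = make_unsigned_token({"aud": BACKEND_APP_ID, "roles": ["Daemon.Access"]})
    print(diagnose(graph_token, policy_audience))
    print(diagnose(api_token, policy_audience))
```

Run it against a token pasted from the developer portal's try-it modal to see, before APIM rejects it, whether the aud is Graph's ID, the bare client ID, or the api:// form, and whether any scp or roles claim made it into the token at all.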