
I’m trying to authenticate with API Management in Azure through OAuth. I’ve set up that piece fine.
However, in the response, the aud (00000003-0000-0000-c000-000000000000) in the access token is invalid.
Any suggestions/ideas to get the accurate aud in the access_token?


Answers


  1. I tried to reproduce the same in my environment and got the results below.

    I generated the access token with the same aud as you and got the validation error.

    I agree with juunas: to authenticate with API Management in Azure through OAuth, make sure to pass the scope when generating the access token.

    I created an Azure AD application, exposed an API and added a scope, then added API permissions for it.

    To resolve the error, make sure to pass scope as api://AppID/.default.

    POST https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
    Content-Type: application/x-www-form-urlencoded

    client_id=ClientID
    &client_secret=ClientSecret
    &scope=api://ee1782a6-a994-4013-a396-XXXXX/.default
    &grant_type=client_credentials

    A valid access token for APIM will then be generated.

    To pass the particular scope from a React app using MSAL, you can refer to the sample code below:

    // arguments to the MSAL auth provider: configuration, authentication parameters, login type
    {
      auth: {
        authority: "https://login.microsoftonline.com/common",
        clientId: "ClientID",
        postLogoutRedirectUri: RedirectURI,
        redirectUri: RedirectURI,
        validateAuthority: true,
        navigateToLoginRequestUrl: true,
      },
      cache: {
        cacheLocation: 'sessionStorage',
        storeAuthStateInCookie: true,
      },
    },
    {
      scopes: ['api://clientid/.default']
    },
    LoginType.Redirect

    References:

    OAuth 2.0 Authorisation with the Client Credentials Flow on Azure API Management by Paco de la Cruz

    Connect React App with Azure AD using react msal by Ray

  2. You have mistaken the values.

    TL;DR: ignore the "access token"; obtain and read the "id token" and verify that its "aud" field is your client ID.

    First you might obtain a single-use access code (likely something like 0.ABC). Optionally you could fetch an OpenID token; "scope" must include "openid".

    Then you can fetch the actual OpenID token using the single-use code. "scope" must be "openid" again. The response might include:

    • access token – which can be anything, including a random number of characters, a string, your full details or a JWT; I believe that Microsoft returns a JWT which is meant for the "00000003-0000-0000-c000-000000000000" audience (meaning "only 00000003-0000-0000-c000-000000000000 can use it – ignore it if you are NOT the one")
    • id token – which is a JWT and should contain your application ID (client ID) in the "aud" field

    Always check the "aud", as it says who the token was created for. If it is not you, the token is not for you.

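Both answers turn on the aud claim: the scope you request decides which audience Azure AD mints the token for, and the consumer should check that claim before trusting the token. The following is an added example, not code from either answer, that decodes a compact JWT's payload and compares aud with the audience an API exposed as api://<AppID> should expect; the tokens, the AppID and the issuer are constructed placeholders, and no signature is verified.

```javascript
// Decode-only JWT inspection: compare the "aud" claim with the audience an
// API exposed as api://<AppID> expects. No signature check is done here;
// APIM / your backend must still validate the signature, issuer and expiry.
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  return Buffer.from(b64 + "=".repeat((4 - (b64.length % 4)) % 4), "base64").toString("utf8");
}

function base64UrlEncode(text) {
  return Buffer.from(text, "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Returns the claims object from the middle segment of a compact JWT.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(base64UrlDecode(parts[1]));
}

// A v2.0 access token for an app with App ID URI api://<appId> carries either
// that URI or the bare application ID as "aud", depending on the app manifest.
function expectedAudiences(appId) {
  return [`api://${appId}`, appId];
}

// True only when the token was minted for our API. A token obtained with a
// Microsoft Graph scope carries aud 00000003-0000-0000-c000-000000000000
// (Graph's application ID) and is rejected here, as in the question.
function isTokenForApi(token, appId) {
  const { aud } = decodeJwtPayload(token);
  const auds = Array.isArray(aud) ? aud : [aud];
  return auds.some((a) => expectedAudiences(appId).includes(a));
}

// Constructed sample tokens for the demo: real header/payload encoding,
// placeholder signature (these would never pass signature validation).
function sampleToken(aud) {
  const header = base64UrlEncode(JSON.stringify({ alg: "RS256", typ: "JWT" }));
  const iss = "https://login.microsoftonline.com/TenantID/v2.0"; // placeholder
  const payload = base64UrlEncode(JSON.stringify({ aud, iss }));
  return `${header}.${payload}.placeholder-signature`;
}

const APP_ID = "ee1782a6-a994-4013-a396-XXXXX"; // placeholder AppID from the answer
const graphToken = sampleToken("00000003-0000-0000-c000-000000000000");
const apimToken = sampleToken(`api://${APP_ID}`);
console.log(isTokenForApi(graphToken, APP_ID)); // false
console.log(isTokenForApi(apimToken, APP_ID));  // true
```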