
I have a .NET 6 API that I am trying to access using a token from Azure using client credentials but am receiving an error when passing the token in via an API call:

error="invalid_token" but there is no description.

This looks very similar to:

.NET 6 Problem: Bearer error="invalid_token"
Invalid JWT bearer token on .net 6.0 web api

However, adding the mentioned packages did not resolve the issue. All NuGet packages are up to date.

Looking at the logs in Kestrel, there does not appear to be any real error:

info: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      Microsoft.IdentityModel Version: 6.25.1.0.....
      IDX10242: Security token: *** has a valid signature.
info: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX10239: Lifetime of the token is valid.
info: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX10234: Audience Validated.Audience: '*'
info: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX10245: Creating claims identity from the validated token: '***'.
info: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX10241: Security token validated. token: '*'.

IMPORTANT: If I change the token request from ‘client credentials’ to ‘Authorization Code’ it works perfectly and the token is accepted (after I login with a named user account).
I have triple checked the client ID and secret, and they are correct.

For the name of the scope in the token request, I am using the URL of the application with /.default as the suffix.

In the Azure side, I have two app registrations: one for the API and one for the client.
On the API app registration, I added the client's client ID with applicable scopes to the "Authorized Client Applications" section within the "Expose an API" section.

I am receiving the same error using both Postman and Swagger as the front end client.

Not sure what else to look for here, or exactly where the issue lies (code vs. Azure setup).

Any suggestions would be greatly appreciated.

Thanks in advance.

2 Answers


  1. Chosen as BEST ANSWER

    The issue was in the configuration of MS Azure. I needed to add an App Role on the API app registration and grant consent to the new role for the organization. From there, I added that role in the API Permissions section of the Client App registration and again granted consent. Everything worked as expected after a few minutes.


  2. If you protect your API using AddJwtBearer, then you can enable this flag:

    .AddJwtBearer(options =>
    {
            // Surface the rejection reason in the WWW-Authenticate header
            options.IncludeErrorDetails = true;
            ...
    });
    

    If you enable it, then you will get a response header with a bit more detail about why the token was not accepted, like:

    HTTP/1.1 401 Unauthorized
    Date: Sun, 02 Aug 2020 11:19:06 GMT
    WWW-Authenticate: Bearer error="invalid_token", error_description="The signature is invalid"
    
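    Putting the two answers together as an added example (not code from the question or from either answer): an AddJwtBearer setup for a .NET 6 minimal API that turns on IncludeErrorDetails, rejects a token that carries neither a scp nor a roles claim (the state a client-credentials token is in before an app role is assigned), and authorizes either a delegated scope or an app role. The tenant ID, API client ID, scope name "Files.Read" and app role name "Files.Read.All" are placeholders.

```csharp
// Program.cs for a .NET 6 minimal API (added example; relies on the SDK's implicit usings).
using Microsoft.AspNetCore.Authentication.JwtBearer;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Placeholders: take these from the API app registration.
        options.Authority = "https://login.microsoftonline.com/{tenant-id}/v2.0";
        options.Audience = "api://{api-app-client-id}";
        // Surface the rejection reason in the WWW-Authenticate header.
        options.IncludeErrorDetails = true;
        // Keep the raw JWT claim names ("scp", "roles") instead of the
        // schema URIs the handler maps them to by default.
        options.MapInboundClaims = false;
        options.Events = new JwtBearerEvents
        {
            OnTokenValidated = ctx =>
            {
                // Signature, lifetime and audience already passed (the IDX102xx
                // log lines in the question). A client-credentials token issued
                // before an app role was assigned carries neither "scp" nor
                // "roles", so fail it here rather than admit an unscoped caller.
                var user = ctx.Principal!;
                if (!user.HasClaim(c => c.Type == "scp") && !user.HasClaim(c => c.Type == "roles"))
                    ctx.Fail("Token carries neither a scp nor a roles claim.");
                return Task.CompletedTask;
            }
        };
    });

builder.Services.AddAuthorization(options =>
{
    // Delegated (authorization-code) tokens list scopes in "scp";
    // application (client-credentials) tokens list app roles in "roles".
    // Assumed names: delegated scope "Files.Read", app role "Files.Read.All".
    options.AddPolicy("FilesRead", policy => policy.RequireAssertion(ctx =>
        ctx.User.HasClaim(c => c.Type == "scp" && c.Value.Split(' ').Contains("Files.Read"))
        || ctx.User.HasClaim(c => c.Type == "roles" && c.Value == "Files.Read.All")));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/files", () => Results.Ok(new[] { "report.txt" }))
   .RequireAuthorization("FilesRead");
app.Run();
```

    With IncludeErrorDetails on, a token that fails in OnTokenValidated comes back as a 401 whose WWW-Authenticate header carries the Fail message, which is the detail missing from the bare error="invalid_token" in the question.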