In this post,
AAD token: Why aud sometimes shows app id, sometimes it's the app url?
I learn why the aud field in AAD token is sometimes app id, sometimes app url. They seems depend on what you put as resource when requesting token.
But, while I'm experimenting requesting an AAD token for a SPA website with app url (the SPA website's AAD app url), it returns AAD error - AADSTS90009.
AADSTS90009: Application '' is requesting a token for itself. This scenario is supported only if resource is specified using the GUID based App Identifier.
See this post for related discussion.
OAuth 2.0 and Azure Active Directory - error AADSTS90009
I'm curious, what is the main reason behind this error?
Why it cannot support app url as resource identity?
If you are leveraging AAD and you get a token where aud claim contains:
a Uri - it means you are dealing with access_token and the Uri
represents Service Principal Name (read 'unique identifier') of the resource application your client application wants to access.
a Guid - it means you are dealing with id_token and the value corresponds to ObjectId of that app which acquired the token.
Related
The azure app service provided an URL in such format https://your-app-name.azurewebsites.net
When Expose an API in azure app registration the Application ID URI is needed. But when I use the url provided by the azure app service I got the following error:
Values of identifierUris property must use a verified domain of
the organisation or its subdomain: https://your-app-name.azurewebsites.net
the URL provided by the app service is not a verified domain? and how can I make it verified?
Application ID URI is an identifier that can be used instead of the client ID when specifying a scope defined in that app.
It has nothing to do with authentication redirect URIs, where it would need to match your app hosting.
Agree with juunas and this is just additional description. Screenshot below contained the error you met and one of the supported App ID URI pattern.
I'm afraid that the reason for exposing API is that you want to protect your web API with Azure AD. The App ID URI here is used for the authorization. Your web app also requires to configure the audience, then after you integrate Azure AD authorization into your application, the scope, the audience and other claims containing in the incoming access token will all be verified. I have a sample which is based on a web api. You can see the configuration for Azure AD authorization.
And https://your-app-name.azurewebsites.net is for authentication which used for redirect from microsoft identity platform back to your own web app. The scenario can be opening your own web page which requiring user to sign in --> redirect to microsoft sign in page --> sign in then redirect back to your web page. So we need to identify the redirect URL in Azure AD.
I am facing the below issue, when an Azure Government cloud user is trying to access an web app hosted in Azure commercial cloud. I confirm that the reply url is present in the app registration
Sorry, but we’re having trouble signing you in.
AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: '7c528ed8-8f39-4efe-8ac2-c5a6d108def7'.
This error occurs when the redirect_uri in the authentication request doesn't match with the redirect uri registered in the App registration. When you access the web application, you get redirected to https://login.microsoftonline.com/... url.
Below is an example of authentication request, where the redirect_uri is https://jwt.ms, which must match with the redirect uri registered under app registration.
https://login.microsoftonline.com/your_tenant.onmicrosoft.com/oauth2/v2.0/authorize?client_id=574c674d-xxxx-xxxx-xxxx-xxxxxxxxxxxx&response_type=code&redirect_uri=https://jwt.ms&state=1234&response_mode=fragment&scope=https://graph.microsoft.com/.default
If you still face any issues, please share the Correlation ID, Request ID and Timestamp that you are getting along with the error and I will try to track the information in our backend database for you.
Our application is an Angular SPA with ASP.Net Core Web API. The identity is provided by Microsoft Identity Platform (Azure AD) and authentication is provided by the same. The authorization is done in Web API basis "Application Roles". These "Application Roles" are held in the Azure AD directory (defined in the Application's manifest and assigned on the tenant domain to users).
The Angular SPA receives the tokens from Azure, as per these instructions. The relevant tokens that are issued are: an AccessToken for my Web API (following these instructions), an AccessToken for calling Graph API (following the same instructions) and an IdToken that includes the "Application Roles" as roles claim (this id token seems to be included automatically once roles have been assigned).
The problem I face is that I need to pass concurrent tokens to my Web API, but with the HTTP interceptor I can only include 1 token in the header request. For example, I need the first AccessToken to proof authentication to the Web API and I need to include the IdToken such that the Web API can perform authorization.
Q: How can I call my Web API with multiple tokens, when these tokens are all issued to the SPA and need to be included in the HTTP call to my Web API?
No matter whether you want to get Microsoft Graph data, the way you used to get Application role is incorrect.
An id token cannot be used to perform authorization for your Web API application. You have to use access token. See this answer to learn about the usage of id token and access token.
So you have to use an access token rather than id token.
In this case, you configure the app roles in the Azure AD app which represents Angular SPA (the front).
In fact, you should configure the app roles in the Azure AD app which represents ASP.Net Core Web API (the backend). Then you can get the "Application Roles" as roles claim in the AccessToken for your Web API.
I have an app service say https://blahablah.azurewebsites.net to which I have hosted an ASP. Net web api project(An api that returns list of to do items by GET request), so that I can access the API without any authentication using https://blahablah.azurewebsites.net/api/TodoItems as i had TodoItems as my controller.
Now when I create an Azure AD and set Advanced Authentication of the app service; I can't access the api on the previous endpoint; When I use postman with the client id, secret, auth and token endpoints, it says my redirect URL is not valid;
So what should be my redirect URL? How can i successfully send a GET request from POSTMAN?
Update 1: My endpoints were wrong, and I corrected it to login.microsoftonline.com instead of login.microsoft.com, so I'm getting the access token, but when I'm sending a get request to above api with that token in header, it still says 401 unauthorised.
And i'm using redirect url as https://www.getpostman.com/oauth2/callback
Update 2: Here is my configuration
1)I have 2 AAD apps: blahablahAAD aap and PostmanAAD app
2)For app service, blahablah i use the first AAD app thru Express authentication of Azure Active Directory;
3)I have made https://blahablah.azurewebsites.net/api as the first AAD app's Application ID URI, and hence am able to expose https://blahablah.azurewebsites.net/api/TodoItems with TodoItems as scope.
4)I have added the API to "API permissions" of the first AAD app; (uptil now it works well in browser asking me for login and then taking me to the endpoint;)
5) For the PostmanAAD, I use it's client id,secret in Postman and get the token; I send it as request header to API;but it failss
6) I have added PostmanAAD's client id in "Expose API->add client application" of blahablahAAD.
7) I have done step 4 for PostmanAAD also
8) I have granted admin consent to all in default directory.
Note: I haven't added any authorization related code to my ASP .NET web api project that i hosted as app service, but i believe i can access it without writing code(as in AAD will do the task for me).
Set resource url as the guid of the azure ad app instead of application id url.
Click azure ad app and choose Application Id in Overview.
I have a 2.0 Azure AD application (registered a BF bot), and I have set up an app ID URI so my users can use it as the aud for auth token.
I could use the the app ID URI to get an JWT token successfully, however the token's aud is not the app ID URI, but the APP ID. Is this the expected behavior?
Tried the same thing with old Azure AD applications and the token had the app ID URI as aud. Actually, if I change the "accessTokenAcceptedVersion" property from 2 to null, the 2.0 Azure AD app would work too.
This is very confusing why did such change made to the new version. Is this by intention so the app should always validate that the aud is the app ID?
I check all type tokens (no old Azure AD app). For now, only the audience of MS graph API and Azure AD graph API is the app ID URI, for others almost is app ID/client id.