401 Error: IDX40001 Token Issuer is invalid. Where does the GUID in the issuer string come from?

Henry Petersen 41 Reputation points
2022-09-28T13:31:57.57+00:00

Consistently received a 401 error when calling a simple ping web API. Finally determined that the issuer being returned in my token was not being recognized during the authorization process.

I added the issuer from the token to my web API configuration as the 'Authority' and my web API completed successfully. My fear is this value changes in the future. The GUID in the string is a value I cannot locate anywhere in Azure AD or Azure AD B2C.

Can you provide insight into how the issuer is created and where the GUID value comes from?


2 answers

  1. 2022-09-28T23:21:56.377+00:00

    Hello @Henry Petersen and thanks for reaching out. In Azure AD B2C, for every user flow the issuer claim is created using the tenant ID. Check the following documentation to Get your tenant ID. Also, B2C supports two issuer/authority formats; changing it could yield the IDX40001 error. For more information on how to change and ensure the same value, take a look at Token compatibility settings.

    Let us know if you need additional assistance. If the answer was helpful, please accept it and complete the quality survey so that others can find a solution.


  2. Henry Petersen 41 Reputation points
    2022-09-29T20:18:56.473+00:00

    I finally googled the GUID and it turns out when 'Multitenant Login or personal Microsoft accounts' option is selected as the answer for who can use this API, the issuer will be the MSA tenant if the email is associated to a Microsoft account.

    The GUID in question represents the MSA tenant (Microsoft accounts).

    https://learn.microsoft.com/en-us/answers/questions/408510/in-which-cases-the-application39s-appownerorganiza.html

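The two answers above describe the same defensive point from different angles: the issuer claim is derived from a tenant ID (the B2C tenant in one of two supported formats, or the Microsoft-accounts tenant when personal accounts are allowed), so an API should build its accepted issuers from the tenant ID it trusts rather than pasting whatever `iss` value a token happened to carry. The following Python is an added illustration of that check, not code from the question, the answers, or Microsoft; the tenant ID, tenant name, policy name and the tokens are constructed sample values, the MSA tenant ID constant is taken from Microsoft's documentation rather than from this page, and the policy segment is lowercased on the assumption that the `tfp` issuer format does so. The example decodes the payload only; signature and key verification must still happen separately in any real API.

```python
import base64
import json
import re
from typing import Optional, Set, Tuple

# Well-known tenant id of the Microsoft accounts (MSA) tenant. This value is
# not on the page; it is taken from Microsoft's documentation (assumption).
MSA_TENANT_ID = "9188040d-6c67-4c5b-b112-36a304b66dad"

GUID_RE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I
)


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def read_claims(token: str) -> dict:
    """Return the payload of a compact JWT WITHOUT verifying its signature.
    Signature, key and expiry checks are a separate, mandatory step."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(b64url_decode(parts[1]))


def expected_issuers(tenant_id: str, tenant_name: str, policy: str,
                     allow_msa: bool) -> Set[str]:
    """Build the issuer values this API accepts from the tenant id it trusts.
    Both B2C issuer formats are listed so a change of the token-compatibility
    setting does not start producing IDX40001 rejections."""
    b2c_host = f"https://{tenant_name}.b2clogin.com"
    issuers = {
        f"{b2c_host}/{tenant_id}/v2.0/",
        # 'tfp' format; policy lowercased as it appears in the claim (assumption)
        f"{b2c_host}/tfp/{tenant_id}/{policy.lower()}/v2.0/",
    }
    if allow_msa:
        # 'Multitenant and personal Microsoft accounts': MSA users get tokens
        # issued by the MSA tenant, which is the GUID asked about above.
        issuers.add(f"https://login.microsoftonline.com/{MSA_TENANT_ID}/v2.0")
    return issuers


def issuer_tenant(iss: str) -> Optional[str]:
    """Extract the tenant GUID embedded in an issuer URL (None if absent)."""
    m = GUID_RE.search(iss)
    return m.group(0).lower() if m else None


def check_issuer(token: str, allowed: Set[str]) -> Tuple[bool, Optional[str]]:
    """Return (accepted, tenant_guid) for the token's 'iss' claim, so a
    rejection can be logged with the tenant that actually issued the token."""
    iss = read_claims(token).get("iss", "")
    return iss in allowed, issuer_tenant(iss)


def make_unsigned_token(claims: dict) -> str:
    """Constructed test token: header.payload.<dummy signature>, no real key."""
    enc = lambda obj: base64.urlsafe_b64encode(
        json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


# Constructed sample configuration and tokens.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
ALLOWED = expected_issuers(TENANT_ID, "contoso", "B2C_1_signupsignin", True)
ALLOWED_NO_MSA = expected_issuers(TENANT_ID, "contoso", "B2C_1_signupsignin", False)

TOKEN_B2C = make_unsigned_token(
    {"iss": f"https://contoso.b2clogin.com/{TENANT_ID}/v2.0/", "aud": "api"})
TOKEN_MSA = make_unsigned_token(
    {"iss": f"https://login.microsoftonline.com/{MSA_TENANT_ID}/v2.0", "aud": "api"})
TOKEN_OTHER = make_unsigned_token(
    {"iss": "https://login.microsoftonline.com/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/v2.0"})

if __name__ == "__main__":
    for name, tok in [("b2c", TOKEN_B2C), ("msa", TOKEN_MSA), ("other", TOKEN_OTHER)]:
        ok, tenant = check_issuer(tok, ALLOWED)
        print(f"{name}: accepted={ok} issuing_tenant={tenant}")
```

The design point is that `ALLOWED` is computed from the tenant ID the API owner already knows, so if the token compatibility setting flips between the two B2C formats the API keeps working, and a token from an unexpected tenant is rejected while its GUID is surfaced for the log rather than silently dropped.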