Hi Harald,
Thank you very much again!
It does work! So, when my JavaScript (based on msal.js) client is asking for scope ["api://app_id/access_as_user","user.read"], the received token contains the expected aud and can be validated by the server, which is good and is actually what I'm trying to get! BTW the token is different and contains less information when asking for scope ["api://app_id/access_as_user","user.read"].
But now I have a different problem with authentication itself. The user is logged in and the token is received, but the flow can't continue - when the client is asking for scope ["api://app_id/access_as_user","user.read"], I get back from Azure the response: "Your browser is currently set to block cookies. You need to allow cookies to use this service. Cookies are small text files stored on your computer that tell us when you're signed in. To learn how to allow cookies, check the online help in your web browser." I do use cookies in my Chrome and have never blocked them.
The order of scopes also changes the behavior:
["user.read", "api://app_id/access_as_user"] - it looks like the access_as_user scope is ignored, because the token again contains "aud": "00000003-0000-0000-c000-000000000000" and login works, but the token can't be validated.
Maybe I'm still missing something? Maybe I need to write a different validation method - now I'm using some example using Appreciate it if you have any suggestion.
Validation method
using System;
using System.Globalization;
using System.IdentityModel.Tokens.Jwt;
using System.Text;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Logging;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

class Program
{
    static async Task Main()
    {
        IdentityModelEventSource.ShowPII = true; // log full claim values while debugging
        string token_access_token_NOT_GOOD = ""; // paste the access token under test here
        string myTenant = "AD-ID";
        var myAudience = "Client-ID"; //https://graph.microsoft.com/.default
        var myIssuer = String.Format("https://login.microsoftonline.com/{0}/v2.0", myTenant);
        var mySecret = "zzz";
        var mySecurityKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(mySecret));
        var stsDiscoveryEndpoint = String.Format(CultureInfo.InvariantCulture, "https://login.microsoftonline.com/{0}/.well-known/openid-configuration", myTenant);
        var configManager = new ConfigurationManager<OpenIdConnectConfiguration>(stsDiscoveryEndpoint, new OpenIdConnectConfigurationRetriever());
        var config = await configManager.GetConfigurationAsync(); // fetches the tenant's published signing keys
        var tokenHandler = new JwtSecurityTokenHandler();
        var validationParameters = new TokenValidationParameters
        {
            ValidAudience = myAudience,
            ValidIssuer = myIssuer,
            IssuerSigningKeys = config.SigningKeys,  // the keys Azure AD actually signs with
            ValidateLifetime = false,                // expiry is not checked with this setting
            IssuerSigningKey = mySecurityKey,        // client secret; Azure AD does not sign tokens with it
            RequireExpirationTime = false
        };
        // Throws an Exception as the token is invalid (expired, invalid-formatted, etc.)
        tokenHandler.ValidateToken(token_access_token_NOT_GOOD, validationParameters, out var validatedToken);
        Console.WriteLine(validatedToken);
        Console.ReadLine();
    }
}
Thanks,
Evgeny
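A hardened validation method for the access_as_user case, added here as an example; it is not part of Evgeny's post or any Microsoft sample, and the tenant ID, API client ID and the api:// identifier URI are placeholders. It accepts both audience and issuer formats Azure AD emits for an API token, keeps lifetime checks on, drops the client-secret key, and also requires the delegated scope, so a Graph token obtained with the scopes in the other order is rejected instead of silently accepted.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

public static class ApiTokenValidator
{
    // Placeholders (assumed, not from the thread): the tenant and the API app registration's client ID.
    const string TenantId = "<tenant-id>";
    const string ApiClientId = "<api-client-id>";
    const string RequiredScope = "access_as_user";

    // Caches the discovery document and signing keys; refreshes automatically on key rollover.
    static readonly ConfigurationManager<OpenIdConnectConfiguration> ConfigManager =
        new ConfigurationManager<OpenIdConnectConfiguration>(
            $"https://login.microsoftonline.com/{TenantId}/v2.0/.well-known/openid-configuration",
            new OpenIdConnectConfigurationRetriever());

    public static async Task<ClaimsPrincipal> ValidateAsync(string accessToken)
    {
        OpenIdConnectConfiguration config = await ConfigManager.GetConfigurationAsync();
        var parameters = new TokenValidationParameters
        {
            // aud is the bare app ID when accessTokenAcceptedVersion is 2, the api:// Application ID URI for v1 tokens.
            ValidAudiences = new[] { ApiClientId, $"api://{ApiClientId}" },
            // The issuer format also depends on the token version.
            ValidIssuers = new[] { $"https://login.microsoftonline.com/{TenantId}/v2.0",
                                   $"https://sts.windows.net/{TenantId}/" },
            // Only Azure AD's published RS256 keys; a client secret never signs these tokens.
            IssuerSigningKeys = config.SigningKeys,
            ValidateLifetime = true,
            RequireExpirationTime = true,
            RequireSignedTokens = true,
            ClockSkew = TimeSpan.FromMinutes(2)
        };

        // Signature, issuer, audience and expiry are all checked here; a Graph token
        // (aud 00000003-0000-0000-c000-000000000000) is rejected by the audience check.
        var principal = new JwtSecurityTokenHandler().ValidateToken(accessToken, parameters, out var validated);

        // Audience alone is not enough: the delegated scope must also be present.
        var scp = ((JwtSecurityToken)validated).Claims.FirstOrDefault(c => c.Type == "scp")?.Value ?? "";
        if (!scp.Split(' ').Contains(RequiredScope))
            throw new SecurityTokenException($"Token lacks required scope '{RequiredScope}'.");
        return principal;
    }
}
```

Wrap the call in a try/catch for SecurityTokenException at the API boundary and return 401; with IdentityModelEventSource.ShowPII enabled, the exception message names which check (audience, issuer, signature, lifetime) failed.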