How to fix AADSTS501461 when logging into SPA

Milos@Signum 0 Reputation points
2024-10-27T12:56:59.0033333+00:00

We have a more or less standard setup in Microsoft Entra with:

  • One application registration which exposes an API with two scopes
  • One application registration with SPA platform which has permissions to the API exposed by the first application

Each of the above apps has a corresponding Enterprise application allowing anyone with a tenant account to use the applications.
None of the apps above have any app roles.

Our Ocelot API Gateway auth is configured using the API app registration's ClientId with the JWT bearer authentication scheme:

    builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
        .AddMicrosoftIdentityWebApi(builder.Configuration)
        .EnableTokenAcquisitionToCallDownstreamApi()
        .AddInMemoryTokenCaches();

Our Angular frontend is configured to use the SPA app registration with corresponding scopes as protected resources (we use @azure/msal-angular 3.0.23).

This setup had been working fine for a couple of years until this Friday, when we suddenly began getting the error below in our frontend app when requesting a token from the OAuth2 token endpoint (https://login.microsoftonline.com/.../oauth2/v2.0/token):

    {
        "error": "invalid_request",
        "error_description": "AADSTS501461: AcceptMappedClaims is only supported for a token audience matching the application GUID or an audience within the tenant's verified domains. Either change the resource identifier, or use an application-specific signing key...",
        "error_codes": [501461],
        "timestamp": "2024-10-27 12:11:02Z",
        "trace_id": "...",
        "correlation_id": "..."
    }

This happened after conducting a test on the SPA Microsoft Entra app: first adding an additional App Owner, and later manually removing and then re-adding a user assignment under the Users and groups tab.

Has anyone got any idea how this can occur?
Many thanks

Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. Bhasker Donthu 945 Reputation points Microsoft External Staff
    2024-11-04T09:42:28.4133333+00:00

    Hello @Milos@Signum,

    Thank you for posting your query on Microsoft Q&A.

    Understood that you're encountering the error "AADSTS501461: AcceptMappedClaims is only supported for a token audience matching the application GUID or an audience within the tenant's verified domains." This error indicates an issue with the token's audience claim requested by your Single Page Application (SPA).

    It can occur for several reasons, especially after changes to the application registration, like adding app owners or modifying user assignments.

    Here are a few approaches to troubleshoot and resolve the issue:

    1. Verify Application Registration Settings:

       • Ensure the API app's Application ID URI matches the resource identifier requested by the SPA.
       • Confirm the SPA app is requesting the correct API scopes (formatted as api://<client-id>/<scope-name>).

    2. Check Token Configuration:

       • In the API app's "Token configuration," verify the audience claim and ensure optional claims are set correctly without conflicts.

    3. User Assignment:

       • Confirm users are assigned to the SPA app if required and have the necessary permissions in the "Users and groups" section.

    4. Review Conditional Access Policies:

       • Check for policies that could block access or alter claims; ensure users meet all conditions, like MFA or device compliance.

    5. Compare CI and UAT Environments:

       • Identify discrepancies in configurations, permissions, or assignments between CI and UAT environments.

    6. Check for Azure AD Changes:

       • Review recent changes in Azure AD (e.g., app owner adjustments or user assignments) that may affect the app registration. Check audit logs for any clues.

    7. Testing with Different Users:

       • Test with multiple users to determine if the issue is user-specific or affects all users.

    8. Recreate the App Registration:

       • As a last resort, recreate the app registration for both the SPA and API to eliminate any potential misconfigurations.

    I hope this information is helpful. Please feel free to reach out if you have any further questions. If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

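The following is an added diagnostic, not code from the question or from the answer above, that turns the first two troubleshooting steps (does the resource identifier the SPA requests match the API app, and does the audience in the returned token satisfy the conditions named in the AADSTS501461 message) into checks that can be run offline. It goes slightly beyond the answer by also reading the aud claim out of an access token. The API client ID, the verified domain, the scope names, the endpoint URL and the sample token are all constructed placeholders, and the helper names (parseScope, audienceIsAcceptable, findBadScopes, readAud) are hypothetical rather than MSAL APIs.

```typescript
// Added example (not code from the question or the answer): a small diagnostic
// for the audience conditions named in AADSTS501461. The GUID, the verified
// domain, the scope names and the sample token are constructed placeholders.

// Client ID of the app registration that exposes the API (placeholder).
export const API_CLIENT_ID = "11111111-2222-3333-4444-555555555555";
// Verified domains of the tenant (placeholder).
export const TENANT_VERIFIED_DOMAINS = ["contoso.example"];

// The SPA's protected resources, in the shape MSAL's protectedResourceMap is
// built from (a plain object here; msal-angular takes a Map of these entries).
// Scopes for our API must use <Application ID URI>/<scope-name>, which by
// default is api://<api-client-id>/<scope-name>.
export const protectedResources: Record<string, string[]> = {
  "https://gateway.contoso.example/api/": [
    "api://" + API_CLIENT_ID + "/Orders.Read",
    "api://" + API_CLIENT_ID + "/Orders.Write",
  ],
};

// Split "resource/scope" into its resource identifier and scope name.
// A bare scope name with no resource prefix yields null.
export function parseScope(scope: string): { resource: string; name: string } | null {
  const i = scope.lastIndexOf("/");
  if (i <= 0 || i === scope.length - 1) return null;
  return { resource: scope.slice(0, i), name: scope.slice(i + 1) };
}

// The conditions the error message states: the audience must be the
// application GUID (bare, as v2.0 tokens carry it, or as api://<guid>, as v1.0
// tokens do) or an https URI under one of the tenant's verified domains.
export function audienceIsAcceptable(aud: string, apiClientId: string, verifiedDomains: string[]): boolean {
  const guid = apiClientId.toLowerCase();
  const a = aud.toLowerCase();
  if (a === guid || a === "api://" + guid) return true;
  try {
    const url = new URL(aud);
    if (url.protocol !== "https:") return false;
    const host = url.hostname.toLowerCase();
    return verifiedDomains.some(function (d) {
      const dom = d.toLowerCase();
      return host === dom || host.slice(-(dom.length + 1)) === "." + dom;
    });
  } catch (e) {
    return false; // not a URL at all
  }
}

// Return every requested scope whose resource part would not be an
// acceptable audience for our API (step 1 of the answer).
export function findBadScopes(resources: Record<string, string[]>, apiClientId: string, verifiedDomains: string[]): string[] {
  const bad: string[] = [];
  Object.keys(resources).forEach(function (endpoint) {
    resources[endpoint].forEach(function (s) {
      const p = parseScope(s);
      if (!p || !audienceIsAcceptable(p.resource, apiClientId, verifiedDomains)) bad.push(s);
    });
  });
  return bad;
}

// Read the aud claim of a JWT without verifying it, purely to compare it with
// the identifiers above. Signature verification stays with the gateway.
export function readAud(jwt: string): string | null {
  const parts = jwt.split(".");
  if (parts.length !== 3) return null;
  let b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  while (b64.length % 4 !== 0) b64 += "=";
  try {
    const payload = JSON.parse(atob(b64));
    return typeof payload.aud === "string" ? payload.aud : null;
  } catch (e) {
    return null;
  }
}

// Constructed, unsigned sample token whose aud is the API's Application ID URI.
function b64url(s: string): string {
  return btoa(s).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
export const SAMPLE_TOKEN =
  b64url(JSON.stringify({ alg: "none", typ: "JWT" })) + "." +
  b64url(JSON.stringify({ aud: "api://" + API_CLIENT_ID, scp: "Orders.Read" })) + ".";

// Usage: an empty list from findBadScopes and an acceptable aud mean the
// requested resource identifier is not the cause of AADSTS501461.
console.log(findBadScopes(protectedResources, API_CLIENT_ID, TENANT_VERIFIED_DOMAINS));
console.log(readAud(SAMPLE_TOKEN), audienceIsAcceptable(readAud(SAMPLE_TOKEN) || "", API_CLIENT_ID, TENANT_VERIFIED_DOMAINS));
```

If findBadScopes reports a scope, the SPA is asking for a resource that the API registration does not own (a stale or mistyped Application ID URI, or a bare scope name that never names the API at all); if the scopes are fine but a real token's aud fails the check, the problem sits on the API registration side (the Application ID URI or the token configuration) rather than in the SPA request.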
