Azure Authentication - Access Token returning wrong AUD(00000003-0000-0000-c000-000000000000)

Question

Azure Authentication - Access Token returning wrong AUD(00000003-0000-0000-c000-000000000000)

Prathap Dasari 45

I'm currently working on setting up authentication for our API Gateway in Oracle Cloud. To achieve this,
I'm configuring OAuth, and the authentication mechanism involves Azure Active Directory (Azure AD) integration.

Unable to validate the signature of my access token return by azure ad. In the access token it is showing "aud": "00000003-0000-0000-c000-000000000000", "iss": "https://sts.windows.net/mytentid.
How to change my aud and issuer and version in the access token to validate the signature. or any other alternative to validate the token with "aud": "00000003-0000-0000-c000-000000000000",
"iss": "https://sts.windows.net/mytenentid.

It is working fine postman but it is failing with 401 (Unauthorized) but then checking the access token in the jwt.io it's show that Invalid Signature along with above mention aud .

Please assist me to understand the problem here

Navya 20,180 Reputation points Microsoft External Staff Moderator

2023-10-17T12:36:23.55+00:00

Hi @Prathap Dasari , Thanks for reaching us.

I understand you are facing an issue with validating the signature of an access token returned by Azure AD. The access token is showing "aud": "00000003-0000-0000-c000-000000000000", "iss": "https://sts.windows.net/mytentid". You want to know how to change the "aud" and "iss" values in the access token to validate the signature or any other alternative to validate the token with "aud": "00000003-0000-0000-c000-000000000000", "iss":"https://sts.windows.net/mytenentid". As you mentioned that the access token is working fine in Postman but failing with 401 (Unauthorized) when used in their API Gateway in Oracle Cloud. You have also checked the access token in jwt.io and found that it shows "Invalid Signature" along with the above-mentioned "aud" value.

I have tried to reproduce the same in my environment. To authenticate with API Management in Azure through OAuth, pass the scope while generating the access token. To resolve the error, make sure to pass scope as api://AppID/.default.Follow the below steps:

1.Configure an application to expose a web API

Go to your azure Ad application ->select Expose an API ->click on add a scope (you can use the default value of api://<application-client-id>) provide required fields -> click on add scope.

2.Add permissions to access your web API

Azure AD application ->Select API Permissions -> Add a permission
-> My APIs ->Select the web API you registered as part of the scope name (search with application_id it will shows scopes) -> select delegated permissions -> click on add permissions ->As an admin, you can also grant consent on behalf of all users, so they're not prompted to do so.

Provide the below required details to get access token.

replace the scope as api://{yourapplicationid}/.default

You will be getting access token. To validate signature use www.jwt.io your signature will be verified successfully, and you can see aud value as api:// {your ClientID}

Hope this helps. Do let us know if you any further queries.

Thanks,

Navya.

Please remember to "Accept Answer" if answer helped you.
Prathap Dasari 45 Reputation points

2023-10-17T13:21:55.19+00:00

Thank you so much for your reply, Navya!

Actually, it is working fine with Postman when using the Oracle API Gateway. However, when attempting to access the same API using JavaScript and MSAL, it doesn't work in the browser. I've created an API in the app registration and added it to my code, but the issue persists. The access token is being generated with this value: "00000003-0000-0000-c000-000000000000.
decoded in jwt.io tool with access token. attached the screenshot for references.
Prathap Dasari 45 Reputation points

2023-10-17T14:10:32.25+00:00

Unfortunately I commented below. Please check once
Prathap Dasari 45 Reputation points

2023-10-17T14:11:54.3066667+00:00

Unfortunately, I commented below . Please check my response.
Philippe Signoret (Microsoft) 406 Reputation points Microsoft Employee

2023-10-17T22:05:07.34+00:00

Can you share how you're obtaining the access token in the first place? The identifier "00000003-0000-0000-c000-000000000000" is Microsoft Graph, which suggests that you're not actually requesting an access token to your service.

Prathap Dasari 45

Hi, I've just shared that obtaining the access token.
FYI, I've modified the code according to our requirements, and it's now set up to download data from Microsoft Graph.

// Create the main myMSALObj instance
// configuration parameters are located at authConfig.js
const myMSALObj = new msal.PublicClientApplication(msalConfig);

const UserDiv = document.getElementById("User");
const TokenDiv = document.getElementById("token");

let username = "";

function selectAccount() {

    /**
     * See here for more info on account retrieval: 
     * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-common/docs/Accounts.md
     */

    const currentAccounts = myMSALObj.getAllAccounts();
    if (currentAccounts.length === 0) {
        console.info(" no accounts detected.");
        return;
    } else if (currentAccounts.length > 1) {
        // Add choose account code here
        console.warn("Multiple accounts detected.");
    } else if (currentAccounts.length === 1) {
        username = currentAccounts[0].username;
        console.info(" 1 account detected:" + username);
         
    }
}

function handleResponse(response) {

    /**
     * To see the full list of response object properties, visit:
     * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/request-response-object.md#response
     */

    if (response !== null) {
        console.log("Signin response")
        console.log(response );
        username = response.account.username;
        UserDiv.innerHTML = `Hie ${username}`;
        getToken();
        
    } else {
        selectAccount();
    }
}


function handleTokenResponse(response) {

    /**
     * To see the full list of response object properties, visit:
     * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/request-response-object.md#response
     */

    if (response !== null) {
        console.log("Token response")
        console.log(response );
        console.log("Access token: " + response.accessToken);
        TokenDiv.innerHTML = `Access token: ${response.accessToken}`;
        
        /* load global var */
        globalToken=response.accessToken;
        
    } else {
         console.log("No response ...in handleToken response" );
    }
}



function signIn() {

    /**
     * You can pass a custom request object below. This will override the initial configuration. For more information, visit:
     * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/request-response-object.md#request
     */

    myMSALObj.loginPopup(loginRequest)
        .then(handleResponse)
        .catch(error => {
            console.error(error);
        });
}

function signOut() {

    /**
     * You can pass a custom request object below. This will override the initial configuration. For more information, visit:
     * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/request-response-object.md#request
     */

    const logoutRequest = {
        account: myMSALObj.getAccountByUsername(username),
        postLogoutRedirectUri: msalConfig.auth.redirectUri,
        mainWindowRedirectUri: msalConfig.auth.redirectUri
    };

    myMSALObj.logoutPopup(logoutRequest);
}

function getTokenPopup(request) {

    /**
     * See here for more info on account retrieval: 
     * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-common/docs/Accounts.md
     */
    request.account = myMSALObj.getAccountByUsername(username);
    
    return myMSALObj.acquireTokenSilent(request)
        .catch(error => {
            console.warn("silent token acquisition fails. acquiring token using popup");
            if (error instanceof msal.InteractionRequiredAuthError) {
                // fallback to interaction when silent call fails
                return myMSALObj.acquireTokenPopup(request)
                    .then(tokenResponse => {
                        console.log(tokenResponse);
                        return tokenResponse;
                    }).catch(error => {
                        console.error(error);
                    });
            } else {
                console.warn(error);   
            }
    });
}

function getToken() {
    getTokenPopup(loginRequest)
        .then(response => {        
            handleTokenResponse(response);
        }).catch(error => {
            console.error(error);
        });
}


selectAccount();

Navya 20,180 Reputation points Microsoft External Staff Moderator

2023-10-30T11:43:09.11+00:00

Hi Prathap Dasari ,

Did you get a chance to look into above solution?

Accepted answer

0 additional answers

Your answer

Prathap Dasari 45 Reputation points

2023-10-17T13:21:55.19+00:00

Thank you so much for your reply, Navya!

Actually, it is working fine with Postman when using the Oracle API Gateway. However, when attempting to access the same API using JavaScript and MSAL, it doesn't work in the browser. I've created an API in the app registration and added it to my code, but the issue persists. The access token is being generated with this value: "00000003-0000-0000-c000-000000000000.
decoded in jwt.io tool with access token. attached the screenshot for references.
Prathap Dasari 45 Reputation points

2023-10-17T14:10:32.25+00:00

Unfortunately I commented below. Please check once
Prathap Dasari 45 Reputation points

2023-10-17T14:11:54.3066667+00:00

Unfortunately, I commented below . Please check my response.
Philippe Signoret (Microsoft) 406 Reputation points Microsoft Employee

2023-10-17T22:05:07.34+00:00

Can you share how you're obtaining the access token in the first place? The identifier "00000003-0000-0000-c000-000000000000" is Microsoft Graph, which suggests that you're not actually requesting an access token to your service.
Navya 20,180 Reputation points Microsoft External Staff Moderator

2023-10-30T11:43:09.11+00:00

Hi Prathap Dasari ,

Did you get a chance to look into above solution?

Answer 1

Hi Prathap Dasari,

I would like to know which flow you are referring OAuth code flow or client-credential flow?

1.OAuth code flow used when the client application needs to access the user’s resources on behalf of the user. In this flow, the user is redirected to the authorization server, where they authenticate and grant permission to the client application. The authorization server then returns an authorization code to the client application, which is exchanged for an access token that can be used to access the user’s resources. For this flow we need openid,offline_access,profile

2.Where Client-credential flow used when the client application needs to access its own resources, rather than the resources of a user. In this flow, the client application sends its own credentials (client ID and secret) to the authorization server, which returns an access token that can be used to access its own resources./.default scope allows the application to request all the permissions defined in its Azure AD app registration.

As you provided code snippet you are passing API//{ApplicationID}/.default scope which means you are referring client-credential flow. But under const token request block you mention scope as user.read and mail.read which referring authorization code flow. To use the client-credential flow, need to remove this block. User's image

For browser-based application, you need user interaction for which you require authorization code flow. In this case, need to remove /.default scope.

Thanks,

Navya.

Share via

Azure Authentication - Access Token returning wrong AUD(00000003-0000-0000-c000-000000000000)

0 additional answers

Your answer