Azure Authentication - Access Token returning wrong AUD(00000003-0000-0000-c000-000000000000)

Prathap Dasari 45 Reputation points
2023-10-16T20:37:59.5166667+00:00

I'm currently working on setting up authentication for our API Gateway in Oracle Cloud. To achieve this,
I'm configuring OAuth, and the authentication mechanism involves Azure Active Directory (Azure AD) integration.

I am unable to validate the signature of my access token returned by Azure AD. In the access token it is showing "aud": "00000003-0000-0000-c000-000000000000", "iss": "https://sts.windows.net/mytentid".
How do I change the aud, issuer and version in the access token so that I can validate the signature? Or is there any other alternative to validate the token with "aud": "00000003-0000-0000-c000-000000000000",
"iss": "https://sts.windows.net/mytenentid"?

It is working fine in Postman, but it is failing with 401 (Unauthorized). When I then check the access token in jwt.io it shows "Invalid Signature" along with the above-mentioned aud.

Please assist me in understanding the problem here.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Accepted answer
    Navya 20,100 Reputation points Microsoft External Staff Moderator
    2023-10-20T12:37:52.82+00:00

    Hi Prathap Dasari,

    I would like to know which flow you are referring to: the OAuth code flow or the client-credential flow?

    1. The OAuth code flow is used when the client application needs to access the user’s resources on behalf of the user. In this flow, the user is redirected to the authorization server, where they authenticate and grant permission to the client application. The authorization server then returns an authorization code to the client application, which is exchanged for an access token that can be used to access the user’s resources. For this flow we need openid, offline_access, profile.

    2. The client-credential flow is used when the client application needs to access its own resources, rather than the resources of a user. In this flow, the client application sends its own credentials (client ID and secret) to the authorization server, which returns an access token that can be used to access its own resources. The /.default scope allows the application to request all the permissions defined in its Azure AD app registration.

    In the code snippet you provided, you are passing the API//{ApplicationID}/.default scope, which means you are referring to the client-credential flow. But under the const token request block you mention the scope as user.read and mail.read, which refers to the authorization code flow. To use the client-credential flow, you need to remove this block.

    For a browser-based application, you need user interaction, for which you require the authorization code flow. In this case, you need to remove the /.default scope.

    Thanks,

    Navya.

    1 person found this answer helpful.
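The check an API gateway should run before it even looks up signing keys is whether the token was minted for this API at all. The example below is added here and is not code from the question, the answer, or Microsoft; the app ID URI and tenant ID are constructed placeholders, and the tokens are built locally with a dummy signature so the claim checks can be exercised offline. A token carrying the aud from the question fails the audience check, which is the reason to fix the requested scope rather than to try to change the claims.

```python
import base64
import json

# Constructed placeholders, not values from the page: the API's own App ID URI and tenant.
API_APP_ID_URI = "api://11111111-2222-3333-4444-555555555555"
TENANT_ID = "mytenantid"
# The aud reported in the question. It is the Microsoft Graph application ID,
# so the token was issued for Graph, not for the caller's API.
QUESTION_AUD = "00000003-0000-0000-c000-000000000000"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed JWT with a dummy signature, only to exercise the checks below."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.dummysig"


def decode_claims(token: str) -> dict:
    """Read the payload WITHOUT verifying the signature. This only tells us which
    resource the token was minted for; signature verification against the issuer's
    published signing keys must still follow once the audience is known to be ours."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def audience_problems(claims: dict, tenant_id: str, expected_aud: set) -> list:
    """Return the reasons a token must be rejected before any key lookup happens."""
    problems = []
    aud = claims.get("aud")
    if aud not in expected_aud:
        problems.append(f"aud {aud!r} is not this API; the client requested a scope for another resource")
    # v1.0 and v2.0 tokens use different issuer formats for the same tenant.
    expected_iss = {
        "1.0": f"https://sts.windows.net/{tenant_id}/",
        "2.0": f"https://login.microsoftonline.com/{tenant_id}/v2.0",
    }.get(claims.get("ver"))
    if expected_iss is None:
        problems.append(f"unknown token version {claims.get('ver')!r}")
    elif claims.get("iss") != expected_iss:
        problems.append(f"iss {claims.get('iss')!r} does not match {expected_iss!r}")
    return problems


def inspect(token: str, tenant_id: str, expected_aud: set) -> list:
    return audience_problems(decode_claims(token), tenant_id, expected_aud)
```

An empty list means the token is addressed to this API and the issuer matches the tenant, so key lookup and signature verification can proceed; any entry means the client must request the API's own scope (for the client-credential flow, `{App ID URI}/.default`) instead.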
