on-behalf-of-flow

贾海锋 306 Reputation points
2022-10-13T07:59:06.447+00:00

Microsoft Learn: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow and https://blogs.aaddevsup.xyz/2019/08/understanding-azure-ads-on-behalf-of-flow-aka-obo-flow/ My question is: if web API 1 is the Graph API and web API 2 is the SharePoint Online REST API, it will fail. The error message is "AADSTS50013: Assertion failed signature validation. [Reason - Key was found, but use of the key to verify the signature failed., Thumbprint of key used by client:


Accepted answer
  1. CarlZhao-MSFT 46,376 Reputation points
    2022-10-14T08:00:54.413+00:00

    Hi anonymous user

    The graph APIs cannot be used as middle-tier APIs, and the web api 1 in question should be the application in the tenant that has APIs exposed. Reference: https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-expose-web-apis.




1 additional answer

  1. Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator
    2022-10-13T10:18:15.683+00:00

    anonymous user, thank you for reaching out to us. As I understand it, you are getting an AADSTS50013 error while using the on-behalf-of flow.

    AADSTS50013 means the public key was found in Azure AD; however, the public key and certificate were not able to verify the signature of the token.

    There are two scenarios for this.

    Scenario 1: Target audience ("aud" claim) is meant for someone else
    If the issue is with an access token and the audience is not for the application itself, for example the access token audience is for Microsoft Graph:

    "aud": "https://graph.microsoft.com" or "00000003-0000-0000-c000-000000000000"

    or a different API that is not yours, this is expected, and your application is not supposed to consume or validate the access token, as the access token is meant for the target audience.

    In that case you need to validate that the user has access to your application before making a call to the target API: you should first get an access token for your application and then acquire another token for the target API. Or, if you simply want to pull information from the token, like a user display name or groups, then use the identity token. Don't use the access token for this purpose.

    You can also refer to these posts where a similar issue has been discussed:
    https://learn.microsoft.com/en-us/answers/questions/899134/key-was-found-but-use-of-the-key-to-verify-the-sig.html
    https://learn.microsoft.com/en-us/answers/questions/1018163/teams-auth-ms-graph-in-java.html?childToView=1019000#answer-1019000

    Let me know if you have any further questions.
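A defensive pre-check for Scenario 1 above, added here as an example (it is not code from the thread, from Microsoft Learn, or from MSAL): before a middle-tier API attempts an on-behalf-of exchange, it inspects the inbound token's `aud` claim and refuses tokens minted for Microsoft Graph or any other API. The client ID `11111111-2222-3333-4444-555555555555` and the sample tokens are constructed placeholders; the audience check is a pre-filter only and does not replace full signature validation against the tenant's signing keys.

```python
import base64
import json

# Audiences that identify *this* middle-tier API (constructed placeholder client ID).
MY_API_AUDIENCES = {
    "11111111-2222-3333-4444-555555555555",          # app (client) ID
    "api://11111111-2222-3333-4444-555555555555",    # App ID URI
}
# Microsoft Graph's two audience forms, as quoted in the answer above.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.
    Only used to look at `aud`; the token must still be fully validated (signature,
    issuer, expiry) against the tenant's keys before anything in it is trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def audience_check(token: str) -> str:
    """Classify an inbound token before any on-behalf-of exchange is attempted.
    'ok'    -> aud names this API; proceed to full validation, then OBO
    'graph' -> aud is Microsoft Graph (Scenario 1: the token was never for us)
    'other' -> aud is some other API; likewise must not be consumed here"""
    aud = jwt_claims(token).get("aud", [])
    auds = {aud} if isinstance(aud, str) else set(aud)  # RFC 7519: string or list
    if auds & MY_API_AUDIENCES:
        return "ok"
    if auds & GRAPH_AUDIENCES:
        return "graph"
    return "other"


def make_demo_token(claims: dict) -> str:
    """Build a constructed JWT with a dummy signature, for local demonstration only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.dummysig"
```

A token classified as `graph` is the situation the answer describes: the client should have requested a token scoped to your API (the `ok` case) and let your API perform the on-behalf-of exchange for Graph or SharePoint.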

