Claim value mismatch: aud=xxxx-480e-b6bf-xxxxxx.

Question

General setup: Azure Function - API Management - client app
https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad
https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-expose-web-apis

If I disable required claims/JWT authentication - everything works.

I created a client app with client id xxx-xxxxx-e2601bd81840 and secret.
I created app registration for API Management and exposed an endpoint. The client app has permissions for default endpoint:

(mind there is no dot in /.default, not sure if it matters)

I can authenticate using client id and secret and receive a Bearer Token:

Decoded, the Bearer Token shows :
"iss": "https://login.microsoftonline.com/Tenant-ID/v2.0",
"aud":"xxxx-480e-b6bf-xxxxxx"

But when I try to call my API Management with it, I get:

IDX10205: Issuer validation failed. Issuer: 'https://sts.windows.net/Tenant-ID/'. Did not match: validationParameters.ValidIssuer: '' or validationParameters.ValidIssuers: 'https://login.microsoftonline.com/Tenant-ID/v2.0'.

I am not sure where sts is coming from. I found some posts mentioning "accessTokenAcceptedVersion": 2, so I changed all 3 manifests (azfunction, apim, and client app) for that, but it didn't change anything.

Next, I added the sts issuer to issuers in the policies (as you can see above), and that resulted with a new error:

Claim value mismatch: aud=xxxx-480e-b6bf-xxxxxx.

The value in the decrypted token is exactly the same, so the error should not be there. I feel somehow like adding the sts issuer only hides the real issue, but I am at my wits' end and not sure what to do next.

Answer 1

@Ano Acco Thank you for sharing the additional information/trace. The policy statements are executed sequentially and based on the code snippet above, authentication-managed-identity is first run. This policy obtains an access token from Azure Active Directory for accessing the specified resource (Func App here) and sets the new token in Authorization header.

When validate-jwt policy is executed, it checks Authorization header's new value and hence it is getting failed. So, you can move authentication-managed-identity statement after validate-jwt policy and validate (set correct claim xxxx-480e-b6bf-xxxxxx). Also, as mentioned in other docs, make sure to set "accessTokenAcceptedVersion": 2 on the client app side (App registration).

<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">  
            <openid-config url="https://login.microsoftonline.com/contoso.onmicrosoft.com/v2.0/.well-known/openid-configuration" />  
            <issuers>  
                <issuer>https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/v2.0</issuer>  
            </issuers>  
            <required-claims>  
                <claim name="aud" match="all">  
                    <value>e3ca38a3-74ab-4e09-9082-191efe69c1a9</value>  
                </claim>  
            </required-claims>  
        </validate-jwt>  
        <authentication-managed-identity resource="func-id" />  

Feel free to add a comment if you have any other questions. We would be happy to assist you. Please 'Accept as answer' and ‘Upvote’ if it helped so that it can help others in the community.