Azure AD: custom AudienceValidator function not firing

JAL 591 Reputation points
2023-09-24T21:19:38.4233333+00:00

I'm testing locally. When the Audience in the bearer token is created like this:

string[] scopes = { "https://graph.microsoft.com/.default" };

the user gets 401 unauthorized and my AudienceValidator function never fires. It fires when the Audience is this:

string[] scopes = { someClientID + "/.default" };

The end result is that it usually fires when the Audience is correct. In reality I need it to fire all the time, especially when the Audience is incorrect.

I've spent many hours on this. I've tried every combination of the below values known to me. Removing the last two lines doesn't help. Switching from "true" to "false" doesn't help.

services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(opt =>
    {
        opt.Authority = authority;
        opt.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
        {
            ValidateIssuer = false,
            // delegate: bool (IEnumerable<string> audiences, SecurityToken token, TokenValidationParameters p)
            AudienceValidator = funcValidateAudience, // NOT FIRING.
            ValidateAudience = true,
            ValidAudiences = validAudiences,
        };
    });

Accepted answer
Bruce (SqlWork.com) 63,916 Reputation points
    2023-09-24T22:13:47.18+00:00

    The signature is checked before the audience. Are you sure your client passed a valid token?
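The ordering the answer describes, as an added stand-alone demo (not the asker's or Microsoft's code): it drives the same TokenValidationParameters the JwtBearer handler consumes through JwtSecurityTokenHandler, with a delegate that records whether it ran. The key, issuer and the app ID URI api://my-api are constructed for the demo; the third token is signed with a different key, so signature validation fails before the audience delegate is ever consulted.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;
// Added demo, not the asker's code. Needs the System.IdentityModel.Tokens.Jwt package.
// A constructed symmetric key stands in for the tenant's signing keys so it runs offline.
static class AudienceValidatorOrderDemo
{
    static readonly SymmetricSecurityKey GoodKey =
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes("constructed-demo-key-at-least-32-bytes!!"));

    static string Issue(string audience, SecurityKey key)
    {
        var handler = new JwtSecurityTokenHandler();
        var jwt = handler.CreateJwtSecurityToken(
            issuer: "https://issuer.example/", audience: audience,
            subject: new ClaimsIdentity(new[] { new Claim("sub", "demo-user") }),
            expires: DateTime.UtcNow.AddMinutes(5),
            signingCredentials: new SigningCredentials(key, SecurityAlgorithms.HmacSha256));
        return handler.WriteToken(jwt);
    }

    // Mirrors the asker's TokenValidationParameters; the delegate records whether it was invoked.
    static void Validate(string label, string token)
    {
        bool fired = false;
        var parameters = new TokenValidationParameters
        {
            ValidateIssuer = false,
            ValidateAudience = true,
            IssuerSigningKey = GoodKey,
            AudienceValidator = (audiences, securityToken, p) =>
            {
                fired = true;
                foreach (var a in audiences) if (a == "api://my-api") return true; // constructed app ID URI
                return false; // any other audience (e.g. a Graph token) is rejected
            },
        };
        try { new JwtSecurityTokenHandler().ValidateToken(token, parameters, out _); Console.WriteLine($"{label}: valid"); }
        catch (SecurityTokenException e) { Console.WriteLine($"{label}: {e.GetType().Name}"); }
        Console.WriteLine($"  AudienceValidator fired: {fired}");
    }

    static void Main()
    {
        var otherKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("another-constructed-key-32-bytes-long!!!"));
        Validate("good signature, right audience", Issue("api://my-api", GoodKey));
        Validate("good signature, foreign audience", Issue("https://graph.microsoft.com", GoodKey));
        Validate("bad signature, foreign audience", Issue("https://graph.microsoft.com", otherKey));
    }
}
```

A token whose signature cannot be verified against the configured keys is rejected on that step alone, which is why a custom AudienceValidator gives no signal about such tokens; inspect the JwtBearer failure (OnAuthenticationFailed) or the handler's logs to see which validation step threw.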


1 additional answer

JAL 591 Reputation points
    2023-09-24T21:32:08.2466667+00:00

    I meant to include this line of code in my post:

    services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)

    This is a .NET Core 5.0 web API.