Invalid Audience when trying to authenticate with Entra ID

Jai Holloway 60 Reputation points
2024-07-04T09:32:51.23+00:00

I have written a MAUI application and followed the MAUI authorization flow from the ms-identity-dotnetcore-maui repo.

I have created an API registration and added the scopes, as per the documentation for securing a MAUI app. I have also created a client app and given it rights to the API. I have then published the API to an Azure App Service.

I manage to log in and get back an access token, but I can't use the access token as I keep getting an error with it, so I tried using the ID token. The ID token keeps throwing an error of invalid audience. I have checked the audience in the JWT and it is the native app registration client ID. I can't use the API client ID, because that throws an error of "does not contain a redirect URI", and I can't add the redirect URI because it is msal<clientId>://auth, and it expects the URI to start with https://.

I am at a complete loss at the moment. I can't find any resources to help me with this error. Any suggestions would be greatly appreciated.

Microsoft Security | Microsoft Entra | Microsoft Entra ID
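The "invalid audience" error in the question is the API doing its job: an ID token is issued for the client (its `aud` is the native app registration's client ID), while a bearer token presented to an API must carry the API's own audience plus the delegated scope the caller was granted. The following is an added example, not code from the thread or from the ms-identity-dotnetcore-maui sample, of the claim checks an API performs before trusting a token. The tenant ID, client IDs, app ID URI and scope name are constructed placeholders, and the tokens are signed with a constructed HS256 key so the example runs offline; a real API validates Entra's RS256 signature against the tenant's published signing keys instead.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed identifiers (placeholders, not real tenant or app registrations).
TENANT_ID = "00000000-0000-0000-0000-000000000001"
NATIVE_CLIENT_ID = "11111111-1111-1111-1111-111111111111"  # MAUI (public client) registration
API_CLIENT_ID = "22222222-2222-2222-2222-222222222222"     # API registration
API_AUDIENCE = f"api://{API_CLIENT_ID}"                     # assumed App ID URI exposed by the API
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
REQUIRED_SCOPE = "access_as_user"                           # assumed delegated scope on the API

# Constructed HS256 key so this example can sign and verify its own tokens.
# A real API verifies Entra's RS256 signature with the tenant's published keys (OIDC metadata / JWKS).
DEMO_KEY = b"example-only-shared-secret"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_demo_token(claims: dict) -> str:
    """Build a compact JWT with an HS256 signature (stand-in for Entra's RS256)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_api_token(token: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (accepted, reason) for a bearer token presented to the API."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return False, "malformed token"
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(DEMO_KEY, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        return False, "wrong issuer"
    # The audience check is what turns an ID token (aud = native client ID) away.
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if API_AUDIENCE not in aud_list and API_CLIENT_ID not in aud_list:
        return False, f"invalid audience {aud!r}: expected {API_AUDIENCE}"
    if claims.get("nbf", 0) > now or claims.get("exp", 0) <= now:
        return False, "token not yet valid or expired"
    # Delegated permissions arrive as a space-separated "scp" claim on the access token.
    scopes = claims.get("scp", "").split()
    if REQUIRED_SCOPE not in scopes:
        return False, f"missing scope {REQUIRED_SCOPE}"
    return True, "ok"


def build_sample_tokens(now: int) -> dict:
    """Constructed tokens shaped like what MSAL returns: an ID token and two access tokens."""
    base = {"iss": EXPECTED_ISSUER, "tid": TENANT_ID, "nbf": now - 60, "exp": now + 3600, "sub": "user-1"}
    return {
        "id_token": sign_demo_token({**base, "aud": NATIVE_CLIENT_ID, "name": "Jai"}),
        "access_token": sign_demo_token({**base, "aud": API_AUDIENCE, "scp": REQUIRED_SCOPE}),
        "wrong_scope": sign_demo_token({**base, "aud": API_AUDIENCE, "scp": "User.Read"}),
    }


if __name__ == "__main__":
    now = int(time.time())
    for name, tok in build_sample_tokens(now).items():
        ok, reason = validate_api_token(tok, now)
        print(f"{name}: {'accepted' if ok else 'rejected'} ({reason})")
```

Running it shows the ID token rejected for its audience, the token scoped to another resource rejected for its missing scope, and only the access token requested with the API's own scope accepted; the fix on the client side is to request that scope (not the Graph or OpenID scopes) and send the resulting access token, never the ID token.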

Accepted answer
  1. Navya 20,180 Reputation points Microsoft External Staff Moderator
    2024-07-08T05:33:06.9133333+00:00

    Hi @Jai Holloway

    Thank you for posting this in Microsoft Q&A.

    I understand that you encountered an 'Invalid Audience' error when trying to authenticate with Entra ID for your MAUI application.

    "I can't add the redirect uri because it is msal<clientId>://auth, and it expects the uri to start with https://"

    Redirect URIs support msal<clientId>://auth in native application registration.

    To add a redirect URI to your MAUI application, you can follow the below steps

    1. Open your MAUI application, select the Authentication blade to the left.

    2. Select Add a platform and select the public client/native (mobile & desktop) option.

    You should be able to find the msal{YOUR_CLIENT_ID}://auth option under Redirect URIs. Please select it and click on 'Configure'. If the msal{YOUR_CLIENT_ID}://auth option is not visible, you may need to add it as a custom redirect URI.


    For your reference: A .NET MAUI app using MSAL.NET to sign-in users and calling MS Graph Api

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Navya.

    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

    1 person found this answer helpful.

1 additional answer

  1. Jai Holloway 60 Reputation points
    2024-07-31T06:14:22.01+00:00

    I had to add the iOS option to the endpoints and then use that in my MAUI app. Also, the code that I got down from GitHub overrode one of the methods in the MainActivity of the iOS platform and that seemed to cause the problem. Once I removed the override and moved the initialisation of PublicSingletonClient to the constructor of the MainActivity, I got the app to work. There were a few more tweaks needed, but I got the app to work in both Android and iOS. All I need to do now is create a new provisioning profile on Apple with Keychain access enabled so that I can create an IPA file.

    We are planning on putting our app in the store, but it really is for internal use only. You need a valid Microsoft Entra ID to use the app.

