Token issuer for API is sts.windows.net instead of the required login.microsoftonline.com issuer.

KGarvin 0 Reputation points
2025-02-11T22:27:04.7033333+00:00

Within my iOS app, I am acquiring a token silently for my API App Registration from Microsoft that has an sts.windows.net issuer instead of the required login.microsoftonline.com issuer. The access token that I am getting initially from Microsoft Entra Sign in has the incorrect issuer as well, although the idToken, from the same response, does have the correct issuer. Do I need to set up an Identity Provider under Authentication in my Azure API App Service or iOS App Service? The authority defined in my iOS app is defined as https://login.microsoftonline.com/ + our tenant id. Why would there be two different issuers between the two tokens, and how can I avoid this?


  1. Kancharla Saiteja 5,485 Reputation points Microsoft External Staff Moderator
    2025-02-13T05:12:49.11+00:00

    Hi KGarvin,

    Thank you for posting your query on Microsoft Q&A. I am Saiteja from Q&A and will be assisting you with your query.

    Based on your query, I understand that you are receiving your access token with issuer as "sts.windows.net".

    There are two types of token formats in Azure: one is the v1 format, which gives you "sts.windows.net" as the issuer, and the other is the v2 format, which provides you "login.microsoftonline.com" as the issuer. Both are security token services from Azure AD, and v2 has been implemented to support additional features such as authenticating personal accounts and protocols like OpenID (which gives an ID token).

    If you are receiving a v1 token even when you are trying with the v2 endpoint, you need to change the accessTokenAcceptedVersion to 2 in the application manifest. You can find the same information in this link.

    In order to perform the change, please follow these steps.

    1. Log in to the Azure portal as a global admin.
    2. Go to Entra ID, under Manage choose App registration, and select the application.
    3. Scroll down on the left and select Application manifest at the bottom.
    4. Search for accessTokenAcceptedVersion and change the value to 2.

    Wait for a while, test the scenario and retrieve the token issuer. I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly "upvote it". If you have extra questions about this answer, please click "Comment".
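To diagnose the mismatch the question describes, it helps to look at the token's `iss` and `ver` claims and compare them with the issuer the API expects for its accessTokenAcceptedVersion. The following is an added example, not code from the question or the answer; the tenant id and the sample tokens are constructed placeholders, and the code reads the payload only (it does not verify the signature), so it is a diagnostic aid rather than an authorization check.

```python
"""Classify an Entra access token as v1 (sts.windows.net) or v2
(login.microsoftonline.com) from its claims. Diagnosis only: the payload is
decoded without signature verification, so never use this to authorize."""
import base64
import json

TENANT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder tenant id


def expected_issuer(tenant_id: str, version: int) -> str:
    """Issuer an API should expect for a given accessTokenAcceptedVersion."""
    if version == 2:
        return f"https://login.microsoftonline.com/{tenant_id}/v2.0"
    return f"https://sts.windows.net/{tenant_id}/"


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(token: str) -> dict:
    """Return the (unverified) payload claims of a compact JWT."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def detect_token_version(token: str) -> int:
    """Classify a token as v1 or v2 from its 'ver' and 'iss' claims."""
    claims = token_claims(token)
    ver, iss = str(claims.get("ver", "")), claims.get("iss", "")
    if ver.startswith("2") or ("login.microsoftonline.com" in iss and iss.endswith("/v2.0")):
        return 2
    if ver.startswith("1") or "sts.windows.net" in iss:
        return 1
    raise ValueError(f"unrecognised issuer {iss!r}")


def issuer_matches(token: str, tenant_id: str, accepted_version: int) -> bool:
    """True when the token's issuer is the one the API is configured to accept."""
    return token_claims(token).get("iss") == expected_issuer(tenant_id, accepted_version)


def make_unsigned_token(claims: dict) -> str:
    """Constructed test fixture with a dummy signature segment (never a real token)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.dummysig"


# Constructed samples: what the questioner saw (v1) and what the API wants (v2).
V1_TOKEN = make_unsigned_token({"iss": expected_issuer(TENANT_ID, 1), "ver": "1.0"})
V2_TOKEN = make_unsigned_token({"iss": expected_issuer(TENANT_ID, 2), "ver": "2.0"})
```

Run `issuer_matches(token, tenant, 2)` against a token your API rejected: a `False` result together with `detect_token_version(token) == 1` confirms the manifest still hands out v1 tokens.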

