Receiving invalid access token from Azure AD

Daan 6 Reputation points
2021-11-16T09:24:44.907+00:00

I am working on an application with the following components:

  • API (ASP.NET Core)
  • Website
  • Mobile app (Xamarin.Forms)

Users are authenticated with Azure AD, and should receive a bearer token to access the API. For the webpage, this is working as expected, but I can't seem to get it working for the mobile app.

I can authenticate using the Microsoft.Identity.Client (MSAL) library, and I do receive an access token. However, this access token is not accepted: calls to the API with this token return 401 Unauthorized, with the response header:

Www-Authenticate: Bearer error="invalid_token", error_description="The signature is invalid"
  • When I use the bearer token from the webapp hardcoded in the mobile app, it works.
  • When I compare the two tokens, I see that the token retrieved by the mobile app is a v1 token, as opposed to the v2 token that the webapp receives.

In the Azure App Registrations, I have a registration for all 3 components, and granted API permissions to the website and mobile app.

Authenticating and acquiring access token in the mobile app:

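// Build the MSAL public client for the mobile app.
// The authority is a B2C user-flow endpoint (b2clogin.com), so the access token
// it returns is issued and signed by the B2C tenant's keys. NOTE(review): the
// API manifest below has signInAudience "AzureADandPersonalMicrosoftAccount",
// i.e. it looks like a regular Azure AD registration; if the API validates
// tokens against that tenant's metadata it will not know the B2C signing key,
// which is consistent with the "signature is invalid" 401 — confirm the
// authority the API is configured with matches the one used here.
var app = PublicClientApplicationBuilder.Create(clientId)
    .WithRedirectUri("msal116d9cbe-88ef-4b73-bae2-0d21c10df305://auth")
    .WithIosKeychainSecurityGroup(this.configuration.IOSKeychainSecurityGroup)
    .WithB2CAuthority("https://testorganisation.b2clogin.com/tfp/testorganisation.onmicrosoft.com/B2C_1_SignupSignin/")
    .Build();

// Scopes requested for the token. The last entry is the API's exposed permission:
// the identifierUri from the API manifest plus the oauth2Permissions "value".
var scopes = new[]
{
    "openid",
    "email",
    "https://testorganisation.onmicrosoft.com/api/access_as_user",
};

// Silent acquisition only works for an account already in MSAL's cache.
// With no cached account, accounts is empty, FirstOrDefault() returns null and
// AcquireTokenSilent throws MsalUiRequiredException; the usual fallback is an
// interactive acquisition (AcquireTokenInteractive), which this snippet omits.
// The original snippet declared a local `app` but then used `this.app`; the
// same instance is used throughout here so the configured client is the one
// that actually acquires the token.
var accounts = await app.GetAccountsAsync();

// The token to send as the Bearer credential is result.AccessToken; the
// original snippet discarded the AuthenticationResult entirely.
var result = await app
    .AcquireTokenSilent(scopes, accounts.FirstOrDefault())
    .ExecuteAsync();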

API App Registration Manifest from Azure:

{
    "id": "b003da59-5a76-4083-99e6-bdb708feae16",
    "acceptMappedClaims": null,
    "accessTokenAcceptedVersion": 2,
    "addIns": [],
    "allowPublicClient": true,
    "appId": "9bf40874-747a-41d5-a3fe-2d0b1a3fcfa8",
    "appRoles": [],
    "oauth2AllowUrlPathMatching": false,
    "createdDateTime": "2021-10-27T08:32:35Z",
    "certification": null,
    "disabledByMicrosoftStatus": null,
    "groupMembershipClaims": null,
    "identifierUris": [
        "https://testorganisation.onmicrosoft.com/api"
    ],
    "informationalUrls": {
        "termsOfService": null,
        "support": null,
        "privacy": null,
        "marketing": null
    },
    "keyCredentials": [],
    "knownClientApplications": [],
    "logoUrl": null,
    "logoutUrl": null,
    "name": "testorganisation API",
    "oauth2AllowIdTokenImplicitFlow": false,
    "oauth2AllowImplicitFlow": false,
    "oauth2Permissions": [
        {
            "adminConsentDescription": "Access the testorganisation API as a user",
            "adminConsentDisplayName": "Access testorganisation API as user",
            "id": "1e8c2b96-7b60-4a32-9145-1083e1fba86b",
            "isEnabled": true,
            "lang": null,
            "origin": "Application",
            "type": "Admin",
            "userConsentDescription": null,
            "userConsentDisplayName": null,
            "value": "access_as_user"
        },
        {
            "adminConsentDescription": "Access the API as administrator",
            "adminConsentDisplayName": "Access testorganisation API as admin",
            "id": "63a54831-11a2-47f2-8e50-2872f1c25d5d",
            "isEnabled": true,
            "lang": null,
            "origin": "Application",
            "type": "Admin",
            "userConsentDescription": null,
            "userConsentDisplayName": null,
            "value": "access_as_admin"
        }
    ],
    "oauth2RequirePostResponse": false,
    "optionalClaims": null,
    "orgRestrictions": [],
    "parentalControlSettings": {
        "countriesBlockedForMinors": [],
        "legalAgeGroupRule": "Allow"
    },
    "passwordCredentials": [],
    "preAuthorizedApplications": [],
    "publisherDomain": "testorganisation.onmicrosoft.com",
    "replyUrlsWithType": [
        {
            "url": "https://localhost:5001/swagger/oauth2-redirect.html",
            "type": "Spa"
        }
    ],
    "requiredResourceAccess": [
        {
            "resourceAppId": "00000003-0000-0000-c000-000000000000",
            "resourceAccess": [
                {
                    "id": "37f7f235-527c-4136-accd-4a02d197296e",
                    "type": "Scope"
                },
                {
                    "id": "7427e0e9-2fba-42fe-b0c0-848c9e6a8182",
                    "type": "Scope"
                }
            ]
        }
    ],
    "samlMetadataUrl": null,
    "signInUrl": null,
    "signInAudience": "AzureADandPersonalMicrosoftAccount",
    "tags": [
        "notApiConsumer",
        "webApi"
    ],
    "tokenEncryptionKeyId": null
}

Mobile App Registration Manifest from Azure:

{
    "id": "1cc5a0bc-13dc-4101-9cff-ace48ad4865d",
    "acceptMappedClaims": null,
    "accessTokenAcceptedVersion": 2,
    "addIns": [],
    "allowPublicClient": true,
    "appId": "116d9cbe-88ef-4b73-bae2-0d21c10df305",
    "appRoles": [],
    "oauth2AllowUrlPathMatching": false,
    "createdDateTime": "2021-01-13T19:37:49Z",
    "certification": null,
    "disabledByMicrosoftStatus": null,
    "groupMembershipClaims": null,
    "identifierUris": [],
    "informationalUrls": {
        "termsOfService": null,
        "support": null,
        "privacy": null,
        "marketing": null
    },
    "keyCredentials": [],
    "knownClientApplications": [],
    "logoUrl": null,
    "logoutUrl": null,
    "name": "testorganisation Mobile App",
    "oauth2AllowIdTokenImplicitFlow": false,
    "oauth2AllowImplicitFlow": false,
    "oauth2Permissions": [],
    "oauth2RequirePostResponse": false,
    "optionalClaims": null,
    "orgRestrictions": [],
    "parentalControlSettings": {
        "countriesBlockedForMinors": [],
        "legalAgeGroupRule": "Allow"
    },
    "passwordCredentials": [],
    "preAuthorizedApplications": [],
    "publisherDomain": "testorganisation.onmicrosoft.com",
    "replyUrlsWithType": [
        {
            "url": "msal116d9cbe-88ef-4b73-bae2-0d21c10df305://auth",
            "type": "InstalledClient"
        }
    ],
    "requiredResourceAccess": [
        {
            "resourceAppId": "9bf40874-747a-41d5-a3fe-2d0b1a3fcfa8",
            "resourceAccess": [
                {
                    "id": "1e8c2b96-7b60-4a32-9145-1083e1fba86b",
                    "type": "Scope"
                }
            ]
        },
        {
            "resourceAppId": "00000003-0000-0000-c000-000000000000",
            "resourceAccess": [
                {
                    "id": "37f7f235-527c-4136-accd-4a02d197296e",
                    "type": "Scope"
                },
                {
                    "id": "7427e0e9-2fba-42fe-b0c0-848c9e6a8182",
                    "type": "Scope"
                }
            ]
        }
    ],
    "samlMetadataUrl": null,
    "signInUrl": null,
    "signInAudience": "AzureADandPersonalMicrosoftAccount",
    "tags": [
        "apiConsumer",
        "mobileApp"
    ],
    "tokenEncryptionKeyId": null
}