How to use the access token provided by Microsoft Identity?

idash 11 Reputation points
2022-06-22T15:33:15.317+00:00

Hi everyone, hope you are doing well!

I am building an application based on a SPA and a Web API that interact with each other. My SPA is successfully getting an access token from Microsoft Identity, and I can then use this access token to request the Web API.
I have two questions though:

  • How can I make the access token contain an audience claim with the app client ID of the Web API? Because so far the audience claim is set to a value that is neither my SPA's client ID nor my Web API's client ID, which is very weird...
  • How come this access token is easily decodable? I mean, shouldn't it be only Microsoft Identity and my Web API that possess the secrets to decode the access token?

Thank you for all your help!!

1 answer

  1. Shweta Mathur 30,426 Reputation points Microsoft Employee Moderator
    2022-06-26T10:37:11.223+00:00

    Hi @idash ,

    Thanks for reaching out.

    I understand you are looking for the audience claim, which identifies the intended recipient of the token for your protected Web API. "How can I make the access token contain an audience claim with the app client ID of the Web API? Because so far the audience claim is set to a value that is neither my SPA's client ID nor my Web API's client ID, which is very weird..."

    To authorize applications that have the right scopes and roles to call your Web API, the Web API must first expose at least one scope or one application role (in the case of a daemon application).

    To expose an API, navigate to the protected API you registered, set the Application ID URI, and expose at least one scope.


    This scope needs to be added as a permission to your registered SPA application so that it is authorized for the Web API's scope.


    While requesting the token, the api://<App Id URI>/Read value needs to be passed as the scope, so that the token carries the right audience intended for the protected Web API.


    "How come this access token is easily decodable? I mean, shouldn't it be only Microsoft Identity and my Web API that possess the secrets to decode the access token?"

    Access tokens are easily decoded by jwt.ms because these tokens are not encrypted; they are signed by Azure AD using a private key, and the signature can be verified with the corresponding public key. If anyone tries to change the token, the receiver will find out while verifying the token's signature.

    There is a StackOverflow thread where this has been explained in detail.

    Hope this will help.

    Thanks,
    Shweta

    ---------------------------------------

    Please remember to "Accept Answer" if answer helped you.

    1 person found this answer helpful.
