Debug with JSON Web Tokens

You can use various procedures to troubleshoot service authentication issues. A common procedure is to inspect the JSON Web Tokens (JWTs).

The first option is to capture the JWT from an HTTP request. You can use Fiddler and set up HTTPS capture to watch the HTTPS traffic from the client. Then find the Open Authorization (OAuth) JWT, which is the value of the HTTP Authorization header with the Bearer prefix removed.

You can also use a deserializer tool to examine the token contents. To do this, go to JWT.io and paste your JWT into the input section. Next, you can view the contents as name-value pairs and then verify that the displayed information is correct.

Use the following guide to verify your information:

  • aud - Corresponds to the Microsoft Entra ID resource concept. Two typical issues are that the aud segment of the JWT contains a Uniform Resource Identifier (URI) with a trailing slash, or that the aud uses incorrect capitalization.
  • appid - Corresponds to the Microsoft Entra ID Native Client App ID, which is sometimes referred to as the Service App ID.
  • upn - Corresponds to the user who is being authenticated through a Native Client App.
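
The checks in this guide can also be run locally, which keeps a live bearer token off any external site. The following Python sketch is an added example, not code from the original page: it decodes the payload of a captured Authorization header value and reports the aud, appid and upn problems listed above. It does not verify the signature; the function names, the expected values and the sample token are constructed for illustration.

```python
import base64
import json

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(authorization_header: str) -> dict:
    """Return the JWT payload claims. The signature is NOT verified."""
    token = authorization_header.strip()
    if token.lower().startswith("bearer "):
        token = token[7:].strip()
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))

def check_claims(claims: dict, expected_aud: str, expected_appid: str) -> list:
    """Compare aud/appid/upn with the expected values and list the findings."""
    findings = []
    aud = claims.get("aud", "")
    if aud != expected_aud:
        if aud.rstrip("/") == expected_aud.rstrip("/"):
            findings.append("aud differs only by a trailing slash")
        elif aud.lower() == expected_aud.lower():
            findings.append("aud differs only by capitalization")
        else:
            findings.append("aud does not match the expected resource")
    if claims.get("appid") != expected_appid:
        findings.append("appid does not match the expected client app ID")
    if not claims.get("upn"):
        findings.append("upn is missing")
    return findings

def make_sample_token(claims: dict) -> str:
    # Constructed, unsigned sample token for the demo (not a real credential).
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"

if __name__ == "__main__":
    # Constructed claims: aud carries the trailing slash described in the guide.
    sample = make_sample_token({"aud": "https://api.contoso.example/",
                                "appid": "00000000-0000-0000-0000-000000000001",
                                "upn": "user@contoso.example"})
    claims = decode_claims("Bearer " + sample)
    print(check_claims(claims, "https://api.contoso.example",
                       "00000000-0000-0000-0000-000000000001"))
```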