The audience is invalid error

Question

I have 3 projects 1- Javascript SPA 2- Web API Project, 3- IdentityServer with EF Core

I started debugging API and Identity Server and successfully get the jwt token but, when I try to get value from API method which has Authorize Attribute I get an error:

WWW-Authenticate →Bearer error="invalid_token", error_description="The audience is invalid"

I could not found any property about audience in auth options. This is my configuration in API project

app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions
        {
            ApiSecret="secret",
            Authority = "http://localhost:5000",
            ApiName="fso.Api",
            RequireHttpsMetadata = false,
        });

And my Config.cs file in Identity

 public class Config
{        
    public static IEnumerable<ApiResource> GetApiResources()
    {
        return new List<ApiResource>
        {                
            new ApiResource()
            {
                Name = "fso.Api",                    
                DisplayName = "feasion API",
                Scopes =
                {
                    new Scope("api1"),
                    new Scope(StandardScopes.OfflineAccess)
                },
                UserClaims =
                {
                    JwtClaimTypes.Subject,
                    JwtClaimTypes.EmailVerified,
                    JwtClaimTypes.Email,
                    JwtClaimTypes.Name, 
                    JwtClaimTypes.FamilyName,
                    JwtClaimTypes.PhoneNumber,
                    JwtClaimTypes.PhoneNumberVerified,
                    JwtClaimTypes.PreferredUserName,
                    JwtClaimTypes.Profile, 
                    JwtClaimTypes.Picture, 
                    JwtClaimTypes.Locale, 
                    JwtClaimTypes.IdentityProvider,
                    JwtClaimTypes.BirthDate, 
                    JwtClaimTypes.AuthenticationTime
                }
            }
        };
    }
    public static List<IdentityResource> GetIdentityResources()
    {
        return new List<IdentityResource>
        {
            new IdentityResources.OpenId(),
            new IdentityResources.Email(),
            new IdentityResources.Profile(),
        };
    }

    // client want to access resources (aka scopes)
    public static IEnumerable<Client> GetClients()
    {
        return new List<Client>
        {
            new Client
            {
                ClientId = "fso.api",
                AllowOfflineAccess=true,
                ClientSecrets =
                {
                    new Secret("secret".Sha256())
                },
                AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,                    
                AllowedScopes =
                {                       
                   StandardScopes.OfflineAccess,                    
                   "api1"
                }
            }
        };
    }
}

score 29 · Accepted Answer · answered Jul 04 '17 at 15:35

See here for what this claim is about:

The aud (audience) claim identifies the recipients that the JWT is intended for. Each principal intended to process the JWT MUST identify itself with a value in the audience claim. If the principal processing the claim does not identify itself with a value in the aud claim when this claim is present, then the JWT MUST be rejected....

So your API's name must exist in the aud claim for the JWT to be valid when it is validated by the middleware in your API. You can use jwt.io to look at your token by the way, that can be useful to help make sense of it.

In order to have IdentityServer to add your API's name to the aud claim your client code (which is attempting to get a resource from the API and therefore needs an access token) should request a scope from your API. For example like this (from an MVC client):

app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
{
    Authority = Configuration["IdpAuthorityAddress"],
    ClientId = "my_web_ui_id",
    Scope = { "api1" },

    //other properties removed...
});

**jwt.io** link helped to find out that - with `.net core 2.2` + `Microsoft.AspNetCore.Authentication.AzureAD.UI` the **clientId** value needs `api://` prefixed. With `.net core 3.1` + `microsoft.identity.web` it works without api://` prefix. — Avi, Jul 11 '20 at 09:34

score 20 · Answer 2 · edited Jul 26 '21 at 09:44

To avoid the error, audience should be consistently added in 4 places

In My (e.g. MVC) client as custom Scope.
In API application as ApiName
In IdentityServer Clients configuration as AllowedScope
In API Resources configuration as ApiResource

See details ( previously available in IdentityServer4 wiki):

When configuring a new API connection in identityServer4, you can get an error:

WWW-Authenticate: Bearer error="invalid_token", 
error_description="The audience is invalid"

To avoid the error, Audience should be consistently added in 4 places

In My (e.g. MVC) client as custom Scope :

app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
{
  Authority = Configuration["IdpAuthorityAddress"],
  ClientId = "my_web_ui_id",
  Scope = { "openid", "profile", "offline_access", "MyApi" },               

//other properties removed for brevity...
});

In API application as ApiName

//Microsoft.AspNetCore.Builder.IdentityServerAuthenticationOptions
var identityServerAuthenticationOptions = new IdentityServerAuthenticationOptions()
{
  Authority = Configuration["Authentication:IdentityServer:Authority"],
  RequireHttpsMetadata = false,
  EnableCaching = false,
  ApiName = "MyApi",
  ApiSecret = "MyApiSecret"
};

In IdentityServer \IdentityServerHost\Configuration\Clients.cs (or corresponding Clients entry in the database)

var client = new Client
{
  ClientId = clientId,  
  //other properties removed for brevity...   
  AllowedScopes =
  {
    IdentityServerConstants.StandardScopes.OpenId,
    IdentityServerConstants.StandardScopes.Profile,
    //IdentityServerConstants.StandardScopes.Email,
    IdentityServerConstants.StandardScopes.OfflineAccess, "MyApi",
  },
};

In IdentityServer \IdentityServerHost\Configuration\Resources.cs (or corresponding ApiResource entry in the database) as apiResource.Scopes

var apiResource = new ApiResource
{
  Name = "MyApi",
  ApiSecrets =
  { 
    new Secret("MyApiSecret".Sha256())
  },
  UserClaims =
  {
    JwtClaimTypes.Name,
    JwtClaimTypes.Profile,
  },
};

Perhaps the link clarified everything, but since it seems dead... My understanding is that the name used in dbo.ApiResources should line up with the apiName in your API, while your client's named scope must align with (a) a scope listed in dbo.ApiScopes -- which itself must (via ApiResourceId) be child to your resource in dbo.ApiResources and (b) scope in dbo.ClientScopes. That said, the scope and resource names *need* *not* *be* *identical*. I've succeed (and gained sanity) with three values such as "Client" for client, "ApiResource" for the resource, and "ApiScope" for scope. — Wellspring, Jul 05 '19 at 22:01
So many [wrong] options in IdentityServer4, so little time :) This step by step approach lead me to the solution I needed (matching the API name to the scope in the IS config). If only they did not call everything a scope and use them for many different uses! — iCollect.it Ltd, Dec 22 '20 at 21:33
I'm scrutinizing your (greatly helpful) answer and as I'm analysing the implications of the contents for my specific case, I couldn't help myself taking the liberty to edit your contribution a bit (mostly highlighting and formatting). I hope you don't mind. (In fact, I hope that you regard it as an improvement and are delighted to see it.) — Konrad Viltersten, Jul 26 '21 at 09:00

score 3 · Answer 3 · answered Oct 23 '21 at 18:46

In your app configuration file in AD configuration section add "Audience" line:

"AzureAd": {
  "Instance": "https://login.microsoftonline.com/",
  "ClientId": "<-- Enter the Client Id -->",
  "Audience": "<-- Enter the Client Id -->",
  "TenantId": "<-- Enter the tenantId here -->"
}

In my case "ClientId" & "Audience" was the same.

P.S.: And if after that you'll see

IDW10201: Neither scope or roles claim was found in the bearer token

Add another line to AD configuration:

"AllowWebApiToBeAuthorizedByACL": true

More here

Helped me a lot. Thanks! I had to authenticate a Teams app (when running outside of teams) and my audience was like `api:///` — szab.kel, Nov 04 '21 at 08:30

score 0 · Answer 4 · answered Apr 08 '22 at 21:23

In IdentityServer had to add claim "aud" to the jwt Token. In Order to do that under .AddJwtBearer("Bearer", options => options.Audience="invoice" and set ApiResource

Reference Link https://identityserver4.readthedocs.io/en/latest/topics/resources.html#refresources

public static readonly IEnumerable<ApiResource> GetApiResources()
{
return new List<ApiResource>
{
    new ApiResource("invoice", "Invoice API")
    {
        Scopes = { "invoice.read", "invoice.pay", "manage" }
    }        
};
   }

score 0 · Answer 5 · answered Mar 09 '23 at 08:19

0

In case the authority is an IdentityServer3 but you are using and IdentityServer4.AccessTokenValidation a line must be added to the configuration as shown below

Hope this help someone.

answered Mar 09 '23 at 08:19

Angelo Chiello

35
9

The audience is invalid error

5 Answers5

Linked