
I need help with this error: I am getting "message": "Access token validation failure. Invalid audience."

I am using the authorisation code grant type in OAuth. I have mapped custom claims to the app using an Azure AD policy. So if I use scope = AppId/.default then I get the custom claim in the token, plus the scopes the app has API permission for on Azure AD, such as user.read, directory.read. But with this token, when I call the Graph API for a user profile to see membership ("https://graph.microsoft.com/v1.0/me/memberOf"), I get the error "Invalid audience".

However, if I use scope = https://graph.microsoft.com/.default then I am able to query, though the custom claim mapped to the app does not come up.

Any help would be appreciated.

Suuny

1 Answer


Tokens can only have one audience, which controls which API they grant access to. The token for your app/API cannot be used for Graph. It isn't clear what your exact scenario is here, but if you're calling Graph from your app/API, you may want to look at the on-behalf-of flow to exchange your first token for a Graph token.

Jason Johnston
  • Thanks for your reply. Yes, we are using the OBO flow; however, I was wondering if one token could be used in this case? My app has API permission to read data, so I thought it should be able to call the Graph API with the scopes it got in the token with the app ID audience. – Suuny Jun 22 '20 at 20:08
  • 1
    No, your token MUST have Graph as the audience. – Jason Johnston Jun 23 '20 at 14:16
  • 1
    Then what is the use of providing Graph API permission in the Azure AD portal when it is not in use? Having the permission to read directory data should satisfy the requirement if the app has those scopes in the token, and the audience should not be the issue. – Suuny Jun 25 '20 at 12:42
  • 1
    This is how JWT access tokens work per RFC: https://tools.ietf.org/html/rfc7519#section-4.1.3. "If the principal processing the claim does not identify itself with a value in the "aud" claim when this claim is present, then the JWT MUST be rejected." – Jason Johnston Jun 25 '20 at 18:45
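To make the RFC 7519 section 4.1.3 rule concrete, here is an added example (not code from the question, the answer, or Microsoft) that mints two tokens with the same scopes but different `aud` values and runs them through a resource-side validator standing in for Graph. It signs with HS256 and a constructed key purely for self-containment; Azure AD tokens are actually RS256-signed and validated against the tenant's published keys, and the app id and audience string used here are placeholders.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values: a fake signing key and a placeholder app id; none are real.
DEMO_KEY = b"demo-signing-key-not-real"
APP_ID = "00000000-0000-0000-0000-000000000000"   # placeholder app (client) id
GRAPH_AUDIENCE = "https://graph.microsoft.com"     # identifier the Graph-like resource expects

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(aud, scp: str) -> str:
    """Build an HS256-signed JWT carrying the given aud (string or list) and scp claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"aud": aud, "scp": scp}).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate_for_resource(token: str, my_identifier: str) -> dict:
    """Verify the signature, then apply RFC 7519 4.1.3: if 'aud' is present and does not
    contain this resource's own identifier, reject the token. Returns the claims on success."""
    header, payload, sig = token.split(".")
    expected = hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("invalid signature")
    claims = json.loads(_b64url_decode(payload))
    aud = claims.get("aud")
    if aud is not None:
        audiences = aud if isinstance(aud, list) else [aud]
        if my_identifier not in audiences:
            raise ValueError("Invalid audience")   # scopes are never consulted at this point
    return claims

def graph_accepts(token: str) -> bool:
    """Outcome the Graph-like resource produces: True if accepted, False if rejected."""
    try:
        validate_for_resource(token, GRAPH_AUDIENCE)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    app_token = mint_token(APP_ID, "user.read directory.read")
    graph_token = mint_token(GRAPH_AUDIENCE, "user.read directory.read")
    print("app-audience token accepted by Graph?", graph_accepts(app_token))      # False
    print("graph-audience token accepted by Graph?", graph_accepts(graph_token))  # True
```

The scopes in both tokens are identical; only the `aud` decides the outcome, which is why granting Graph permissions to the app is necessary but not sufficient and the on-behalf-of exchange for a Graph-audience token is still required.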