
I have an App Service. I turned on App Service authentication using Azure Active Directory. I also already added the Application ID URI (from Azure AD) in the Allowed Token Audiences.

Here is the API that I used to generate the token.

POST /xxxxx/oauth2/v2.0/token/ HTTP/1.1
Host: login.microsoftonline.com

client_id=xxxx&client_secret=xxxxx&grant_type=client_credentials&scope=https://graph.microsoft.com/.default

Decoded token roles:

  "roles": [
    "User.ReadWrite.All",
    "Directory.Read.All",
    "Mail.Read"
  ],

Decoded header:

{
  "typ": "JWT",
  "nonce": "xx",
  "alg": "RS256",
  "x5t": "xx",
  "kid": "xx"
}

However, when I tried to log in to the App Service using that token, it returned an error (signature validation failed):

{ "code": 401, "message": "IDX10511: Signature validation failed. Keys tried: '[PII is hidden]'. \nkid: '[PII is hidden]'. \nExceptions caught:\n '[PII is hidden]'.\ntoken: '[PII is hidden]'." }

Did I miss something?

  • Please refer to https://stackoverflow.com/questions/55022474/azure-active-directory-authentication-function-app/55033947#55033947 – Jim Xu Aug 04 '20 at 05:14
  • The linked answer does indeed show the approach that you need to take. The main issue with your approach is that you are acquiring an access token for MS Graph API, not your API. Your API should only accept tokens meant for it, not for other APIs. MS Graph API tokens are also special, which is why the validation fails. So you need to change the scope when acquiring the token to match your API, and then configure your API with the correct valid audience. – juunas Aug 04 '20 at 05:35
  • Do you have any update? – Jim Xu Aug 05 '20 at 02:14
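The change juunas describes in the comments, as an added example (not code from the question or the comments): request the token with a scope built from your own API's Application ID URI plus /.default, and inspect a token's header and aud claim to see why the Graph token is rejected. The tenant, client id, App ID URI and both sample tokens are constructed placeholders; decoding here deliberately skips signature verification (inspection only), which App Service performs for you.

```python
import base64
import json
from urllib.parse import urlencode

# Hypothetical values; replace with your tenant, app registration and App ID URI.
TENANT = "contoso.onmicrosoft.com"
API_APP_ID_URI = "api://my-api"  # the Application ID URI listed in Allowed Token Audiences


def build_token_request(tenant, client_id, client_secret, app_id_uri):
    """v2.0 client-credentials request whose scope targets our API, not MS Graph."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
        # the question used https://graph.microsoft.com/.default here
        "scope": app_id_uri.rstrip("/") + "/.default",
    })
    return url, body


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def decode_unverified(token):
    """Split a JWT into header and payload WITHOUT checking the signature (inspection only)."""
    header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(header)), json.loads(_b64url_decode(payload))


def diagnose(token, allowed_audiences):
    """Return why App Service would reject this token, or 'ok' if audience matches."""
    header, payload = decode_unverified(token)
    if "nonce" in header:
        return "graph-token"  # header nonce, as in the question: a Graph token, not one for your API
    aud = payload.get("aud")
    if aud not in allowed_audiences:
        return f"wrong-audience:{aud}"
    return "ok"


# Constructed sample tokens (dummy signature segment): one like the question's, one for our API.
GRAPH_TOKEN = ".".join([
    _b64url_encode({"typ": "JWT", "nonce": "xx", "alg": "RS256", "kid": "xx"}),
    _b64url_encode({"aud": "https://graph.microsoft.com", "roles": ["Mail.Read"]}),
    "dummysig"])
API_TOKEN = ".".join([
    _b64url_encode({"typ": "JWT", "alg": "RS256", "kid": "xx"}),
    _b64url_encode({"aud": API_APP_ID_URI, "roles": ["Data.Read"]}),
    "dummysig"])
```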

0 Answers