
I have a React app which can log a user in via Azure AD. After that, I send a request from the React app to my .NET Core MVC app with the Authorize header. But when I added the [Authorize] attribute to my controller, I get this error:

Bearer error="invalid_token", error_description="The signature is invalid"

All I need is for my backend app to check the scope or role from the JWT token and allow access to some data. I know that the JWT is correct and the React app logs the user in without any problems.

Similar issue to this one: https://forum.ionicframework.com/t/validating-token-signatures-in-asp-net-core/108226

Roma Pavliuk
  • Did you register your API in your AD tenant? – DFord Dec 08 '20 at 15:33
  • You mean my .NET Core app? – Roma Pavliuk Dec 08 '20 at 15:38
  • Yes, your .NET Core app – DFord Dec 08 '20 at 15:47
  • Nope. I registered only my React app. If I need to register the .NET Core app, I don't understand the whole flow... Now it's: React -> get token from Azure AD -> add Authorize header -> request to the .NET Core app. The .NET Core app should only check roles and claims from the JWT token and that's it. What is wrong in this flow? – Roma Pavliuk Dec 08 '20 at 16:00
  • Also, do you have the correct signing key in your .NET Core app? – DFord Dec 08 '20 at 20:53
  • Try to add `[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]` instead of `[Authorize]` – Carl Zhao Dec 09 '20 at 06:36
  • @DFord My React app successfully logged in to Azure AD. SigningKey - where should I get it? I only have the JWT token added in the header as Authorize. – Roma Pavliuk Dec 09 '20 at 07:32
  • @Carl Zhao, already tried. I have an error in my backend app: IDX10511: Signature validation failed. Keys tried: 'Microsoft.IdentityModel.Tokens.X509SecurityKey, KeyId: 'kg2LYs2T0CTjIfj4rt6JIynen38', InternalId: 'b66e6a03-9cca-4332-8780-263af82b519b'. , KeyId: kg2LYs2T0CTjIfj4rt6JIynen38 – Roma Pavliuk Dec 09 '20 at 07:40
  • @RomaPavliuk Please provide the URL where you get the access token. – Carl Zhao Dec 09 '20 at 08:16
  • @CarlZhao https://login.microsoftonline.com/${tenantId}/v2.0/.well-known/openid-configuration – Roma Pavliuk Dec 09 '20 at 08:21
  • How did you set up the `scope`? I saw that you have links to similar questions. Have you also registered two applications through AAD (MobileApp as a native application and WebAPI as a web application/API)? – Carl Zhao Dec 09 '20 at 08:31
  • @CarlZhao The scope params in my React app are: scope: "openid profile email". In the beginning I had only 1 app in Azure AD, and my React app logged in and everything worked fine. When I tried to send a request to my API, I had problems. Then I created one more app in my Azure AD for the API and linked it with the client app. But the issue is still here( I tried different ways in my API, but without any result. – Roma Pavliuk Dec 09 '20 at 08:38
  • You need to set the scope to: `api://{api app client id}/.default` – Carl Zhao Dec 09 '20 at 08:43
  • @CarlZhao When I add only this one scope, I get the error: ErrorResponse: AADSTS700053:+response_type+'id_token'+requires+the+'openid'+scope. When I add openid, the next error is: oidc-client.min.js:1 GET https://graph.microsoft.com/oidc/userinfo 401 (Unauthorized) – Roma Pavliuk Dec 09 '20 at 08:49
  • Go to AAD > your API app > Expose an API and provide a screenshot. – Carl Zhao Dec 09 '20 at 08:54
  • @CarlZhao Here I have only one scope: api://b7201ea4-a343-41de-baf2-cbc2c48ac2c9/access_as_user, and I have added this scope to my React app as the scope. After that I get a 401 error when trying to log in. – Roma Pavliuk Dec 09 '20 at 09:33
  • @RomaPavliuk Try: 1. Set the scope to: api://b7201ea4-a343-41de-baf2-cbc2c48ac2c9/access_as_user. 2. Add the client app to the API app. https://i.stack.imgur.com/8U5s4.png – Carl Zhao Dec 09 '20 at 09:38
  • @CarlZhao Added to API app -> Expose an API -> Authorized client applications -> new record with clientId (the id of my client app). Still 401 when my React app tries to log in on graph.microsoft.com/oidc/userinfo – Roma Pavliuk Dec 09 '20 at 09:48
  • @CarlZhao When I changed the scope to api://b7201ea4-a343-41de-baf2-cbc2c48ac2c9/access_as_user, I can't log in. – Roma Pavliuk Dec 09 '20 at 09:51
  • Issue was fixed! Thank you) – Roma Pavliuk Dec 09 '20 at 14:40
  • @RomaPavliuk How was it resolved? Experiencing the same problem here. – Bas Que Dec 10 '20 at 15:09

1 Answer

I summarize the comments and post them as an answer:

Usually the 401 error means that the audience of your token does not match your API. When you use such a token to call the API, you will receive a 401 Unauthorized error. The access token is issued based on the audience, so you must make sure to set the scope to your API when you request the token. Of course, you can also parse the token, check the aud claim, and make sure it is the API you want to call.

When you expose an API protected by Azure, you need to set the scope to your custom API, usually api://{api app client id}/{scope name}, and then you need to add the client application to the API application.


Carl Zhao
  • @RomaPavliuk You can mark it as an answer to end the thread ( click on the check mark beside the answer to toggle it from greyed out to filled in.) or you can post your own answer. – Carl Zhao Dec 12 '20 at 11:54
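As an added check following the answer's advice to parse the token and look at its aud claim (example code added here, not from the question or the answer): it decodes the JWT payload without verifying the signature and reports whether the token was issued for the API app (client id and scope name taken from the comments above) and carries the access_as_user scope. The sample tokens it builds are constructed and carry a placeholder signature; the real signature check stays with the JwtBearer middleware in the API.

```python
import base64
import json

# Values taken from the question's comments: the API app's client id and its exposed scope.
API_CLIENT_ID = "b7201ea4-a343-41de-baf2-cbc2c48ac2c9"
API_SCOPE = "access_as_user"

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying its signature.
    Only for inspecting which aud/scp a token carries before sending it;
    the API still relies on the JwtBearer middleware for the real validation."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))

def audience_matches_api(claims: dict, api_client_id: str = API_CLIENT_ID) -> bool:
    """True if 'aud' names the API, either as the bare client id or as its api:// URI."""
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    return any(a in {api_client_id, f"api://{api_client_id}"} for a in auds)

def has_scope(claims: dict, scope: str = API_SCOPE) -> bool:
    """True if the space-separated 'scp' claim contains the required scope."""
    return scope in claims.get("scp", "").split()

def diagnose(token: str) -> str:
    """Say why the API would reject the token, or 'ok' when aud and scp both fit."""
    claims = decode_claims(token)
    if not audience_matches_api(claims):
        return f"wrong audience: aud={claims.get('aud')!r}, expected {API_CLIENT_ID}"
    if not has_scope(claims):
        return f"missing scope {API_SCOPE}: scp={claims.get('scp')!r}"
    return "ok"

def sample_token(claims: dict) -> str:
    """Constructed sample JWT with a placeholder signature; it would never validate."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"
```

A token requested with only "openid profile email" is not issued for the API app, so diagnose() reports the wrong audience; one requested with api://{api app client id}/access_as_user passes both checks.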