
I am getting this error (`Bearer error="invalid_token", error_description="The audience 'xxxx-xxxx-xxxx-xxxx' is invalid"`) when attempting to access information from a registered API. The audience is the clientId of the registered API in Azure ADB2C. I have inspected the access token and it also has the same value against the aud key of the token.

My startup configuration is as follows in the app hosting the API:

    services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
        .AddMicrosoftIdentityWebApi(Configuration.GetSection("AzureAd"));

The web app calling the API has the following setup in the startup configuration

    services.AddAuthentication(AzureADDefaults.AuthenticationScheme);
    services.AddMicrosoftIdentityWebAppAuthentication(Configuration, "AzureAd")
        .EnableTokenAcquisitionToCallDownstreamApi(ScopeConstants.SCOPES)
        .AddDistributedTokenCaches();

  • Have you followed [this](https://learn.microsoft.com/en-us/azure/active-directory-b2c/configure-authentication-sample-web-app-with-api?tabs=visual-studio#step-4-configure-the-sample-web-api) - you need to put the expected AppId into the *appsettings.json* for the Web API App Registration. And in the Web App, you must put a scope value that is exposed on the Web API App Registration - shown [here](https://learn.microsoft.com/en-us/azure/active-directory-b2c/configure-authentication-sample-web-app-with-api?tabs=visual-studio#step-5-configure-the-sample-web-app). – Jas Suri - MSFT Oct 24 '21 at 11:45
  • @JasSuri-MSFT the process in the link provided does not work. The business case I am working on is indeed B2C but the current limitation that app roles aren't supported or included in bearer tokens means I can't use the user flow logic (i.e. SignUpSignInPolicyId). The standard AzureAd supports app roles but I am getting stuck on this. The scope value is represented as ScopeConstants.SCOPES in the web app configuration as already shared, i.e. `public static List<string> SCOPES = new List<string>() { ReadWrite, Read };` – David Onyango Oct 25 '21 at 18:57

1 Answer


I have managed to get a solution on this though it has no direct correlation with the basic AzureAd parameters setup. I had the following lines of code in my startup configuration. After removing them, the error disappeared.

    services.AddControllersWithViews(options =>
    {
        var policy = new AuthorizationPolicyBuilder()
            .AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme)
            .RequireScope(Configuration["AzureAd:Scopes"])
            .Build();
        options.Filters.Add(new AuthorizeFilter(policy));
    });
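The answer above removes the global `AuthorizeFilter` but leaves the scope check gone as well. The following is an added example (not the asker's code and not from Microsoft's sample) of a minimal .NET 6+ web API protected with Microsoft.Identity.Web that keeps audience validation where the library puts it (derived from `AzureAd:ClientId`) and moves the scope requirement to the endpoint with `[RequiredScope]` instead of a global filter. The tenant and client IDs are constructed placeholders, the `AzureAd` section is supplied in memory rather than from appsettings.json, and the `ValuesController` is hypothetical; it assumes the Microsoft.Identity.Web and Microsoft.AspNetCore.Authentication.JwtBearer packages and the web SDK's implicit usings.

```csharp
// Added example, not code from the question or answer.
// Assumes: .NET 6+ web SDK (implicit usings), Microsoft.Identity.Web,
// Microsoft.AspNetCore.Authentication.JwtBearer.
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.Resource;

var builder = WebApplication.CreateBuilder(args);

// Constructed in-memory stand-in for the "AzureAd" section of appsettings.json.
// ClientId must equal the `aud` claim the API expects (the API app registration's
// Application ID); Scopes lists the scope names that registration exposes.
builder.Configuration.AddInMemoryCollection(new Dictionary<string, string?>
{
    ["AzureAd:Instance"] = "https://login.microsoftonline.com/",
    ["AzureAd:TenantId"] = "00000000-0000-0000-0000-000000000000", // placeholder
    ["AzureAd:ClientId"] = "11111111-1111-1111-1111-111111111111", // placeholder
    ["AzureAd:Scopes"]   = "Read ReadWrite",
});

// Audience validation: Microsoft.Identity.Web builds ValidAudiences from ClientId
// (the bare GUID and the api://<ClientId> form), so no extra filter is needed for it.
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));

// Log the reason a bearer token was rejected on the server side, so an
// "audience invalid" failure is visible in the API's logs and not only in the
// WWW-Authenticate header returned to the caller.
builder.Services.Configure<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme, options =>
{
    options.Events ??= new JwtBearerEvents();
    options.Events.OnAuthenticationFailed = ctx =>
    {
        ctx.HttpContext.RequestServices
            .GetRequiredService<ILogger<Program>>()
            .LogWarning(ctx.Exception, "Bearer token rejected");
        return Task.CompletedTask;
    };
});

builder.Services.AddControllers();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();

// Hypothetical controller: authentication is required for every action, and the
// scope requirement is declared per endpoint, reading the same AzureAd:Scopes
// setting the question's global AuthorizeFilter used.
[ApiController]
[Route("api/[controller]")]
[Authorize]
public class ValuesController : ControllerBase
{
    [HttpGet]
    [RequiredScope(RequiredScopesConfigurationKey = "AzureAd:Scopes")]
    public IActionResult Get() => Ok(new { user = User.Identity?.Name });
}
```

With this layout a token carrying the wrong `aud` is rejected by the JWT bearer handler (and logged) before any controller runs, while a token with the right audience but none of the listed scopes gets a 403 from the `[RequiredScope]` check on that action only, which keeps the two failure modes distinguishable when troubleshooting.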