
I get the error "Access token validation failure. Invalid audience." For the application I set the API permissions to offline_access, openid, profile, User.Read. The user starts auth, goes to the MS auth site, is asked for login, password and grant.

After exchanging the code for an access token I receive

{'token_type': 'Bearer', 'scope': 'offline_access openid profile User.Read', 'expires_in': '3906', 'ext_expires_in': '3906', 'expires_on': '1653988700', 'not_before': '1653984493', 'resource': 'my_azure_client_id', ....}

Then I try to get the profile for the current user with this access token. As a result I get the error "Access token validation failure. Invalid audience."

Help please)

UPDATE: Configured permissions (image)

Alexey Panevin

1 Answer


The reason you get that error is that your token has the wrong audience.

Please check what token you are using to call Graph API.

I tried to reproduce the same in my environment. If you are using an ID token instead of an access token, you may get an error like below:


To know whether you are giving access token or id token, decode it in JSON Web Tokens - jwt.io.

For an access token, the aud claim will be "https://graph.microsoft.com" or "00000003-0000-0000-c000-000000000000"

For an ID token, the aud claim will be "your_app_client_id"

Choose the access token carefully with aud as "https://graph.microsoft.com" while calling Microsoft Graph API:


To get the profile for the current user, you can make use of the below query:

GET https://graph.microsoft.com/v1.0/me

I got the profile successfully using an access token like below:


Replace your scope with https://graph.microsoft.com/.default while generating access token to avoid confusion.

Reference:

oauth 2.0 - Microsoft Graph API: Access token validation failure. Invalid audience - Stack Overflow

UPDATE:

In order to get the authorization code, make the request with the scope changed like below:

https://login.microsoftonline.com/your_tenant_id/oauth2/v2.0/authorize?
client_id=your_client_id
&response_type=code
&redirect_uri=xxxxxx
&response_mode=query
&scope=https://graph.microsoft.com/.default
&state=12345
Sridevi
    Thanks! You are right. How do I get a code for aud = https://graph.microsoft.com/ – Alexey Panevin Jun 01 '22 at 06:11
  • After changing the authorize request I receive "aud": "00000002-0000-0000-c000-000000000000". Then I make a request to https://graph.microsoft.com/v1.0/me with the new access_token. The response is Access token validation failure. Invalid audience. My request for exchanging the code for an access_token is https://login.microsoftonline.com/tenant_id/oauth2/token with payload {'grant_type': 'authorization_code', 'client_id': 'some_client_id', 'redirect_uri': '...', 'code': 'some_code', 'scope': 'https://graph.microsoft.com/', 'client_secret': 'some_secret'} – Alexey Panevin Jun 01 '22 at 06:55
  • Please note that "aud": "00000002-0000-0000-c000-000000000000" means **Azure AD Graph API**, not **Microsoft Graph API**. Could you please include a screenshot of the API permissions you gave in the Portal? – Sridevi Jun 01 '22 at 07:01
  • Try using [**v2.0 token endpoint**](https://i.imgur.com/jw0n1Kk.png) to get the access token ! – Sridevi Jun 01 '22 at 08:38
  • After changing the version to "v2.0" the aud is ok! But from metadata receive . But I have a new problem like https://github.com/MicrosoftDocs/azure-docs/issues/14676 . – Alexey Panevin Jun 01 '22 at 10:30
  • And the token is ok. I make a request to "me". Only the "iss" field is incorrect. – Alexey Panevin Jun 01 '22 at 18:14
  • What error are you getting now using that token while making the request??? – Sridevi Jun 02 '22 at 00:03
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/245247/discussion-between-sridevimachavarapu-mt-and-alexey-panevin). – Sridevi Jun 02 '22 at 00:25
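The diagnostic the answer and comments walk through (decode the token, look at aud, decide whether it is a Microsoft Graph access token, a legacy Azure AD Graph token, or an ID token) as an added example; this is not code from the question or answer. The client ID and tokens are constructed samples, and the payload is decoded without signature verification, so it is for inspection only, never for authorization decisions.

```python
import base64
import json

# Audiences Microsoft Graph accepts, as stated in the answer above.
MS_GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}
# Legacy Azure AD Graph audience from the comments; Microsoft Graph rejects it.
AAD_GRAPH_AUDIENCE = "00000002-0000-0000-c000-000000000000"


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment of a compact JWT WITHOUT verifying the signature.
    Diagnostic only: claims from an unverified token must never be trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def classify_token(token: str, client_id: str) -> str:
    """Explain, from the aud claim, why Graph would accept or reject this token."""
    aud = decode_jwt_payload(token).get("aud")
    if aud in MS_GRAPH_AUDIENCES:
        return "access token for Microsoft Graph: usable against graph.microsoft.com"
    if aud == AAD_GRAPH_AUDIENCE:
        return "access token for Azure AD Graph (v1 endpoint): Microsoft Graph rejects it"
    if aud == client_id:
        return "ID token (aud is your own client_id): not an access token for Graph"
    return f"access token for another resource: aud={aud!r}"


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed sample JWT (alg=none, empty signature) for testing."""
    def seg(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."


if __name__ == "__main__":
    client_id = "11111111-2222-3333-4444-555555555555"  # constructed sample app id
    samples = {
        "graph access token": make_unsigned_token({"aud": "https://graph.microsoft.com"}),
        "aad graph token": make_unsigned_token({"aud": AAD_GRAPH_AUDIENCE}),
        "id token": make_unsigned_token({"aud": client_id}),
    }
    for name, tok in samples.items():
        print(f"{name}: {classify_token(tok, client_id)}")
```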