
I want to implement a client credential flow with Azure. I have registered two apps in Azure (MyApi and MyClient). The app from MyClient sends a POST request to MS to get the token. I send a request with this token to the REST API server. The answer is always 401 Unauthorized - Bearer error="invalid_token" error_description="The signature is invalid".

This is my setup in Azure:

MyApi

Client ID: client_id_MyApi
Tenant ID: tenant_id
Application ID URI: api://MyApi
API permissions: Microsoft Graph -> User.Read
Expose an API -> Scopes: api://MyApi/accessAsUser
App roles: accessAsApplication

MyClient

Client ID: client_id_MyClient
Tenant ID: tenant_id
API permissions: Microsoft Graph -> User.Read, MyApi -> accessAsApplication

Config of the REST API server:

Program.cs
...
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(o =>
    {
        // Placeholder values as in the Azure setup above; the audience is the client id of MyClient
        o.Audience = "client_id_MyClient";
        o.Authority = "https://login.microsoftonline.com/tenant_id/";
        o.IncludeErrorDetails = true;
    });
...

FooController.cs

[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
[Route("Foo")]
[HttpPost]
public async Task Foo()
{
    await Task.Delay(1000);
    Console.WriteLine("!!!!!!!!!!!!!!!");
}

POST request to get a token from Microsoft:

POST https://login.microsoftonline.com/tenant_id/oauth2/v2.0/token HTTP/1.1

POST body:

grant_type=client_credentials&client_id=client_id_MyClient&client_secret=mysecret&scope=https://graph.microsoft.com/.default

Comment (Jan 29, 2024 at 10:24): Have you checked for typos in code? I spot 2 of them; Baerer and tenenat_id.

1 Answer

Note that a Microsoft Graph API token (aud https://graph.microsoft.com) is not meant to be validated by your application, as it is not meant for the application.

https://login.microsoftonline.com/TenantID/oauth2/v2.0/token

client_id:ClientID
client_secret:ClientSecret
scope:https://graph.microsoft.com/.default
grant_type:client_credentials


When I decoded the access token, I got an Invalid Signature error.

Hence you can avoid validating the access token for Microsoft Graph API.

You can validate the access token for your own API or application:

scope: api://ClientID/.default


Now I am able to validate the access token.

Reference:

spring security - Verify Signature with Azure AD - Stack Overflow by junnas
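As an added illustration that is not part of the question or the answer above: the script below decodes a bearer token's header and payload without verifying the signature and reports whether the `aud` claim matches the API's identifiers and whether the header carries the `nonce` that marks a token issued for Microsoft Graph (such tokens are not intended to be validated by third-party APIs, which is why signature validation fails for them). The two tokens, their `kid`/`nonce` values and the `EXPECTED_API_AUDIENCES` set are constructed for the example; v1.0 tokens for your own API carry the App ID URI as `aud`, v2.0 tokens carry the client id.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    """base64url without padding, as used by JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _make_unsigned_jwt(header: dict, payload: dict) -> str:
    """Build a JWT-shaped string with a dummy signature (constructed test data only)."""
    return ".".join([
        _b64url(json.dumps(header, separators=(",", ":")).encode()),
        _b64url(json.dumps(payload, separators=(",", ":")).encode()),
        _b64url(b"dummy-signature"),
    ])


# Constructed sample tokens mimicking the two cases in the thread (not real Azure tokens).
# Token obtained with scope=https://graph.microsoft.com/.default: aud is Graph, header has a nonce.
GRAPH_TOKEN = _make_unsigned_jwt(
    {"typ": "JWT", "alg": "RS256", "nonce": "constructed-nonce", "kid": "constructed-kid"},
    {"aud": "https://graph.microsoft.com",
     "iss": "https://sts.windows.net/tenant_id/",
     "appid": "client_id_MyClient",
     "roles": ["User.Read.All"]},
)
# Token obtained with scope=api://MyApi/.default: aud is the API's App ID URI, no nonce.
API_TOKEN = _make_unsigned_jwt(
    {"typ": "JWT", "alg": "RS256", "kid": "constructed-kid"},
    {"aud": "api://MyApi",
     "iss": "https://login.microsoftonline.com/tenant_id/v2.0",
     "azp": "client_id_MyClient",
     "roles": ["accessAsApplication"]},
)

# Identifiers the REST API should accept as its audience (assumed placeholders from the setup).
EXPECTED_API_AUDIENCES = {"api://MyApi", "client_id_MyApi"}


def decode_segment(segment: str) -> dict:
    """Decode one base64url JWT segment, restoring the padding that JWTs strip."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def inspect_token(token: str, expected_audiences: set) -> dict:
    """Diagnose why a bearer token would or would not pass the API's audience check.

    This only inspects claims to explain a 401; it does not verify the signature,
    so never use it as a substitute for real validation.
    """
    header_seg, payload_seg, _sig = token.split(".")
    header = decode_segment(header_seg)
    payload = decode_segment(payload_seg)
    aud = payload.get("aud")
    return {
        "aud": aud,
        "audience_matches": aud in expected_audiences,
        # A nonce in the header marks a token issued for Microsoft Graph; such tokens
        # are not meant to be validated by other APIs.
        "graph_token": "nonce" in header,
        "roles": payload.get("roles", []),
    }


if __name__ == "__main__":
    for name, tok in (("graph token", GRAPH_TOKEN), ("api token", API_TOKEN)):
        print(name, inspect_token(tok, EXPECTED_API_AUDIENCES))
```

Run against a real token from the thread's first request, the report shows `aud` = https://graph.microsoft.com and `graph_token` = True, which is exactly the token the API cannot validate; after switching the scope to api://MyApi/.default the audience matches and the `roles` claim carries accessAsApplication, which the API can then authorize on.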
