4

I keep getting a AuthenticationFailed error with a InvalidAuthenticationTokenAudience inner error when attempting to query the /environments endpoint.

I have already created an app in the Azure Active Directory, given it access in the time series insights management portal and I can already get an Oauth 2.0 Access token from the auth URL.

I have tried giving the token url the 'https://api.timeseries.azure.com/' resource/audience/scope but the API keeps returning the same error message:

{ "error": { "code": "AuthenticationFailed", "message": "Server failed to authenticate the request. The token has been obtained from wrong audience or resource.", "innerError": { "code": "InvalidAuthenticationTokenAudience", "message": "The access token has been obtained from wrong audience or resource '00000002-0000-0000-c000-000000000000'. It should exactly match (including forward slash) with one of the allowed audiences 'https://api.timeseries.azure.com/'." } } }

I'm using Postman with the Oauth 2.0 authentication type, the client credentials Grant Type and send as basic Auth Header option for the token request.

Has anyone tried this with success?

Update 01: The decoded (using JWT as suggested in comments) payload portion of one of the tokens shows the that the aud field is 00000002-0000-0000-c000-000000000000. Which is definitely wrong.

pablete
  • 1,030
  • 1
  • 12
  • 21
  • Could you decode your access token in https://jwt.io/ and provide the result in your question? – Joy Wang Nov 08 '18 at 03:03
  • @JoyWang The aud field has the wrong value (see question Update 01), but what else do you want to know from the decoded token? – pablete Nov 08 '18 at 12:43

1 Answers1

7

Based on the exception, it indicates that the resource is not matching https://api.timeseries.azure.com/ when acquire the access token.

So please make sure that the resource is https://api.timeseries.azure.com/, for more information please refer to the screenshot.

Get access token

enter image description here

I test Get environments API, it works correctly for me. 

GET https://api.timeseries.azure.com/environments?api-version=2016-12-12

enter image description here

Tom Sun - MSFT
  • 24,161
  • 3
  • 30
  • 47
  • Great it works. I was using postman's infrastructure to handle the token request and the subsequent call to the API. I was providing the resource value into the 'Scope' field of the Oauth 2 get new access token form of postman. I I were to use those, where should I include the resources I'm trying to get a token for? – pablete Nov 08 '18 at 12:30
  • What is the tenant id in the URL? https://login.microsoftonline.com//oauth2/token, is it the client_id or client_secret ? – Jyoti Prakash Mallick Aug 05 '20 at 12:33
  • 1
    @JYOTIPRAKASHMALLICK Please refer to [this thread](https://stackoverflow.com/questions/26384034/how-to-get-the-azure-account-tenant-id) to get more information about how to find azure tenant id. – Tom Sun - MSFT Aug 06 '20 at 02:39