I'm trying to validate an access token obtained from Azure Active Directory.

I obtained the token from https://login.microsoftonline.com/{{my tenant guid}}/v2.0

The issuer in the token that comes back is https://sts.windows.net/{{my tenant guid}}/, which doesn't match.

If I check the config at .well-known/openid-configuration, the issuer is as expected: https://login.microsoftonline.com/....

I've found a similar issue reported on GitHub here: https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/560

The outcome from this is to manually edit the manifest JSON in the application registration in AAD and set "accessTokenAcceptedVersion": 2.

I've done this but it has made no difference.

I've also seen similar questions here on Stack Overflow, but these are related to a difference in the tenant GUID; that is not the case here.

Twisted
  • You edited the app registration manifest for the API, right? That should change the token to v2. – juunas Jan 17 '20 at 17:06
  • Yes, I changed the manifest for both the client and the API. – Twisted Jan 18 '20 at 08:59
  • Can you show the code you are using to acquire the token? – juunas Jan 18 '20 at 09:06
  • I've just prepared an example token to post using jwt.io and the token now contains the expected issuer, e.g. https://login.microsoftonline.com. Strangely, the audience has changed from api://myapi to my clientId GUID. I haven't changed any of my code since posting the question, so I can only assume that setting "accessTokenAcceptedVersion": 2 actually worked but took several hours to come into effect. – Twisted Jan 18 '20 at 09:35
  • In case you would like to set this programmatically through the Graph SDK, I hope this answer will help: https://stackoverflow.com/a/69341905/2933389 – Paramesh Korrakuti Sep 27 '21 at 06:09

2 Answers

So it seems that changing accessTokenAcceptedVersion to 2 in the manifest did work, but it just took time to take effect.

And yes, the audience is always the client id based on my tests in v2 tokens.

juunas
  • How long does it take for this change to take effect? I made the change 30+ min ago and am still getting v1 tokens back from the v2 endpoint. – Bob Meyers Jul 10 '20 at 16:30
  • So you changed the accepted token version for the API you are asking the token for? – juunas Jul 10 '20 at 16:32
  • Yes, I set `"accessTokenAcceptedVersion": 2` in the manifest of the app registration ("client") I'm using in the token request. I am using `grant_type: password`, in case that matters. – Bob Meyers Jul 10 '20 at 16:36
  • @BobMeyers What is the `scope` you are using? The reason I'm asking is that it is important to set that property value on the app to which the token is requested, not the client app (unless the app is requesting a token for itself, of course). – juunas Jul 12 '20 at 12:45
  • Is there any way to set `"accessTokenAcceptedVersion": 2` programmatically instead of updating the manifest manually? – Paramesh Korrakuti Sep 27 '21 at 05:45
  • @ParameshKorrakuti Yes: az rest --method PATCH --headers "Content-Type=application/json" --uri https://graph.microsoft.com/v1.0/applications/$app_object_id/ --body '{"api":{"requestedAccessTokenVersion": 2}}' – Ahmed El Kilani Nov 02 '22 at 03:11
  • It's been more than 12 hours since I changed the manifest file, but the issuer URL is not yet updated :( – Viki Cullen Nov 15 '22 at 07:00
  • @VikiCullen Did it update in the end? If yes, after how much time? – alexv Jun 21 '23 at 12:53
If you are authenticating an API, then add the following code in the Startup class:

using Microsoft.AspNetCore.Authentication.JwtBearer;

// In Startup.ConfigureServices (or wherever services are registered):
return services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, options =>
    {
        // v2 authority: OpenID Connect metadata and signing keys are fetched from here
        options.Authority = "https://login.microsoftonline.com/<TenantId>/v2.0";
        // Audience of the tokens your API receives (App ID URI for v1 tokens, client id for v2)
        options.Audience = "<Audience>";
        // Azure AD still issues v1 tokens for this API, and their issuer uses the v1 STS form
        options.TokenValidationParameters.ValidIssuer = "https://sts.windows.net/<TenantId>/";
    });

The code above informs the handler of the correct issuer.
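The mismatch in the question (a v1 token with an sts.windows.net issuer and an api:// audience, received from the v2 endpoint) and the override in the answer above (hard-coding the v1 issuer) are easier to reason about once you look at the token's `ver`, `iss` and `aud` claims side by side with what the validator was configured for. The following is an added diagnostic example, not code from the question, the answers or Microsoft; the tenant id, client id and App ID URI are constructed placeholders, the tokens are constructed unsigned samples, and `decode_claims` deliberately does not verify a signature, so it is a troubleshooting step before real validation, not a replacement for it:

```python
import base64
import json

# Constructed sample identifiers for this example (not a real tenant or app).
TENANT_ID = "11111111-2222-3333-4444-555555555555"
CLIENT_ID = "66666666-7777-8888-9999-000000000000"
APP_ID_URI = "api://myapi"


def expected_issuer(tenant_id: str, version: str) -> str:
    """Issuer Azure AD writes into an access token of the given version."""
    if version == "1.0":
        return f"https://sts.windows.net/{tenant_id}/"
    if version == "2.0":
        return f"https://login.microsoftonline.com/{tenant_id}/v2.0"
    raise ValueError(f"unknown token version: {version!r}")


def valid_issuers(tenant_id: str) -> list:
    """Both issuer forms for one tenant, in a shape you can feed to
    TokenValidationParameters.ValidIssuers while an API is moved from v1 to v2."""
    return [expected_issuer(tenant_id, "1.0"), expected_issuer(tenant_id, "2.0")]


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Parse the payload of a compact JWT WITHOUT verifying its signature.
    Diagnostic only: never make an authorization decision on these claims
    before the signature has been validated against the tenant's signing keys."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def diagnose(token: str, tenant_id: str, configured_version: str,
             client_id: str, app_id_uri: str) -> dict:
    """Report whether a token would pass an issuer/audience check that was
    configured for `configured_version` ("1.0" or "2.0"), and if not, why."""
    claims = decode_claims(token)
    ver, iss, aud = claims.get("ver"), claims.get("iss"), claims.get("aud")
    if isinstance(aud, list) and len(aud) == 1:  # JWT allows an array; AAD issues a string
        aud = aud[0]
    want_iss = expected_issuer(tenant_id, configured_version)
    # v1 tokens carry the App ID URI as audience, v2 tokens carry the client id.
    want_aud = client_id if configured_version == "2.0" else app_id_uri
    problems = []
    if ver != configured_version:
        problems.append(f"token is ver {ver!r} but the validator expects {configured_version!r}; "
                        "set accessTokenAcceptedVersion on the API's app registration "
                        "(and allow time for it to propagate), or accept both issuers")
    if iss != want_iss:
        problems.append(f"issuer mismatch: got {iss!r}, expected {want_iss!r}")
    if aud != want_aud:
        problems.append(f"audience mismatch: got {aud!r}, expected {want_aud!r}")
    if claims.get("tid") != tenant_id:
        problems.append(f"tenant mismatch: tid={claims.get('tid')!r}")
    return {"ver": ver, "iss": iss, "aud": aud, "ok": not problems, "problems": problems}


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed alg=none token with an empty signature so the parser
    can be exercised offline. A real validator must reject alg=none."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed tokens: the v1 shape the question received from the v2 endpoint,
# and the v2 shape reported once accessTokenAcceptedVersion had taken effect.
SAMPLE_V1_TOKEN = make_unsigned_token({"ver": "1.0", "iss": expected_issuer(TENANT_ID, "1.0"),
                                       "aud": APP_ID_URI, "tid": TENANT_ID})
SAMPLE_V2_TOKEN = make_unsigned_token({"ver": "2.0", "iss": expected_issuer(TENANT_ID, "2.0"),
                                       "aud": CLIENT_ID, "tid": TENANT_ID})

if __name__ == "__main__":
    for name, tok in (("v1 token", SAMPLE_V1_TOKEN), ("v2 token", SAMPLE_V2_TOKEN)):
        print(name, "against a v2.0 validator:",
              diagnose(tok, TENANT_ID, "2.0", CLIENT_ID, APP_ID_URI))
```

Run against the v1 sample with a validator configured for v2.0, `diagnose` reports all three mismatches (version, issuer, audience) that the question and its comments describe; the same token passes against a v1.0 configuration. If you need to keep accepting v1 tokens during the propagation delay discussed in the first answer, prefer listing both results of `valid_issuers` in `TokenValidationParameters.ValidIssuers` over hard-coding a single `ValidIssuer`, so the API keeps working once Azure AD starts issuing v2 tokens. Signature verification (with the keys published at the tenant's jwks_uri) is still required before trusting any of these claims.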