
I have two Azure Daemon apps. App A and App B.

App B works as expected. I call /oauth2/v2.0/token to get the access token. Then I decode the token and extract the roles.

App A does not. When I decode and validate the token it says "Invalid Audience".

When I use jwt.ms to look at the token, the difference is that App A is putting api:// in the aud portion and App B is not.

For example:

App A: { "aud":"api://3srlk3j..."}

App B: { "aud":"323f4lk2..."}

What is causing one to add api:// for one and not the other?

  • Most likely the app uri is not updated for App A and it is being used as the audience. Please check this from Azure App A and modify it accordingly. – Srinath Menon Oct 28 '21 at 02:38


The value of the audience is also controlled by accessTokenAcceptedVersion in the manifest file. When you decode the token, you can check whether the issuer is the v1 or v2 endpoint:

"iss": "https://login.microsoftonline.com/xxxxx/v2.0",

For example, here I have the v2 endpoint, so accessTokenAcceptedVersion in the manifest must be set to 2, whereas it is probably null or 1 by default.

"accessTokenAcceptedVersion": 2,

So please check the same for your web app A and set it accordingly (also check the same for web app B), and then try to generate the token.


Also, if the above alone doesn't solve the error, the problem might be the configuration data for the Web API. When we say the ClientId, it is the value under the "Expose an API" option where it says "Application ID URI". Depending on how you request the access token, the audience of the token might be either the client ID or the Application ID URI of the API.


Here, under "Expose an API", it has the App ID URI as api://xxxxx; the same must be set as the ClientId in the application's app settings.

{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "myportal.onmicrosoft.com",
    "TenantId": "mytenant-guid",
    "ClientId": "api://xxxxx"
  }
}

So please check that this matches in both applications (A and B) with their respective App ID URIs in their app registrations.

kavyaS
  • Thanks! I spent hours trying to figure this out. It was the acceptedTokenVersion attribute. –  Oct 28 '21 at 12:44
  • Made my day (well actually my week)! This issue was driving me crazy for a while now :S – hbertsch Feb 24 '23 at 12:45
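Checking the same thing from code, as an added example that is not from the answer above or from Microsoft's libraries: the helper below reads a token's payload the way jwt.ms does (no signature check), reports whether the issuer is the v1 or v2 endpoint, and compares aud with the ClientId the API is configured with. The tenant and client ids, and the token builder, are constructed placeholders for running offline.

```python
import base64
import json

# Constructed placeholder identifiers; not real tenant or application ids.
TENANT_ID = "00000000-0000-0000-0000-000000000001"
CLIENT_ID = "323f4lk2-0000-0000-0000-000000000002"
V1_ISSUER = f"https://sts.windows.net/{TENANT_ID}/"
V2_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_token(claims: dict) -> str:
    """Build an unsigned JWT-shaped string (constructed test input only)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def decode_claims(token: str) -> dict:
    """Read the payload claims without verifying the signature, as jwt.ms does.
    Real validation must also verify the signature, expiry and issuer."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose_audience(token: str, configured_audience: str) -> dict:
    """Report which audience form the token carries and whether it matches the
    ClientId the API validates against. A v2 issuer (.../v2.0) means
    accessTokenAcceptedVersion is 2 and aud is the bare client id; a v1 issuer
    means aud is the Application ID URI, api://<client id>. Azure AD emits aud
    as a single string, so a list-valued aud is not handled here."""
    claims = decode_claims(token)
    iss, aud = claims.get("iss", ""), claims.get("aud", "")
    version = 2 if iss.endswith("/v2.0") else 1
    prefix = "api://"
    alternate = aud[len(prefix):] if aud.startswith(prefix) else prefix + aud
    return {
        "token_version": version,
        "aud": aud,
        "accepted": aud == configured_audience,
        # The other form Azure AD emits for the same app: either set ClientId to
        # this value or change accessTokenAcceptedVersion so the forms agree.
        "alternate_aud": alternate,
    }
```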