I am working on updating our API (core 3.1) auth to use the latest Microsoft Identity NuGet for use with MSAL for an Angular UI application. We have Azure Functions that will call into our APIs using a Managed Service Identity and have set up several new app registrations for each API to use with MSAL in Angular. The same APIs we call from an Azure Function will also be called from the Angular UI. The problem I am running into is that I need to accept up to four different audiences in order not to break auth for everything.
Audiences needed:
- client id of the API
- https://management.azure.com/ for MSI
- https://management.core.windows.net/ for MSI
- client id of another app registration we use to generate tokens for automation testing

I am attempting to set the audiences in a list as follows:

```csharp
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(options => { }, options =>
    {
        options.Authority = Configuration["Authentication:Jwt:Authority"];
        options.Instance = Configuration.GetSection("AzureAd")["Instance"];
        options.ClientId = Configuration.GetSection("AzureAd")["ClientId"];
        options.Domain = Configuration.GetSection("AzureAd")["Domain"];
        options.TenantId = Configuration.GetSection("AzureAd")["TenantId"];
        options.TokenValidationParameters.ValidateAudience = true;

        // Build the list of audiences we need to accept (API client id, MSI audiences, test app client id).
        var audience = new List<string>();
        audience.Add(Configuration["AzureAd:ClientId"]);
        audience.AddRange(new string[] { "https://management.azure.com/",
            "https://management.core.windows.net/", "other api client id" });
        options.TokenValidationParameters.ValidAudiences = audience;
    });
```
When I attempt to call an endpoint via Swagger using a token created by another app (#4), I get this error:

```
IDX10214: Audience validation failed. Audiences: 'System.String'. Did not match: validationParameters.ValidAudience: 'System.String' or validationParameters.ValidAudiences: 'System.String'.
```

I also noticed when looking at the context in the events that none of the audience values I set up at runtime are present when the events trigger. `ValidAudience` and `ValidAudiences` are both null.

I need to figure out how to persist these settings in the events, as my guess is that this is why the audience validation is failing.
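The following is an added example, not the asker's code or Microsoft.Identity.Web's own. It assumes the two-lambda overload `AddMicrosoftIdentityWebApi(Action<JwtBearerOptions>, Action<MicrosoftIdentityOptions>)`, where the first lambda configures the `JwtBearerOptions` that the bearer handler actually validates with and the second configures `MicrosoftIdentityOptions` (instance, tenant, client id). The `Authentication:Audiences` configuration key and the audience values are constructed placeholders. It also wires `OnTokenValidated` / `OnAuthenticationFailed` handlers that log the token's `aud` claim, so a rejected token can be traced to its audience rather than to the `System.String` rendering in `IDX10214`; whether Microsoft.Identity.Web chains rather than replaces caller-supplied events is assumed here, not verified against a specific version.

```csharp
// Added example (not the asker's code). Assumed: Microsoft.Identity.Web's
// AddMicrosoftIdentityWebApi(Action<JwtBearerOptions>, Action<MicrosoftIdentityOptions>)
// overload; the "Authentication:Audiences" key and sample audience values are constructed.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.Identity.Web;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;

    public IConfiguration Configuration { get; }

    // Builds the accepted audience list: the API's own client id first, then any extra
    // audiences from configuration. Kept as a separate method so it can be unit tested.
    public static IReadOnlyList<string> BuildValidAudiences(IConfiguration configuration)
    {
        // Assumed appsettings shape (constructed for this example):
        // "Authentication": { "Audiences": [ "https://management.azure.com/", "<other-app-client-id>" ] }
        var extra = configuration.GetSection("Authentication:Audiences").Get<string[]>() ?? Array.Empty<string>();
        var audiences = new List<string>();
        var apiClientId = configuration["AzureAd:ClientId"];
        if (!string.IsNullOrWhiteSpace(apiClientId))
        {
            audiences.Add(apiClientId);
        }
        audiences.AddRange(extra.Where(a => !string.IsNullOrWhiteSpace(a)));
        return audiences.Distinct(StringComparer.Ordinal).ToList();
    }

    public void ConfigureServices(IServiceCollection services)
    {
        var validAudiences = BuildValidAudiences(Configuration);

        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddMicrosoftIdentityWebApi(
                jwtOptions =>
                {
                    // JwtBearerOptions: this is the object whose TokenValidationParameters
                    // the bearer handler uses, so the audience list belongs here.
                    jwtOptions.TokenValidationParameters.ValidateAudience = true;
                    jwtOptions.TokenValidationParameters.ValidAudiences = validAudiences;

                    jwtOptions.Events = new JwtBearerEvents
                    {
                        OnTokenValidated = ctx =>
                        {
                            var logger = ctx.HttpContext.RequestServices.GetRequiredService<ILogger<Startup>>();
                            var aud = ctx.Principal?.FindFirst("aud")?.Value ?? "(none)";
                            logger.LogInformation("Bearer token accepted; aud={Audience}", aud);
                            return Task.CompletedTask;
                        },
                        OnAuthenticationFailed = ctx =>
                        {
                            var logger = ctx.HttpContext.RequestServices.GetRequiredService<ILogger<Startup>>();
                            // The exception message carries the IDX code; the configured list is logged
                            // alongside it so a mismatch can be diagnosed from one log line.
                            logger.LogWarning(ctx.Exception,
                                "Bearer token rejected; configured audiences: {Audiences}",
                                string.Join(", ", ctx.Options.TokenValidationParameters.ValidAudiences ?? Array.Empty<string>()));
                            return Task.CompletedTask;
                        },
                    };
                },
                identityOptions =>
                {
                    // MicrosoftIdentityOptions: only the app registration details go here.
                    Configuration.Bind("AzureAd", identityOptions);
                });
    }
}
```

One caveat worth weighing when the list includes `https://management.azure.com/` or `https://management.core.windows.net/`: a token with one of those audiences was issued for Azure Resource Manager, not for this API, so the API would accept any such token presented to it. Having the Managed Identity request a token for the API's own application ID URI instead keeps the audience list down to identifiers that name this API.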