

Which version of Microsoft Identity Web are you using?
Note that to get help, you need to run the latest version.
Microsoft Identity Web 0.3.1-preview

Where is the issue?

  • Web app
  • Sign-in users
  • Sign-in users and call web APIs
  • Web API
  • Protected web APIs (validating tokens)
  • Protected web APIs (validating scopes)
  • Protected web APIs call downstream web APIs
  • Token cache serialization
  • In-memory caches
  • Session caches
  • Distributed caches
  • Other (please describe)

Is this a new or an existing app?
  a. The app is in production and we want to upgrade to a new version of Microsoft Identity Web.

Repro

```csharp
// inside of Startup.cs -> ConfigureServices
// The web app signs users in and acquires tokens for the downstream API scope
// read from configuration (Configuration["Scope"]).
services.AddMicrosoftIdentityWebAppAuthentication(Configuration)
        .EnableTokenAcquisitionToCallDownstreamApi(new string[] { Configuration["Scope"] })
        .AddInMemoryTokenCaches();

// inside of Controller call
// _tokenAcquisition is the injected ITokenAcquisition; _Scopes holds the same scope(s)
// as above. HttpClient is the controller's HttpClient instance.
var token = await _tokenAcquisition.GetAccessTokenForUserAsync(_Scopes);
HttpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
HttpClient.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
var response = await HttpClient.GetAsync(requestUrl, HttpCompletionOption.ResponseHeadersRead);
// response is 401 Not authorized
```

Expected behavior
Response 200 OK with the data I need

Actual behavior
I have the Web API in a project, published on Azure, and the Web APP in a different project.
If I debug the APP and call an endpoint of the APIs I receive the 401 error.
In the debug output of the Web API I see the error message:

Bearer was not authenticated. Failure message: IDX10214: Audience validation failed. Audiences: '92e3d039-XXXX-XXXX-XXXX-6e360645ca06'. Did not match: validationParameters.ValidAudience: 'api://92e3d039-XXXX-XXXX-XXXX-6e360645ca06' or validationParameters.ValidAudiences: 'null'.

The only difference is that "api://" token.

Do you know what I am missing and why it works with the published APIs but not with the local ones?

I found the issue.

I set a custom App ID URI in the Azure AD App Registration and didn't set the Audience value as detailed in the documentation:
https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-protected-web-api-app-configuration
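As an added illustration (not from this issue or from the Microsoft Identity Web project), this is the `AzureAd` section of the web API's appsettings.json that produces the IDX10214 failure above, with the missing `Audience` entry added. The tenant ID, client ID and App ID URI are placeholders; the `//` comments are accepted by the ASP.NET Core JSON configuration provider.

```json
{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "TenantId": "00000000-0000-0000-0000-000000000000",
    "ClientId": "11111111-1111-1111-1111-111111111111",

    // Failing configuration: this key was absent. Without it the library validates
    // tokens against "api://{ClientId}" only, so a token whose aud claim carries the
    // App ID URI set in the app registration is rejected with
    // "IDX10214: Audience validation failed" (in the issue's log the aud was the
    // bare client ID, the ValidAudience was api://<client id>).
    //
    // Corrected configuration: Audience must be the exact App ID URI from the
    // app registration, i.e. the value that appears in the aud claim of the token
    // the API receives. Placeholder below; use your registration's value.
    "Audience": "<APP-ID-URI-PLACEHOLDER>"
  }
}
```

Compare the `Audiences:` value in the IDX10214 message with `Audience` here; they must match character for character, including any `api://` prefix.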