[Bug] Web App call local API cause IDX10214: Audience validation failed. · Issue #559

link管理

链接快照平台

输入网页链接，自动生成快照
标签化管理网页链接

相关文章推荐

精明的显示器 · 空山基 | 創作者 | M+· 4 月前 ·

个性的大海 · 实况足球怎么金升黑，怎么提升黑球和金球球员数 ...· 5 月前 ·

豪气的薯片 · axure8如何共享团队项目 • ...· 5 月前 ·

知识渊博的打火机 · 利比里亚球星变总统足球先生维阿大选获胜-新华网· 7 月前 ·

道上混的沙发 · 贝力行· 1 年前 ·

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement . We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Which version of Microsoft Identity Web are you using?
Note that to get help, you need to run the latest version.
Microsoft Identity Web 0.3.1-preview

Where is the issue?

Web app

Sign-in users

Sign-in users and call web APIs

Web API

Protected web APIs (validating tokens)

Protected web APIs (validating scopes)

Protected web APIs call downstream web APIs

Token cache serialization

In-memory caches

Session caches

Distributed caches

Other (please describe)

Is this a new or an existing app?
a. The app is in production and want to upgrade to a new version of Microsoft Identity Web.

Repro

// inside of Startup.cs -> ConfigureService
services.AddMicrosoftIdentityWebAppAuthentication(Configuration)
            .EnableTokenAcquisitionToCallDownstreamApi(new string[] { Configuration["Scope"] })
            .AddInMemoryTokenCaches();
// inside of Controller call
var token = await _tokenAcquisition.GetAccessTokenForUserAsync(_Scopes);
HttpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
HttpClient.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
var response = await HttpClient.GetAsync(requestUrl, HttpCompletionOption.ResponseHeadersRead);
// response is 401 Not authorized

Expected behavior
Response 200 OK with the data I need

Actual behavior
I have the Web API in a project, published on Azure and the Web APP in a different project.
If I debug the APP and call an endpoint of the APIs I receive the 401 error.
In the debug output of the Web API I see the error message:

Bearer was not authenticated. Failure message: IDX10214: Audience validation failed. Audiences: '92e3d039-XXXX-XXXX-XXXX-6e360645ca06'. Did not match: validationParameters.ValidAudience: 'api://92e3d039-XXXX-XXXX-XXXX-6e360645ca06' or validationParameters.ValidAudiences: 'null'.
The only difference is that "api://" token.
Do you know what I am missing and why it works with the published APIs but not with the local ones?
          I found the issue.
I set a custom App ID URI in the Azure AD App Registration and didn't set the Audience value as detailed in the documentation:

https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-protected-web-api-app-configuration