Search code examples
angularjsasp.net-web-apiaccess-tokenadalsend-on-behalf-of

AADSTS50013: Assertion audience claim does not match the required value

I've got a single page app that authenticates users in Azure using adal-angular.js/adal.js [client].
The returned token is inserted into the auth header and passed to a web API [server]. This web api generates a new access token for the app using the on-behalf-of workflow (https://github.com/Azure-Samples/active-directory-dotnet-webapi-onbehalfof) This token is then used to call a downstream API [API1]. So the downstream API then repeats this process to get a new token to call another API [API2]. It's at this point that I'm getting the above error.

The aud value in the token passed from [client] to [server] is the application id of the [server] app. The aud value in the token passed from the [server] to [API1] is the Application URI of the [API1] app. So far so good.

When I call AcquireTokenAsync in [API1] app, I get the following error:

AADSTS70002: Error validating credentials. AADSTS50013: Assertion audience claim does not match the required value. The audience in the assertion was 'http://application_uri.com/' and the expected audience is 'snip-a1d5-e82e84f4e19e' or one of the Application Uris of this application with App ID 'snip-a1d5-e82e84f4e19e'

The relevant code from [API1]:

public static async Task<string> GetApplicationTokenOnBehalfOfUser(string appId, string appKey)
    {
        var clientCredential = new ClientCredential(appId, appKey);
        var bootstrapContext = ClaimsPrincipal.Current.Identities.First().BootstrapContext as
                System.IdentityModel.Tokens.BootstrapContext;
        var userName = ClaimsPrincipal.Current.FindFirst(ClaimTypes.Upn) != null ? ClaimsPrincipal.Current.FindFirst(ClaimTypes.Upn).Value : ClaimsPrincipal.Current.FindFirst(ClaimTypes.Email).Value;
        var userAccessToken = bootstrapContext.Token;
        var userAssertion = new UserAssertion(userAccessToken, _assertionType, userName);
        var authority = string.Format(System.Globalization.CultureInfo.InvariantCulture, _aadInstance, _tenant);

        var userId = ClaimsPrincipal.Current.FindFirst(ClaimTypes.NameIdentifier).Value;
        var authContext = new AuthenticationContext(authority, new TokenCache());

        var result = await authContext.AcquireTokenAsync(_resourceId, clientCredential, userAssertion);
        var accessToken = result.AccessToken;
        return accessToken;
    }

Where: appId = "snip-a1d5-e82e84f4e19e"

And the "aud" value from the BootstrapContext.Token is: "aud": "http://application_uri.com/"

If I change the above to use the "aud" value from the token as the appId in the ClientCredential, I get this error instead:

AADSTS65001: The user or administrator has not consented to use the application with ID 'http://application_uri.com/'. Send an interactive authorization request for this user and resource.

Am I doing this right? Thanks.

Solution

  • To get this working I had to add the following delegated permissions to API1 for AP2. Azure Permissions