Generate token fails for Azure app which is both client and API (client credentials workflow)
We are not able to generate a token for an app which is at the same time offering an API and acts as a client for another app. We want to use the client credentials workflow in OAuth.
The app ApiAndClient has client credentials and the permission to use the api of app ApiApp. We granted the ApiAndClient app admin consent to use the api of ApiApp. We configured a redirect URI in ApiApp. When we want to issue a token for ApiAndClient, the following error message comes up:
{
"error": "invalid_request",
"error_description": "AADSTS501461: AcceptMappedClaims is only supported for a token audience matching the application GUID or an audience within the tenant's verified domains. Either change the resource identifier, or use an application-specific signing key.\r\nTrace ID: XXXXX\r\nCorrelation ID: XXXXXXXXX\r\nTimestamp: 2020-09-04 07:40:31Z",
"error_codes": [
501461
],
"timestamp": "2020-09-04 07:40:31Z",
"trace_id": "XXXXXX",
"correlation_id": "XXXXXX"
}
We compared the settings of both ApiAndClient and ApiApp to other apps, where the token works. There is one difference in the ApiApp, it has"acceptMappedClaims" set to true, other api app have set to null. If we set that to null, the error message changes:
"AADSTS50146: This application is required to be configured with an application-specific signing key. It is either not configured with one, or the key has expired or is not yet valid.\r\nTrace ID: xxxxxx\r\nCorrelation ID: xxxxxxx\r\nTimestamp: 2020-09-04 08:15:26Z",
Setting it to false does not change anything.
We have the suspicion, that the client app which acts also as a api might be the problem.
Keep acceptMappedClaims as true.
Now that ApiAndClient is also used as an API app, you should click on Expose an API and Set the Application ID URI, which will be treated as the tenant's verified domain.
- How to change the app name for Firebase authentication (what the user sees)
- Generate token fails for Azure app which is both client and API (client credentials workflow)
- Is it okay to encrypt a 3rd party access token and refresh token, in an encrypted JWT?
- Is a Client Secret Required for Google OAuth 2.0 using the PKCE Authorization Flow? Should I Expose the Client Secret Publicly?
- What is the purpose of a "Refresh Token"?
- Pagination with oauth azure data factory
- How to use supabase google auth provider in react naive expo app
- How to bypass keycloak login page and provide client suggested idp with spring security
- Issue with Discord OAuth2 redirect_uri component
- npm install error - invalid package.json
- Can I get the company name/logo with the LinkedIn API?
- PayPal REST API credentials of another business or party
- Configuring spring-boot-starter-oauth2-client to authenticate with Azure AD
- Problems logging into coinbase api with oauth2
- Azure authentification for multiple audience using WithExtraScopesToConsent and AcquireTokenSilent
- Microsoft OAuth authorization code flow CORS
- How to authorize a request to the FCM v1 API with an access token
- Error creating bean with name 'corsConfigurationSource'
- MailKit OAuth2 SMTP Office365 Send Mail
- Which the correct way to implement an API request
- Issue with assessing data in blob storage using OAuth tokens from a dotnet app
- How do you access a patient's data via FHIR API?
- Unable to refresh access token : response is "unauthorized_client"
- How do I connect to Exchange Online using OAuth 2.0 in MailKit?
- Unable to get authentication code from redirect url when authenticating with OAuth2 from .NET desktop app
- OAuth2AuthenticationException: [invalid_client] when try sign in with Apple in Spring Boot application
- I get this error:- Error 400: redirect_uri_mismatch even after I registered the URI in Google Gmail API OAuth 2.0
- Keycloak and Spring Boot web app in dockerized environment
- OAuth2 Client Certificate Credentials and OIDC Issue
- Spring Boot: How to persist user details collected from OAuth Service Provider to my database