Azure AD OAuth token wrong audience (client credentials flow)
I am trying to get a OAuth token (client_credentials flow) to be able to call my API. I cannot get the proper audience in the token.
In Azure AD, I created 2 App Registration. One to represent my API, the other one to represent my Client.
In my API App Registration, I exposes an API
As you can see in the screenshot I also added my Client App Registration as an "Authorized client applications".
I also added an App Role.
In my Client App Registration, I created a secret to authenticate.
I also added my API App Registration in the "API Permissions" and also Granted Admin Consent.
My problem is when I am trying to get a token from Azure AD. I do the following in Postman :
But the token I get does not contain the audience I specified. It contains the default "Graph API" Audience.
I've been reading on OAuth for the past 2 days but I can't figure out what I am doing wrong.
Also, please note that I cannot use the v2.0 endpoint because in the end, I do all this to be able to authenticate to my API in Power Automate and I don't have the option to use the v2.0 endpoint (and the resource or scope parameters).
Here's the token decoded
Any help will be greatly appreciated.
In summary, I will post it as an answer.
Like I said in the comments, if you are using the OAuth 2.0 protocol, when you use the v1.0 endpoint to request an access token, you should use the resource parameter instead of the audience parameter, because the audience parameter is not recognized by the OAuth 2.0 protocol. Even if you do not selected this parameter in postman, you should be able to obtain a default ms graph api token.
The audience parameter is commonly used in Auth0 organization, but it has some differences from the OAuth 2.0 protocol. The request URL of Auth0 is as follows:
curl --request POST \
--url 'https://YOUR_DOMAIN/oauth/token' \
--header 'content-type: application/x-www-form-urlencoded' \
--data grant_type=client_credentials \
--data client_id=YOUR_CLIENT_ID \
--data client_secret=YOUR_CLIENT_SECRET \
--data audience=YOUR_API_IDENTIFIER
- Azure App Service Plan CPU Spikes to 100%
- ASP.NET Core 3.1 Azure AD Authentication throws OptionsValidationException
- Attaching a private static ip address to Azure Container Instance
- Azure Synapse severless SQL pool - query execution fails
- How to login via Service Principal having Federated Credentials rather than Client Secrets
- Where can I find the resource id of an Azure function app in the Azure portal?
- How to forward access-control-allow-origin header from a Web App to a Front Door?
- Basic SQL commands in Terraform
- Running Azure functions locally gives "No runtime" error after .NET7 upgrade
- Azure DataSync tables not showing up
- Azure ML: Unable to find workspace
- unable to start 'Docker for windows' on Azure Win 10 VM
- How to enable virtualization in Azure VM
- Configuring AppSettings with ASP.Net Core on Azure Web App for Containers: Whither Colons?
- how to get v2 type token using msal python
- The mock in my pester test keeps calling Connect-AzAccount
- Submitting jobs with different parameters using command line databricks
- The app build failed to produce artifact folder Angular Azure Static Web App Deployment Issue
- azure function .python_packages missing
- Redeploy .NET Aspire project after resource cleanup
- Access Azure App Service with Client ID & Secret
- Download all files from Azure storage account
- Azure Frontdoor is Overwriting XFF header
- Azure pipeline stopped giving installable MAUI app
- How access Azure APIs
- functionTimeout not working in local.settings.json Azure Function in my local machine
- How do I display Azure Deployment Center log history in Grafana
- Azure Functions in .NET 7 (isolated) published to Azure, 0 functions loaded
- Unable to connect to the server: getting credentials: exec: executable kubelogin not found
- Split multiple tables from a single sheet in excel using data flows