Bearer Token from Microsoft has invalid signature
I want to implement a client credential flow with Azure. I have registered two apps in Azure(MyApi and MyClient). The app from myClient sends a POST-request to MS to get the token. I send a request with this token to the Rest-API server. The answer is always 401 Unauthorized - Baerer error="invalid_token" error_description="The signature is invalid".
This is my setup in Azure:
MyApi
Client ID: client_id_MyApi
Tenant ID: tenant_id
Application ID URI: api://MyApi
API-Permissions: Microsoft.Graph -> User.Read
Expose an API -> Scopes: api://MyApi/accessAsUser App roles: accessAsApplication
MyClient
Client ID: client_id_MyClient Tenant ID: tenant_id
Api-Permissions: Microsoft.Graph -> User.Read, MyApi -> accessAsApplication
Config of the REST-API Server:
Program.cs
...
builder.Services
.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(o =>
{
o.Audience = client id of MyClient;
o.Authority = "https://login.microsoftonline.com/tenenat_id/";
o.IncludeErrorDetails = true;
});
...
FooController.cs
[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
[Route("Foo")]
[HttpPost]
public async Task Foo()
{
await Task.Delay(1000);
Console.WriteLine("!!!!!!!!!!!!!!!");
}
Post-Request to get a token from Microsoft:
https://login.microsoftonline.com/tenant_id/oauth2/v2.0/token HTTP/1.1
POST-Body:
grant_type=client_credentials&client_id=client_id_MyClient&client_secret=mysecret&scope=https://graph.microsoft.com/.default
Note that: Microsoft Graph API token is not meant to be validated that is the aud
https://graph.microsoft.comas it is not meant for the application.
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
client_id:ClientID
client_secret:ClientSecret
scope:https://graph.microsoft.com/.default
grant_type:client_credentials
When I decoded the access token, I got Invalid Signature error:
Hence you can avoid validating the access token for Microsoft Graph API.
You can validate the access token for your own API or application:
scope: api://ClientID/.default
Now I am able to validate the access token:
Reference:
spring security - Verify Signature with Azure AD - Stack Overflow by junnas
- How memory address for pointer to arrays is same as an element in 2D array?
- How to use ellipsis in c's case statement?
- Fast & accurate atan/arctan approximation algorithm
- How can I exclude non-numeric keys? CS50 Caesar Pset2
- Fast ceiling of an integer division in C / C++
- Is there an invalid pthread_t id?
- How does SIMD (avx) processing work? for example, if I want 10 32 bit floats how do i fit in a 256 bit avx vector?
- FDCAN problems on STM32G4
- How does the call macro enable mutual recursion between functions f and g in this Hanoi Tower implementation?
- Running test on Rocket core CPU - global variable initialized to 0 is unsuccessful, output wrong value instead
- Interacting with C arrays without knowing the size
- Combination of two strings
- Avoiding strcpy overflow destination warning
- carriage return by fgets
- How to use special characters in C?
- Why does 1.0/100.0 == 0.1/10.0 give True?
- Is it correct to compare pointers in C?
- Force free() to return malloc memory back to OS
- How can I print to standard error in C with 'printf'?
- What is the standard behavior of fread in C on Windows?
- How is strtok removing lines it shouldn't have access to?
- Using array as smart point in C
- Assigning string to malloced 2d char array not working as intended
- How to refactor repetition inside a Makefile?
- Why does an empty preprocessor command still evaluate to something?
- How to implement variable sized array within C struct
- Character array typecasting to integer
- Handling HTTP Headers in a Minimal C HTTP Server
- How to get the sign, mantissa and exponent of a floating point number
- Why do MCU libraries use logic operations instead of bitfield structs?