I need help with this error: I am getting "message": "Access token validation failure. Invalid audience."
I am using the authorization code grant type in OAuth. I have mapped custom claims to the app using an Azure AD policy. So if I use scope = AppId/.default, then I get the custom claim in the token and the scopes the app has API permission for in Azure AD, such as user.read, directory.read. But with this, when I call the Graph API for a user profile to see membership ("https://graph.microsoft.com/v1.0/me/memberOf") I get the error "Invalid audience".
However, if I use scope = https://graph.microsoft.com/.default, then I am able to query, though the custom claim which is mapped to the app does not come up.
Any help would be appreciated.
The high-level overview of validating an access token looks like this: Retrieve and parse your Okta JSON Web Keys (JWK), which should be checked periodically and cached by your application. Decode the access token, which is in JSON Web Token format. Verify the signature used to sign the access token.
To call Microsoft Graph, your app must acquire an access token from the Microsoft identity platform. The access token contains information about your app and the permissions it has to access the resources and APIs available through Microsoft Graph.
There are two steps to verify the token. First, verify the signature of the token to ensure the token was issued by Azure Active Directory. Second, verify the claims in the token based on the business logic. For example, we need to verify the iss and aud claims if you are developing a single-tenant app.
Tokens can only have one audience, which controls which API they grant access to. The token for your app/API cannot be used for Graph. It isn't clear what your exact scenario is here, but if you're calling Graph from your app/API, you may want to look at the on-behalf-of flow to exchange your first token for a Graph token.
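The two validation steps described above (signature, then iss/aud/exp claims) and the one-audience rule can be reproduced offline. The following is an added example, not code from any of the posters or from Microsoft: it mints two constructed tokens that mirror the question, one with the app's own audience and one with the Graph audience, and runs both through a resource-side validator. To stay self-contained it signs with HS256 and a constructed secret, and the tenant id, app id and issuer are placeholders; a real Azure AD token is RS256-signed and the verifier fetches the public key from the tenant's JWKS endpoint instead.

```python
import base64
import hashlib
import hmac
import json
import time

# Placeholder values, constructed for this example only.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
GRAPH_AUDIENCE = "https://graph.microsoft.com"
MY_API_AUDIENCE = "api://11111111-1111-1111-1111-111111111111"
SIGNING_SECRET = b"constructed-demo-secret"  # stands in for the tenant's RS256 key + JWKS


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_token(claims: dict, secret: bytes = SIGNING_SECRET) -> str:
    """Build a compact JWT (header.payload.signature), HS256-signed for the demo."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_token(token: str, expected_aud: str,
                   secret: bytes = SIGNING_SECRET, now=None) -> dict:
    """Step 1: verify the signature. Step 2: verify iss, aud and exp.
    Returns the claims on success, raises ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three dot-separated segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token choose an algorithm you did not expect
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError(f"invalid issuer {claims.get('iss')!r}")
    # aud may be a string or a list; the token is only good for a resource it names
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        raise ValueError(f"invalid audience {aud!r}, expected {expected_aud!r}")
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def demo() -> dict:
    """Recreate the question: which of the two tokens would Graph accept?"""
    exp = int(time.time()) + 3600
    # scope = <AppId>/.default: aud is the app itself and the policy-mapped claim is present
    app_token = mint_token({"iss": ISSUER, "aud": MY_API_AUDIENCE, "exp": exp,
                            "scp": "user.read directory.read",
                            "custom_claim": "mapped-by-policy"})
    # scope = https://graph.microsoft.com/.default: aud is Graph, no custom claim
    graph_token = mint_token({"iss": ISSUER, "aud": GRAPH_AUDIENCE, "exp": exp,
                              "scp": "User.Read Directory.Read.All"})
    results = {}
    for name, tok in (("app_token", app_token), ("graph_token", graph_token)):
        try:
            validate_token(tok, expected_aud=GRAPH_AUDIENCE)
            results[name] = "accepted by Graph"
        except ValueError as err:
            results[name] = f"rejected by Graph: {err}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running `demo()` shows the app token rejected with "invalid audience" and the Graph token accepted, which is exactly the split in the question: the custom claim lives in a token whose audience is your own app, and Graph will not honour that token no matter what scopes it lists. Note that the validator checks the signature before reading any claim and pins the expected algorithm, so a token with a tampered payload or an unexpected `alg` is refused before the audience comparison runs.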