Azure active directory - Allowed token audiences

Question

I am trying find documentation on "ALLOWED TOKEN AUDIENCES" in Azure, but there does not appear to be any. The value that I have placed in there was the resourceid that was returned with the token.

What does this mean? any link to documentation will be much appreciated.

PS. the learning link on the actual page mentions nothing about this, and the screenshots appear to be older and do not have this field.

thanks in advance

Answer 1

I've been stumbling around the documentation, too. Here's what I've gotten to work with an Angular Front-end app that consumes a back-end API app.

In the front-end app, the user clicks a link and authenticates with Azure Directory. The token is kept in session in the browser.

Next, the user wants to interact with the API app.
Here's how:

• Go to the API App's App Service in Azure.
• Navigate to Authentication/Authorization
• Turn "ON" App Service Authentication
• Under Authentication Providers Select "Azure Active Directory"
• Choose "Advanced" button
• In the Client ID field insert the "Application ID" from your API App's Azure Active Directory App Registration. You should have registered the API app in Azure Active Directory, already.
• In the "Allowed Token Audiences" field insert the "Application ID" from your front-end app's Azure Active Directory App Registration. You should have registered the front-end app in Azure Active Directory, already.

Security is so important. It blows my mind how confusing the documentation is around this stuff. Owin/Katana looks like it's on the way out. Based on this configuration, you wont need any of it. The other sign that Owin is a goner is the massive breaking change related to Microsoft/System IdentityModel that seems impossible build, discern, fix, yada yada. I wish Microsoft would create an "endpoint" that would show what's out and what's in. and how to do this particular step. If you can get your apps to do this, it's real clean.