I'm trying to validate an access token obtained from Azure Active Directory.
I obtained the token from https://login.microsoftonline.com/{{my tenant guid}}/v2.0
The issuer in the token that comes back is https://sts.windows.net//{{my tenant guid}}/ which doesn't match.
If I check that config at .well-known/openid-configuration the issuer is as expected https://login.microsoftonline.com/....
I've found a similar issue reported on GitHub here https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/560
The outcome from this is to manually edit the manifest JSON in the application registration in AAD and set "accessTokenAcceptedVersion": 2
I've done this but it has made no difference.
I've also seen similar questions here on Stack Overflow, but these are related to a difference in the tenancy guid - that is not the case here.
An access token contains claims that you can use in Azure Active Directory B2C (Azure AD B2C) to identify the granted permissions to your APIs. When calling a resource server, an access token must be present in the HTTP request. An access token is denoted as access_token in the responses from Azure AD B2C.
Security token service (STS) is a cross-platform open standard core component of the OASIS group's WS-Trust web services single sign-on infrastructure framework specification.
So it seems that changing the accessTokenAcceptedVersion to 2 in the manifest did change things, but it just took time to take effect.
And yes the audience is always the client id based on my tests in v2 tokens.
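As an added example (not from the question or either answer), a small Python diagnostic that decodes a token's payload and reports whether the token you received is a v1 token (sts.windows.net issuer) or a v2 token (login.microsoftonline.com issuer) for your tenant, and whether `aud` equals your client id. The tenant id, client id and sample token are constructed placeholders, and the two issuer formats are assumed from the question; signature verification against the tenant's signing keys is still required and is not done here.

```python
import base64
import json

# Constructed placeholder ids for this example, not real tenant or client ids.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"


def expected_issuers(tenant_id):
    """Issuer values for v1 and v2 AAD tokens (formats assumed from the question)."""
    return {
        "1.0": f"https://sts.windows.net/{tenant_id}/",
        "2.0": f"https://login.microsoftonline.com/{tenant_id}/v2.0",
    }


def decode_payload(jwt):
    """Return the claims of a compact JWT. Diagnostic only: no signature check."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))


def diagnose(jwt, tenant_id, client_id):
    """Report which token version came back and whether iss/aud match expectations."""
    claims = decode_payload(jwt)
    issuers = expected_issuers(tenant_id)
    iss, aud, ver = claims.get("iss"), claims.get("aud"), claims.get("ver")
    return {
        "ver": ver,
        "is_v1_token": iss == issuers["1.0"],
        "is_v2_token": iss == issuers["2.0"],
        "issuer_consistent_with_ver": issuers.get(ver) == iss,
        "audience_is_client_id": aud == client_id,
    }


def make_sample_token(claims):
    """Build an unverifiable sample token (dummy signature) to exercise diagnose()."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'RS256', 'typ': 'JWT'})}.{b64(claims)}.dummysig"


if __name__ == "__main__":
    # The symptom from the question: requested from the v2.0 endpoint, but a v1 token came back.
    tok = make_sample_token({"ver": "1.0", "iss": f"https://sts.windows.net/{TENANT_ID}/", "aud": CLIENT_ID})
    print(diagnose(tok, TENANT_ID, CLIENT_ID))
```

If `is_v1_token` is true for a token minted after setting `accessTokenAcceptedVersion` to 2, the manifest change has not propagated yet; a validator configured with the v2 issuer from .well-known/openid-configuration will keep rejecting such tokens until it does.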