I'm attempting to build an Azure Web App API where the user authenticates with a separate confidential client, and then requests to the server are sent on behalf of the user. However, when I receive the OBO token for the API, the aud claim of the token after being decoded on the server is the server app's client_id, not the App ID URI, despite passing in scopes with the appropriate URI, and as far as I can tell accurate registration. I've been testing with the .default scope, but have access_as_user and user_impersonation scopes made as well in an attempt to get something to work. The API consistently responds with a 401, and the issues only began after I changed the URI to one using a custom domain as opposed to the client_id during the transition so it was compatible with the common tenant. The registration for the common tenant is also completed and with the same custom domain.
When sending a request from Postman, I get the following server logged output:
2024-03-18T19:55:39.748969188Z {"name":"AzureAD: Bearer Strategy","hostname":"ed941fa7***1","pid":131,"level":30,"msg":"In Strategy.prototype.authenticate: we will validate the following options: {\"issuer\":[\"https://login.microsoftonline.com/<tenant_id>/v2.0\"],\"algorithms\":[\"RS256\"],\"audience\":[\"https://api.<domain_name>.com\"],\"validateIssuer\":false,\"allowMultiAudiencesInToken\":false,\"clockSkew\":300,\"isAccessToken\":true}","time":"2024-03-18T19:55:39.746Z","v":0}
2024-03-18T19:55:39.766017960Z {"name":"AzureAD: Bearer Strategy","hostname":"ed941fa7f071","pid":131,"level":30,"msg":"In Strategy.prototype.jwtVerify: token decoded: {\n header: { typ: 'JWT', alg: 'RS256', kid: 'XR***********************' },\n payload: {\n aud: <web-api-client_id>,\n iss: 'https://login.microsoftonline.com/<tenant_id>/v2.0',\n iat: 1710791016,\n nbf: 1710791016,\n exp: 1710794916,\n aio: 'E2NgYMi17GM/******3kyYbO4Fssfy8ks/ev4Ll2f******PpZsB',\n azp: <confidential_authorized_client-ID>',\n azpacr: '1',\n idtyp: 'app',\n oid: '507cba5f-****-****-****-9d3****27a6d',\n rh: '0.AVIAlpEaRswiQ0mJF5bFDLAJM5XsiATPJg9KuRhNhaXZg666AAA.',\n sub: '507cba5f-****-****-****-9d3****27a6d',\n tid: <tenant_id>,\n uti: 'AraEA3IShUWKWEypB7A0AA',\n ver: '2.0'\n },\n signature: 'qdRr****aaopHcECmrBenhUjRAV4QlCoV****uWvu1pjl3w****1Utp2eO3M-ovZ0TcSHEq4qkyI****4vA28tiw0etHDEZ-9_yhFb11Vco9Smu4pop5d__dR55mCz6vLyZ9_6Vn5A4gfQv6sC3DK75eFzTq2Icc1Cc9q9SZocfZh8nFhZ0Ecc_NWk5LDd1_Se8I-OTjLPyBnL566ghAeLGejNztuKnnJ2otP2qmF27flgz-ktp4eHJfUFLe07Lm7aHB8j5U5Zazv4EmCrnGmp98IAyn_Gl1US0sCyWEMr7ZYikywenxaEqsuo4TVSPgrEndVnvCVcov8-NpVeAg'\n}","time":"2024-03-18T19:49:27.086Z","v":0}
2024-03-18T19:55:39.766994858Z {"name":"AzureAD: Bearer Strategy","hostname":"ed941fa7f071","pid":131,"level":30,"msg":"authentication failed due to: jwt audience is invalid","time":"2024-03-18T19:55:39.766Z","v":0}
I'm using the https://login.microsoftonline.com/common/oauth2/v2.0/token token endpoint.
I am unsure why I can't seem to get the audience right no matter what tutorial I follow. Any ideas would be greatly appreciated.
I've tried changing the audience in the passportAzureAd.BearerStrategy back to the original client_id, but then my web app fatally crashes and I need to revert to an old instance. I have validate issuer off, I've tried a number of modifications to my manifest.
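An added example, not part of the question above and not code from passport-azure-ad, that reproduces the audience comparison visible in the log ("jwt audience is invalid") and shows how the expected aud value depends on the token version: Microsoft identity platform v2.0 access tokens name the API by its client ID, while v1.0 tokens use the App ID URI. It assumes Node.js 16 or later and no packages; the client ID, App ID URI, tenant and signature values are constructed placeholders, and the sample tokens are modelled on the claim shape in the logged payload.

```javascript
// Added example (not from the question or from passport-azure-ad).
// Assumes Node.js 16+ (Buffer "base64url" support). All identifiers are placeholders.
const API_CLIENT_ID = "11111111-2222-3333-4444-555555555555"; // placeholder API client_id
const API_APP_ID_URI = "https://api.example.com";              // placeholder App ID URI

function base64UrlJson(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64url");
}

// Build a compact JWS with a dummy signature. A real token must have its
// signature verified against the tenant's JWKS before any claim is trusted
// (BearerStrategy does that); it is omitted here because the point is the
// audience comparison that happens after decoding.
function buildSampleToken(payload) {
  const header = { typ: "JWT", alg: "RS256", kid: "placeholder-kid" };
  return `${base64UrlJson(header)}.${base64UrlJson(payload)}.dummy-signature`;
}

function decodePayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Audience values an API should expect for a given token version:
// v2.0 tokens always carry the API's client ID in aud; v1.0 tokens carry the
// App ID URI (or the client ID) depending on what the caller requested.
function expectedAudiences(payload) {
  switch (payload.ver) {
    case "2.0": return [API_CLIENT_ID];
    case "1.0": return [API_APP_ID_URI, API_CLIENT_ID];
    default: return [];
  }
}

// Mirrors the check in the log: the token's single aud must appear in the
// configured audience list, otherwise "jwt audience is invalid".
function matchesConfiguredAudience(payload, configuredAudiences) {
  const auds = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (auds.length !== 1) return false; // allowMultiAudiencesInToken: false
  return configuredAudiences.includes(auds[0]);
}

function inspectToken(jwt, configuredAudiences) {
  const payload = decodePayload(jwt);
  return {
    ver: payload.ver,
    aud: payload.aud,
    versionAppropriateAudience: expectedAudiences(payload).includes(payload.aud),
    acceptedByConfig: matchesConfiguredAudience(payload, configuredAudiences),
    // A delegated (on-behalf-of) token carries scp; an app-only token carries
    // roles instead and, when the optional claim is enabled, idtyp "app".
    delegated: typeof payload.scp === "string",
  };
}

// Constructed sample tokens (placeholder tenant, no real signature).
const V2_APP_ONLY_TOKEN = buildSampleToken({
  aud: API_CLIENT_ID, ver: "2.0", idtyp: "app", azpacr: "1",
  iss: "https://login.microsoftonline.com/placeholder-tenant/v2.0",
});
const V2_DELEGATED_TOKEN = buildSampleToken({
  aud: API_CLIENT_ID, ver: "2.0", scp: "access_as_user",
  iss: "https://login.microsoftonline.com/placeholder-tenant/v2.0",
});
const V1_TOKEN = buildSampleToken({
  aud: API_APP_ID_URI, ver: "1.0", scp: "user_impersonation",
  iss: "https://sts.windows.net/placeholder-tenant/",
});

function demo() {
  return [
    // Configured with the App ID URI, a v2.0 token fails the audience check.
    inspectToken(V2_APP_ONLY_TOKEN, [API_APP_ID_URI]),
    // Configured with the client ID, the same kind of token is accepted.
    inspectToken(V2_DELEGATED_TOKEN, [API_CLIENT_ID]),
    // A v1.0 token is the one that carries the App ID URI.
    inspectToken(V1_TOKEN, [API_APP_ID_URI]),
  ];
}

console.log(JSON.stringify(demo(), null, 2));
```

The `delegated` field is there because an on-behalf-of token should carry a `scp` claim for the user's granted scope; a payload with only `idtyp: 'app'` and no `scp` is the shape of an app-only (client credentials) token rather than a delegated one, which is worth checking alongside the audience when a 401 appears.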