EntraID token results in "The audience 'xxx' is invalid"


I've seen many answers around "audience xxx is invalid", but all these scenarios are either ancient or not really the same. I'm following the "Web API documentation | Microsoft identity platform" tutorial:

  1. ASP.NET - Register your API
  2. ASP.NET - Configure your API
  3. ASP.NET - Call your web API

or

  1. Call an ASP.NET Core web API with Postman

So... I've registered my app exactly per the instructions. Then I use Postman to create the token:

[Image: Postman token call]

But when the received token is used in an API call, I get "audience is invalid". If I decode the token itself, it says the aud is just the ApplicationId.

[Image: Postman API call]

When the registered app manifest had version set to null (`"accessTokenAcceptedVersion": null`), the token did show the audience as `api://{ApplicationId}`, but now that it's set to version 2 (`"accessTokenAcceptedVersion": 2`), it only ever returns the ApplicationId without the `api://` prefix. So I'm guessing it will never match the registered app.

I get the same result in my Swagger calls of the API as well.

How can I get a token that works??

[EDIT] Even if I select OAuth 2.0 Authorization in the Postman flow, which asks me to log in and then lets Postman do the subsequent calls to get the token, that new token also gets the same error. This leads me to think the Entra registered app is incorrect somehow. I will investigate there.

[EDIT2] Something is now different. I do the OAuth 2.0 login flow via Postman again, and the token now works. (??) Did something in Azure have to "settle"? lol. However, I set the Scope to the API (registered application as API) data read permission I set up, that the Web App (registered application as Web app) has access to (application permission and not delegated permission), and the Client Id set to the Web App Application Id. Now the token I get back includes that same scope:

{"token_type":"Bearer","scope":"api://{my API registered app GUID}/Data.Read","expires_in":4290,"ext_expires_in":4290,"access_token":"eyJ0e...yada yada"}

But I still can't just create a token without a user interaction to log in... but I'm getting hopeful.
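The audience mismatch described above comes from Entra ID emitting two shapes of `aud`: a v2 access token (`accessTokenAcceptedVersion: 2`) carries the bare client id, while a v1 token carries the `api://{ApplicationId}` form, so an API that only accepts one form rejects the other (in ASP.NET Core this is what `TokenValidationParameters.ValidAudiences` controls). The following added diagnostic, not part of the question or of any Microsoft sample, decodes the `aud` claim of a token without verifying its signature and checks it against both accepted forms; the GUIDs and the unsigned tokens are constructed placeholders, and a real API must still verify the signature and issuer before trusting any claim.

```python
import base64
import json

# Placeholder registration id, constructed for this example (not a real app).
APP_ID = "00000000-0000-0000-0000-000000000000"
# Placeholder id of some other resource, to show a token minted for the wrong app.
OTHER_APP_ID = "11111111-1111-1111-1111-111111111111"


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as used in JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding JWT segments drop, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped string with an empty signature for offline inspection only."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def token_audience(token: str) -> str:
    """Return the aud claim. No signature check: diagnostic use only."""
    payload = json.loads(b64url_decode(token.split(".")[1]))
    return payload["aud"]


def accepted_audiences(app_id: str) -> set[str]:
    """Both forms Entra ID emits: bare client id (v2) and api://<id> (v1)."""
    return {app_id, f"api://{app_id}"}


def audience_is_valid(token: str, app_id: str) -> bool:
    """True when the token was minted for this API in either audience form."""
    return token_audience(token) in accepted_audiences(app_id)


# Constructed tokens mirroring the two shapes the question describes,
# plus one issued for a different resource (the classic 'audience invalid' case).
V2_TOKEN = make_unsigned_token({"aud": APP_ID, "ver": "2.0", "scp": "Data.Read"})
V1_TOKEN = make_unsigned_token({"aud": f"api://{APP_ID}", "ver": "1.0", "scp": "Data.Read"})
WRONG_TOKEN = make_unsigned_token({"aud": OTHER_APP_ID, "ver": "2.0", "scp": "Data.Read"})
```

Paste a real access token into `token_audience` to see which form the API is actually receiving; if it is neither the client id nor `api://{client id}`, the token was requested with a scope belonging to a different resource.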
