IDX10503: Signature validation failed with Microsoft Graph and Azure AD

I have an ASP.NET Core WebApi which uses Azure AD Bearer Tokens (passed by the Frontend, acquired using adal.js).
Currently, we are using the Azure AD Graph API and everything works fine.
As recommended by Microsoft, we would like to migrate from Azure AD Graph API to Microsoft Graph.
I changed the audience from https://graph.windows.net to https://graph.microsoft.com both in the API and Frontend. I can successfully acquire a token, which looks almost the same as the old one when decrypted in jwt.io, but when I pass it to the API I get:
Bearer was not authenticated. Failure message: IDX10503: Signature validation failed. Keys tried: 'Microsoft.IdentityModel.Tokens.X509SecurityKey
Did I miss something? As far as I know, it should be possible to sign in using the Microsoft Graph, right?

If I understood correctly, you have configured your API audience as the MS Graph API audience.
You should not do this.
Firstly, MS Graph API access tokens are a bit special and you should not try to validate them;
secondly, your API is not MS Graph API.
Your front-end should acquire an access token for your API.
This requires you to configure your API audience as either its client id or Application ID URI (or both).
Azure AD allows the front-end to acquire the token using either of those.
The API can then exchange that for an MS Graph API token using the On-Behalf-Of flow.

Related

How to get JWT Token from Azure multi-tenant application?

I created a multi-tenant app on the Azure Portal and am sending a request to get a token with the application's client Id. I am using the following URL to get a token from Microsoft Azure AD:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize
I am sending a GET request with the parameters client_id={clientId}&response_type=token&scope=user.read+openid+profile+offline_access
However, it is returning an access_token on the given callback URL:
http://localhost:8082/my-callback-url#access_token=EwCIA8l6BAAU6k7%2bXVQzkGyMv7VHB/h4cHbJYRAAATb8xtkaxI5xsVkWM6etOevj7ADopBYP1/hj%2bUz%2bf1ZXH4lpykHkES1XBRBDNRDWwdqAA%2brO2tFlMygiuusVx1EJKvqeV0rPPaNDNX9azpWGzS45BN6WmXKcxzX623enNYJOdo%2bYyTtaMipFapvABOsjHve1nVwfq9zqpmcldnIhXBeGefdQsgqmBNjeAyAbWzifLNtdz6Ybxnbt8nMY5adb82Z8tsfddfDdjrqk%2bu%2b85%2bxKXO9Xop3wdRvrVC9FM46RniA6H3NUKjOMTJAsX4IQLjGjXM4eq9o95lmSzF3zgFOXI1rYwkDRVsFsLOgP8tx0occDcuVPQgMalXR6JREDZgAACIJRWLYJGUcWWAKPx26NmroNGG1xEkPB1kLeGk0Hf8324YZs2InsGvQBFUMU4XzGGNdj0s5rLYKK2ictDstHV1daM241F1M5FiaX1qCgdRXneR9uPzUsSIBOzPJtT1dD4k%2bDxp6Nr4hEnDPlymp5X0SR4v5vUA3aRhnsvmEzBVQDKR7cFvT7NSqVHSr/tTv/epdx81qgJcd6S6xF8oaMc7mn76jgU4YBn8jXYnTfGhUvhNZ8RJyyl71AqZrGr7JS2kStselZUgjavLqc9DdQD9cwPSWu1ketKmGgCjt6lVB3nlaw8Wxq%2by2/YhPznTRFD2wj/vzDOdTzCcZ9mJV%2bKMGcXYQqBiGE0MF8%2bWA1EKSXniT5UiegTfJkvnsgtx6G6sdV0rzFM7Xa9d/dHNDfyV5oGedZtJXE1WCUrEIUZZm/HNhhQyh0WSG0gWm3vOY7NAs13vey9lcIQ6Fllu6W/Ty3HE4llFp/9a3lNcujmlxsCASFUOX6R54xPJMt1ipF5lh5uyZCPoUda46UsrCDnNRg0dhuoSVwJMDHzDbs4NXhX4nhTOze/9koz6p5Ao4DtJ20LqmcylZDoLxUhXIU5vvnBYpiHwanBt2E/rG%2bqVEQbRy/v9fhi0chY0XPzldIm/Lz2l0%2b0MpJ/4l53f9YTRLdEMD8X8Umi35ZvpK9arAqgdRkx4/oWG9m8sxOMY2eASetiAJaU8yjtETgHpBGJTXbDVDpNA1s5NGc9QC%2brcSnGDV0BKIDYxBISR8TiJQVUaPqbNU1Mj3kGyQFnfS0jS83VGVfFCZ4cHkhDq/awLh2JrR0Ag%3d%3d&token_type=bearer&expires_in=3600&scope=User.Read%20openid%20profile
How can I validate this access token? Or how can I get a JWT token instead?
Your scopes are user.read+openid+profile+offline_access.
That first one is a Microsoft Graph API scope.
It's actually shorthand for https://graph.microsoft.com/user.read.
So you will get an access token that is meant for Microsoft Graph API.
The other scopes you defined affect the id token (openid, profile) or get you a refresh token (offline_access).
This means you cannot and should not validate the token.
Only Microsoft Graph API should be validating this token, since the token is meant for it.
If you want an access token for your API, you need to use a scope defined in the API's app registration (Expose an API section).

Is the Azure Active Directory Access Token valid for ReAuthentication with a Custom WCF Policy?

I am retrieving an Azure AD access token using MSAL.js at the client and passing it as the Authorization header to a web API hosted in WCF API Management. But I get an error along with all the proper response as well as my username and email:
Cannot validate access token. IDX10501: Signature validation failed.
Key tried: 'System.IdentityModel.Tokens.X509AsymmetricSecurityKey
The API is a WCF service configured with a custom policy binding for OAuth with the metadataEndpoint or even the v2 version https://login.microsoftonline.com/{tenantid}/.well-known/openid-configuration.
I guess the Azure AD Access token that I have is not meant for validating authentication again.
My guess is I might be missing permissions on the App registration, but I couldn't find an API permission for exactly authentication/authorization.
I believe with the new Azure AD, we cannot authenticate in the earlier manner by just passing a token and need to use the MSAL standard libraries.
Could someone shed some more light on this?
I used an ID Token and then it worked. You get 2 tokens when authenticated so the ID token seems to work.

Azure AD returns Authentication_ExpiredToken on valid access token

I'm getting "Your access token has expired. Please renew it before submitting the request." when I call the https://graph.windows.net/myorganization/oauth2PermissionGrants?api-version=1.5 endpoint.
To prevent any stupid questions - Yes, I know that using Microsoft Graph is recommended instead of Azure AD Graph. I'm aware of it and I'm using it. But for my current case I need to request exactly Azure AD Graph.
Test case:
I successfully login on https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=.... and get code in the response.
I successfully exchange code and get access_token on https://login.microsoftonline.com/common/oauth2/v2.0/token.
I successfully make requests to any Microsoft Graph endpoint (i.e. https://graph.microsoft.com/education/me/classes).
I call https://graph.windows.net/myorganization/oauth2PermissionGrants?api-version=1.5.
I get the error Authentication_ExpiredToken: "Your access token has expired. Please renew it before submitting the request."
I successfully make requests to any Microsoft Graph endpoint, so the access_token is valid.
Based on this article: https://learn.microsoft.com/azure/active-directory/develop/active-directory-appmodel-v2-overview, I can use this access token to access both Microsoft Graph API as well as Azure AD Graph API.
So, I'm using v2.0 which should work for those: https://learn.microsoft.com/azure/active-directory/develop/active-directory-protocols-oauth-code.
What am I doing wrong?
Thank you!
A token used to call the Microsoft Graph cannot be used to call the Azure AD Graph API.
When you look at the access token from Azure AD, there is a parameter called aud which stands for "audience". This property tells the API receiving the token the valid audience for that token.
If I own an API, "WebAPI1", and I get a token where the audience is something else, like "WebAPI2", I should reject that token, and not give the client access to my APIs. The reasons for this behavior should be obvious, but it causes major security issues if this check does not occur.
The aud value for the Microsoft Graph is https://graph.microsoft.com/ while the aud for Azure AD Graph API is https://graph.windows.net/.
When requesting an access token, you need to specify which specific resource you want a token for using the scopes parameter. This and more information can be found here.
The solution here is to get a different access token for the different API, and your issues should be resolved.
Let me know if this helps!
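To see which of these cases applies to a token in hand (the IDX10503 question at the top of the page and the aud explanation just above), here is an added diagnostic in Python that is not from any of the posts: it reads the aud claim without verifying the signature and reports whether the token was minted for the API's own client id / Application ID URI, for one of the Graph APIs, or for something else. The API registration values and the test tokens are constructed placeholders.

```python
import base64
import json

# Audiences that Azure AD puts on tokens minted for the two Graph APIs (the URL forms are
# the ones quoted in the answers above; the GUIDs are the well-known first-party app ids).
GRAPH_AUDIENCES = {
    "https://graph.microsoft.com", "https://graph.microsoft.com/",
    "00000003-0000-0000-c000-000000000000",
    "https://graph.windows.net", "https://graph.windows.net/",
    "00000002-0000-0000-c000-000000000000",
}

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_claims(token: str) -> dict:
    """Read the JWT payload WITHOUT verifying the signature: diagnostics only,
    the API's JwtBearer middleware still performs the real signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))

def classify_audience(token: str, my_audiences: set) -> str:
    """'ok' if aud names this API (client id or Application ID URI), 'graph-token' if the
    token was minted for Microsoft Graph / Azure AD Graph, otherwise 'wrong-audience'."""
    aud = decode_claims(token).get("aud")
    auds = set(aud) if isinstance(aud, list) else {aud}   # aud may be a string or a list
    if auds & my_audiences:
        return "ok"
    if auds & GRAPH_AUDIENCES:
        return "graph-token"
    return "wrong-audience"

def make_unsigned_token(claims: dict) -> str:
    """CONSTRUCTED test token with a placeholder signature; only for feeding the checks above."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.sig"

if __name__ == "__main__":
    # Hypothetical API registration: its client id and its Application ID URI.
    my_api = {"11111111-2222-3333-4444-555555555555",
              "api://11111111-2222-3333-4444-555555555555"}
    for aud in ["https://graph.microsoft.com", "api://11111111-2222-3333-4444-555555555555"]:
        tok = make_unsigned_token({"aud": aud, "scp": "User.Read"})
        print(aud, "->", classify_audience(tok, my_api))
```

A result of "graph-token" means the front-end requested a Graph scope instead of a scope exposed by the API's own app registration; no key rotation or authority change will make that token validate.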

How to get an Azure AD Id_token over an Azure Mobile App?

I'm trying to get an Id_token over Azure Mobile App but I'm receiving a mobileServiceAuthenticationToken.
The mobileServiceAuthenticationToken is received by my iOS-App with the following implementation: Integrate Azure AD into an iOS app
I need the Id_token (with algorithm RS256) because my backend service (Java Spring Boot) needs to validate this token, which is not possible with the mobileServiceAuthenticationToken. The mobileServiceAuthenticationToken is based on algorithm HS256 (which needs a client secret) and does not allow requesting user information from Azure AD over the Microsoft Graph API.
Here is a link to the Microsoft reference for further information: Azure AD token reference
The id_token is not able to call the Microsoft Graph REST API. To call the Microsoft Graph REST API, we need to acquire the corresponding access_token for it, whose aud claim is https://graph.microsoft.com.
There are two kinds of flows for mobile authentication, client flow and server flow. Both of them should work in your scenario; however, the process is a little different.
Client flow:
For this flow, you can get the id_token and access_token for Microsoft Graph from Azure Active Directory first using the ADAL SDK. Then you can exchange the id_token with EasyAuth for the authentication token and log in to your mobile app.
Server flow: You can configure the mobile app to acquire the access_token for Microsoft Graph. Then you can implement a proxy in the mobile back-end. After that you only need to call the mobile back-end for both your own service and Microsoft Graph.
Here are some helpful articles about this topic:
How to: Authenticate users with the Active Directory Authentication Library
App Service Auth and the Azure AD Graph API

Azure AD Graph vs Microsoft Graph App Authorization Tokens

I have an application currently using the Azure AD Graph API. I would like to start migrating the app to Microsoft Graph. However, I would like to reuse the bearer tokens for hitting both the Azure AD Graph API and Microsoft Graph API.
How can I accomplish this? Currently it seems as if the apps must be registered in different portals for the different APIs respectively.
it seems as if the apps must be registered in different portals for the different api's respectively
This is not consistent with my experience. I have registered my Application in Azure Active Directory.
Using the Azure portal, I am able to get permissions to both the Microsoft Graph Api and the Windows Azure Active Directory API.
i would like to reuse the bearer tokens for hitting both the Azure AD Graph API and Microsoft Graph API.
You cannot use the same token for both the Azure AD Graph API and Microsoft Graph API.
In my code, I receive an access token via the following call:
    // ADAL: redeem the authorization code for an access token scoped to one resource.
    AuthenticationResult result = await authContext.AcquireTokenByAuthorizationCodeAsync(
        authorizationCode,
        redirectUri,
        CreateClientCredential(),
        resourceString   // the API the token is for; determines the token's aud claim
    );
The resourceString parameter is either https://graph.windows.net/ for the AD Graph API, or https://graph.microsoft.com for the Microsoft Graph API.
They are distinct resources, so you must manage two tokens, applying the appropriate token for each API call.