Skip to main content

Making sense of Azure AD Endpoint and Token Versioning

"error=“invalid_token”, error_description=“The signature is invalid”" is the error which stared me in the face. I was trying to use an Azure AD access token to authenticate with a .NET Core Web API protected by Azure AD. I inspected the token in JWT tool and immediately it became apparent that Issuing Authority name was wrong. "iss":"https://sts.windows.net/<tenantId>", even though the token was requested from an Azure AD v2 endpoint. So what gives!

To understand what is happening, let's understand the history of Azure AD. AAD has undergone life cycle changes where it has moved from a v1 to v2 and re-branded itself as Microsoft Identity platform. As part of that the issuing authoring has changed from sts.windows.net to login.microsoftonline.com. As there were already many applications relying on AAD when this change was made, Microsoft decided to support both the versions. Now this is where AAD tries to be extra clever which is not apparent at first glance.

When you register an application in AAD, there is a manifest generated for it. It contains a key accessTokenAcceptedVersion whose value is set to null. This means this app accepts token issued in v1 format which contains the issuing authority as sts.windows.net. If your app requests for an access token for this resource (by specifying it in the Scope), the token will be issued in a v1 format even though the you are requesting it from a v2 endpoint! To get the token in a v2 format, change the accessTokenAcceptedVersion to 2.

Hopefully Microsoft changes the default behavior to return token based on the endpoint version you are requesting it from and not the accepted token version of the resource you are requesting it for.
Labels:

Comments

Post a Comment

As far as possible, please refrain from posting Anonymous comments. I would really love to know who is interested in my blog! Also check out the FAQs section for the comment policy followed on this site.

Popular posts from this blog

Creating a Smart Playlist

A few days earlier I was thinking that wouldn't it be nice if I had something which will automatically generate a playlist for me with no artists repeated. Also, it would be nice if I could block those artists which I really hate (like Himesh Reshammiya!). Since I couldn't find anything already available, I decided to code it myself. Here is the outcome -  This application is created entirely in .NET Framework 4/WPF and uses Windows Media Player Library as its source of information. So you have to keep your Windows Media Player Library updated for this to work. It is tested only on Windows 7/Vista. You can download it from here . UPDATE : You can download the Windows XP version of the application here . Please provide your feedback!
2 comments
Continue Reading >>

Integrating React with SonarQube using Azure DevOps Pipelines

In the world of automation, code quality is of paramount importance. SonarQube and Azure DevOps are two tools which solve this problem in a continuous and automated way. They play well for a majority of languages and frameworks. However, to make the integration work for React applications still remains a challenge. In this post we will explore how we can integrate a React application to SonarQube using Azure DevOps pipelines to continuously build and assess code quality. Creating the React Application Let's start at the beginning. We will use npx to create a Typescript based React app. Why Typescript? I find it easier to work and more maintainable owing to its strongly-typed behavior. You can very well follow this guide for jsx based applications too. We will use the fantastic Create-React-App (CRA) tool to create a React application called ' sonar-azuredevops-app '. > npx create-react-app sonar-azuredevops-app --template typescript Once the project creation is done, we
1 comment
Continue Reading >>

Serverless Generative AI: How to Query Meta’s Llama 2 Model with Microsoft’s Semantic Kernel and AWS Services

Generative AI is a type of artificial intelligence that can create new content such as text, images, music, etc. in response to prompts. Generative AI models learn the patterns and structure of their input training data by applying neural network machine learning techniques, and then generate new data that has similar characteristics. They are all the rage these days. 😀 Some types of generative AI include: Foundation models , which are complex machine learning systems trained on vast quantities of data (text, images, audio or a mix of data types) on a massive scale. Foundation models can be adapted quickly for a wide range of downstream tasks without needing task-specific training. Examples of foundation models are GPT, LaMDA and Llama . Generative adversarial networks (GANs) , which are composed of two competing neural networks: a generator that creates fake data and a discriminator that tries to distinguish between real and fake data. The generator improves its ability to fool the d
2 comments
Continue Reading >>