(All IDs in the below example are made up. I've added them to illustrate the format for some of the parameters).
My tenant is at acme.co.uk, but I want the web app that I've got deployed at https://subdomain.acme2.co.uk to delegate authentication of users to Azure AD.
I registered my app as below using the new portal (the field names are those used on the Azure portal):
App ID URL: https://acme.co.uk/11111111-2222-3333-4444-555555555555
Home page URL: https://subdomain.acme2.co.uk/api/auth/aad
Reply URLs: https://subdomain.acme2.co.uk/api/auth/aad/callback
and created a secret key that doesn't expire with the value: '111111111111111111/aaaaaaaaaaaaaaaaaaaaaaaa='
I've been following the passport-azure-ad github sample using v1 endpoint as a guide.
{
allowHttpForRedirectUrl: false,
clientID: 'https://acme.co.uk/11111111-2222-3333-4444-555555555555', // this is the App ID URI; the resolution further down is that clientID must be the application ID (the GUID) instead
clientSecret: '111111111111111111/aaaaaaaaaaaaaaaaaaaaaaaa=',
identityMetadata: 'https://login.microsoftonline.com/acme.co.uk/.well-known/openid-configuration',
isB2C: false,
issuer: null,
loggingLevel: 'info',
passReqToCallback: false,
redirectUrl: 'https://subdomain.acme2.co.uk/api/auth/aad/callback',
responseMode: 'form_post',
responseType: 'code id_token',
skipUserProfile: true,
useCookieInsteadOfSession: false,
validateIssuer: true
}
When I go to 'https://subdomain.acme2.co.uk/api/auth/aad' in my browser I get redirected to MS to log in, which I then do, but when the redirect back to 'https://subdomain.acme2.co.uk/api/auth/aad/callback' happens, I'm not authenticated.
Inspecting the headers from the callback POST request I see:
In _validateResponse: jwt audience is invalid. expected: https://acme.co.uk/11111111-2222-3333-4444-555555555555,spn:https://acme.co.uk/11111111-2222-3333-4444-555555555555
Any ideas what I've done wrong??? [:-|
(Aside: Debugging this is a pain, as I'm running in docker and the redirects don't seem to work properly, so I have to deploy to a real environment ATM).
Ok found it... clientID: 'https://acme.co.uk/11111111-2222-3333-4444-555555555555' was the culprit.
That should be the app Id NOT the app Id URI. Doh. Many thanks to @Alex Blex for the guidance. This was most helpful.