Tags: node.js, azure, authentication, adal, passport-azure-ad

passport-azure-ad: Why am I getting "jwt audience is invalid"?


(All IDs in the example below are made up. I've added them to illustrate the format of some of the parameters.)

My tenant is at acme.co.uk, but I want the web app that I've got deployed at https://subdomain.acme2.co.uk to delegate authentication of users to Azure AD.

I registered my app as below using the new portal (the field names are those used on the Azure portal):

App ID URL: https://acme.co.uk/11111111-2222-3333-4444-555555555555

Home page URL: https://subdomain.acme2.co.uk/api/auth/aad

Reply URLs: https://subdomain.acme2.co.uk/api/auth/aad/callback

and created a secret key that doesn't expire with the value: '111111111111111111/aaaaaaaaaaaaaaaaaaaaaaaa='

I've been following the passport-azure-ad github sample using v1 endpoint as a guide.

{
  allowHttpForRedirectUrl: false,
  clientID: 'https://acme.co.uk/11111111-2222-3333-4444-555555555555',
  clientSecret: '111111111111111111/aaaaaaaaaaaaaaaaaaaaaaaa=',
  identityMetadata: 'https://login.microsoftonline.com/acme.co.uk/.well-known/openid-configuration',
  isB2C: false,
  issuer: null,
  loggingLevel: 'info',
  passReqToCallback: false,
  redirectUrl: 'https://subdomain.acme2.co.uk/api/auth/aad/callback',
  responseMode: 'form_post',
  responseType: 'code id_token',
  skipUserProfile: true,
  useCookieInsteadOfSession: false,
  validateIssuer: true
}

When I go to 'https://subdomain.acme2.co.uk/api/auth/aad' in my browser I get redirected to MS to log in, which I then do, but when the redirect back to 'https://subdomain.acme2.co.uk/api/auth/aad/callback' happens, I'm not authenticated.

Inspecting the headers from the callback POST request I see:

In _validateResponse: jwt audience is invalid. expected: https://acme.co.uk/11111111-2222-3333-4444-555555555555,spn:https://acme.co.uk/11111111-2222-3333-4444-555555555555

Any ideas what I've done wrong??? [:-|

(Aside: Debugging this is a pain, as I'm running in docker and the redirects don't seem to work properly, so I have to deploy to a real environment ATM).


Solution

  • Ok, found it... clientID: 'https://acme.co.uk/11111111-2222-3333-4444-555555555555' was the culprit.

    That should be the app ID, NOT the app ID URI. Doh. Many thanks to @Alex Blex for the guidance. This was most helpful.