azure-active-directory, adal.js

AAD token: Why aud sometimes shows app id, sometimes it's the app url?


I'm using adal.js on my website for AAD authentication. After decoding the AAD token, the aud looks different: it's the app id in AAD. However, when I try to understand how AAD works in different scenarios, almost all of the documentation's examples of AAD tokens show aud as the resource url, like http://contoso.com/.

Based on my understanding, aud means who this token is issued for. There's no restriction on what it should actually be.

But I'm curious what the main reason is for this inconsistent behavior of aud from AAD.

Why can it be an app id sometimes, and a url sometimes? Why not the app id all the time or the url all the time?

Could someone help to share some thoughts?

Thanks.


Solution

  • ADAL.JS deals with 2 types of tokens: id_token and access_token. id_token represents the identity of the user who has signed in within your application. Very roughly, it contains just 2 pieces: the ID of the user who provided the credentials and the ID of the application which acquired the token. In the case of id_token, the value of aud is a Guid and corresponds to the AppId of the application that acquired the token. From the OAuth v2 point of view this is the same application which contains the resources the user wants to access.

    Speaking of access_token: it represents not only those 2 mentioned above, the user and the acquiring application, but also an application with a set of resources the user intends to access. This 2nd application, represented by the aud claim, will in the majority of cases be a Uri which represents the Service Principal Name (or App ID Uri or IdentifierUri; all of those are synonyms). This value is a way to point from a Client AAD App to a Server AAD App, the one containing the protected resources.

    So, ADAL.JS first asks for the user's credentials and acquires an id_token, and then it sends an additional request to the AAD endpoint to get an access_token. If you look into both of those tokens you will see a different kind of value in the aud claim, as explained above.

    It is also possible to have a Guid in the aud claim for access_tokens; that Guid will correspond to the AppId of the resource application, so if you have code which parses the value it must be ready to process not only Uris but also Guids.
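The last point above, as an added example that is not code from the question, the answer or adal.js: a resource (the Server AAD App) decodes the token's payload and checks aud against both of its own identifiers, the App ID Uri and the AppId Guid. All GUIDs and tokens below are constructed placeholders; the signature is not verified here, which is a separate mandatory step before any claim is trusted.

```javascript
// Added example (not from the question, the answer or adal.js): accept an aud
// claim that names this resource by either its App ID Uri or its AppId Guid.
// Decoding only; signature validation happens separately and is not shown.

function base64UrlDecode(s) {
  const pad = s.length % 4 ? '='.repeat(4 - (s.length % 4)) : '';
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/') + pad;
  return Buffer.from(b64, 'base64').toString('utf8');
}

function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Returns the parsed payload of a compact JWS; does NOT verify the signature.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 segments)');
  return JSON.parse(base64UrlDecode(parts[1]));
}

const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Guids compare case-insensitively; Uris compare exactly apart from a trailing
// slash, which AAD examples such as http://contoso.com/ commonly include.
function normalizeAud(a) {
  const s = String(a);
  return GUID_RE.test(s) ? s.toLowerCase() : s.replace(/\/+$/, '');
}

// aud may be one string or (per RFC 7519) an array; accept the token only if
// some entry names this resource by one of its acceptable identifiers.
function audienceAccepted(payload, acceptable) {
  const auds = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  const want = new Set(acceptable.map(normalizeAud));
  return auds.some((a) => want.has(normalizeAud(a)));
}

// Constructed sample tokens with a placeholder signature segment.
function makeSampleToken(payload) {
  const header = base64UrlEncode(JSON.stringify({ typ: 'JWT', alg: 'RS256' }));
  return `${header}.${base64UrlEncode(JSON.stringify(payload))}.sig`;
}

const CLIENT_APP_ID = '11111111-2222-3333-4444-555555555555';   // constructed
const RESOURCE_APP_ID = '66666666-7777-8888-9999-aaaaaaaaaaaa'; // constructed
const RESOURCE_APP_ID_URI = 'http://contoso.com/';
const idToken = makeSampleToken({ aud: CLIENT_APP_ID, sub: 'user1' });          // aud = client Guid
const accessTokenUri = makeSampleToken({ aud: RESOURCE_APP_ID_URI, sub: 'user1' });
const accessTokenGuid = makeSampleToken({ aud: RESOURCE_APP_ID.toUpperCase(), sub: 'user1' });

// What the resource's API would run on an incoming bearer token.
function resourceAccepts(token) {
  return audienceAccepted(decodeJwtPayload(token), [RESOURCE_APP_ID_URI, RESOURCE_APP_ID]);
}
```

The id_token is rejected by the resource because its aud is the client's AppId, while both access_token forms (Uri or Guid aud) are accepted.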