Tags: azure-active-directory, power-automate, power-automate-custom-connector

Power Automate Custom Connector - Token Invalid, Invalid Audience


I have built a few custom connectors before but for some reason am having real issues getting a custom connector to authenticate against an API I have written.

The API is written in .NET Core 5, hosted as a WebApp in the same tenant I am trying to connect from. I've checked the authentication setup and the ClientId is pointing to the 37008370 client ID GUID in the below image.

This is how I am setting up the Auth in the connector: [screenshot]

I've connected to this API using a Blazor app so I think authentication is set up correctly.

When I try and set up the authentication for a custom connector though I get the following response:

    {
      "content-length": "0",
      "date": "Wed, 20 Oct 2021 10:11:51 GMT",
      "request-context": "appId=cid-v1:4e1e4b6a-ace8-48e9-8121-546d6e834953",
      "www-authenticate": "Bearer error=\"invalid_token\", error_description=\"The audience 'api://37008370-*********' is invalid\"",
      "x-ms-apihub-cached-response": "false",
      "x-powered-by": "ASP.NET"
    }

I think I have set up everything correctly and can't see where I am going wrong.

Any help appreciated.

Thanks

Stuart


Solution

  • The audience of the token should always match the client ID of the registered app. The cause of the error is the same. Audience is api://xxxx-xx and client id=3700-xxx. The resource can be an App ID GUID for the Resource, or a valid App ID URI which is registered on the Resource. AAD should be able to identify which resource you are trying to reach based on the value you provide.

    Note that if you use an App ID GUID, you will get a token from AAD where the Audience claim is the App ID GUID. Alternatively, if you use an App ID URI, you will see that URI as the audience claim in the token.

    So here you need to add clientId: api://xxxxx-xxxx (which is the Application ID URI present in the Expose an API blade of the Azure AD app registration portal) in the app settings of the code.

    The "aud" value generated for the token by Azure is also controlled by the "accessTokenAcceptedVersion" property in the AD application manifest.

    This property defines the version of the access token that will be generated. Check your JWT token at http://jwt.io. If you get this, check the manifest of your Azure AD app: the "accessTokenAcceptedVersion" property value is probably null or one, or should be two. If it is null, maybe adding the api:// prefix is to be considered; else the api:// prefix can be ignored.
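As an added diagnostic (not part of the question or the answer above), the check below decodes a token's "aud" and "ver" claims the way jwt.io does and compares them with the audiences the API accepts, reproducing the mismatch from the question (API accepts only the bare GUID, token carries api://<GUID>) and the fix (accept both forms). The client ID and the unsigned test tokens are constructed assumptions.

```python
import base64
import json

# Constructed sample client ID; the question's GUID is redacted.
CLIENT_ID = "11111111-2222-3333-4444-555555555555"

def b64url_decode(segment):
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt_claims(token):
    """Payload claims WITHOUT signature checking (what jwt.io shows).
    Use it to inspect 'aud' and 'ver', never to authorise a request."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))

def accepted_audiences(client_id, app_id_uri=None):
    """Audiences the API should accept: the bare App ID GUID (v2 tokens),
    api://<guid> (v1 tokens) and any custom App ID URI from 'Expose an API'."""
    auds = {client_id, "api://" + client_id}
    if app_id_uri:
        auds.add(app_id_uri)
    return auds

def diagnose_audience(token, accepted):
    """Explain why an API would reject this token with 'invalid audience'."""
    claims = decode_jwt_claims(token)
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    matched = [a for a in auds if a in accepted]
    if matched:
        hint = "audience accepted"
    elif any("api://" + a in auds for a in accepted):
        hint = ("v1-style aud api://<client id>: accept that form too, or set "
                "accessTokenAcceptedVersion to 2 so aud becomes the bare GUID")
    else:
        hint = "token was issued for a different resource"
    return {"aud": auds, "ver": claims.get("ver"), "ok": bool(matched), "hint": hint}

def make_test_token(claims):
    """UNSIGNED test JWT for offline inspection only; a real API must reject
    alg 'none'. The empty third part keeps the header.payload.signature shape."""
    def enc(obj):
        raw = base64.urlsafe_b64encode(json.dumps(obj).encode())
        return raw.rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."
```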