How do I solve audience (aud) invalid claim error for downstream api service?
Anyone have a luck in providing aud token different from the domain name of the api endpoint? My Blazor calls the asp.net app (api) and got the error:
It worked totally fine when I had api app Application id and Jwt's "aud" in a form of api://[GUID]/write.access
After I updated it to the domain name (need custom claims, which won't work without it) it stopped working throwing the error.
Where I updated the audience in Entra:
Application Id URI of the api app on Expose Api page
Downstream Api config of my Blazor app
I guess that should be enough. The only possible root cause that I have in mind is different domain names: api endpoint is https://someappname.azurewebsites.net/accounts, and from you can see on the screenshots attached it's different
You can set the expected aud claim value in JwtBearer like this:
.AddJwtBearer(opt =>
{
opt.Authority = _configuration["openid:authority"];
opt.Audience = "paymentapi";
...
this should be what the API should expect to see in the received access token.
I did write a blog post about this here: Troubleshooting JwtBearer authentication problems in ASP.NET Core
- Google OAuth 2 Error 400: redirect_uri_mismatch but redirect uri is compliant and already registered in Google Cloud Console
- Google APIs Console - missing client secret
- Automating access token refreshing via interceptors in axios
- Supabase does not append code parameter to the redirect URL after OAuth login
- How/why is login page redirect required?
- 3rd party cookies in Android 14/New Chrome using Angular/Firebase Auth/Hosting and NodeJs in Server
- Where can I find a list of scopes for Google's OAuth 2.0 API?
- Using ASP.Net Core Identity in parallel with OpenIdConnect OAuth2
- Spring security JWT without OAuth
- Add OAuth authentication for HTTP request triggers
- Get email, phone, etc from OAuth2 login
- BFF pattern for native apps in OAuth 2.0?
- Why is PKCE `code_verifier` calculated server-side in BFF pattern?
- Apache strips down "Authorization" header
- Fake Firebase Auth Tokens for Test Environment
- Access Not Configured for Google OAUTH Login
- Authenticating to Microsoft 365 SMTP servers via OAuth2 only works for users without MFA
- Getting user data through an Azure AD OAuth login - React Native Expo App
- Callback github URI with Oauth2 and Spring Boot 3.4.0 not found after authentication
- spring oauth client (v6.4.2): does not redirect to oauth-server
- NextJs: server component vs server action
- Why Does OAuth v2 Have Both Access and Refresh Tokens?
- Bot Framework Python SDK ErrorResponseException: Operation returned an invalid status code 'Unauthorized'
- DelegateAuthenticationProvider not found after updating Microsoft Graph
- How to generate and pass CSRF token for a route in spring cloud gateway with Spring Security
- How to set up an (Azure) OAuth2 application for personal Outlook.com accounts (Exchange) for usage with exchangelib?
- Is there a raw Http request way of OAuth2ing with Google?
- What is the purpose of the 'state' parameter in OAuth authorization request
- AWS API Gateway Access vs Id Token
- How to use the Requests OAuthlib with grant-type 'Client Credentials'?