on-behalf-of flow, getting error AADSTS50013 while acquiring obo token
So basically I want to achieve the following:
Obviously, as the title states, this gives me issues - basically I'm getting the following error upon trying to get the OBO token on behalf of the user.
{
"error": "invalid_grant",
"error_description": "AADSTS50013: Assertion failed signature validation. [Reason - Key was found, but use of the key to verify the signature failed., Thumbprint of key used by client: 'XXXX', Found key 'Start=11/27/2024 09:04:39, End=11/27/2029 09:04:39', Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx'.
...
}
In the API app registration, I have done the following in Azure:
- "Expose an api" in the app registration blade:
- Added application ID URI
- Added the scope
access_as_user - Authorized the SPA client application with the scope
access_as_user
In the SPA app registration, I have done the following in Azure:
- "API permissions" in the app registration blade:
- Added and granted API
access_as_userpermission.
- Added and granted API
When I request the access token for the user, I notice that the audience assumes the following form:
"aud": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx",
rather than:
"aud": api://ID_OF_THE_API_ENDPOINT
I'm not sure if this is correct, nor do I know how I can get the correct audience, if it's incorrect.
When I'm requesting the OBO token in postman, I'm doing the following:
GET: https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token
Body:
- grant_type: urn:ietf:params:oauth:grant-type:jwt-bearer
- scope: api://ID_OF_THE_API_ENDPOINT/access_as_user
- client_secret: blabla
- assertion: user_access_token
- requested_token_use: on_behalf_of
- client_id: clinet_id
I have been over this multiple times, but I really can't seem to grasp what I'm missing.
I registered one API app registration and exposed an API by authorizing SPA client application with access_as_user scope:
In client SPA app registration, I added above custom API permission with consent like this:
For user access token, I used authorization code flow with PKCE that can be used as assertion value in OBO flow.
Initially, I ran below authorization request in browser and got code value in address bar after successful authentication:
https://login.microsoftonline.com/tenantId/oauth2/v2.0/authorize?
client_id=SPAappId
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope= api://xxxxxxxx/access_as_user
&code_challenge=xxxxxxxxx
&code_challenge_method=S256
Now, I used this code to generate access token using PKCE flow with below parameters via Postman:
POST https://login.microsoftonline.com/tenantId/oauth2/v2.0/token
grant_type:authorization_code
client_id:ClientSPAappId
scope: api://xxxxxxxx/access_as_user
code: <paste_code_from_above_step>
code_verifier:S256
redirect_uri: https://jwt.ms
For acquiring on-behalf-of flow access token to call Microsoft Graph, I used below parameters via Postman:
POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
client_id:APIappID
client_secret:APIappSecret
scope: https://graph.microsoft.com/User.Read
grant_type: urn:ietf:params:oauth:grant-type:jwt-bearer
assertion:<paste_token_from_above_step>
requested_token_use:on_behalf_of
You can now use this OBO token to call Microsoft Graph API as below:
GET https://graph.microsoft.com/v1.0/me/
Reference:
- VM has reported a failure when processing extension AzureDiskEncryption
- How to pass secrets downloaded from Azure KeyVault as parameters to an Azure Function?
- Trigger / queue build policy pipeline on ADO PR with Azure CLI
- Azure AD B2C Password Reset
- Batch create mailbox folders with GRAPH API (from Graph Explorer)
- Azure Web App on Linux: "Error: Container didn't respond to HTTP pings on port: 8080" - when using: "start": "pm2 start server.js"
- How can I apply name=value tags to service principals in Azure?
- Visual Studio Code: Could not find $web blob container for storage account
- Error when registering data factory integration runtime on windows VM
- Retrieve list of repositories and their tag versions in one call
- Getting Error while running Azure DevOps Pipeline "Error: building account: could not acquire access token to parse claims: clientCredentialsToken
- Create Resource Group with Azure Management C# API
- Azure LDAP Authentication Connection Refused On Cloud Server or Other Desktops
- Create a gpu nodepool on azure with a student account
- How to set redirect URLs to b2clogin.com for Azure Active Directory B2C in React JS application
- Cannot connect to SQL Server from logic app
- How to Resolve Errors When Running Python Jobs in Azure App Service WebJobs
- How do I open Kudu console in Azure functions consumption plan?
- Azure AutoML Image Classification Job
- Onedrive GRAPH API - 403 when getting user's OneDrive
- Azure Government Get incidents returns 401 Forbidden
- Delta Table Partitioning - why only for tables bigger than 1 TB
- How to check if an Azure storage queue has messages
- Azure WAF exclusion, what's the difference between RequestArgNames and RequestArgValues?
- How to order results of a query by the results of an aggregate function in ComosDb?
- Azure routing between different subscriptions - force one, common outbound IP and share Site-to-site (IPSec) defined in Virtual network gateway
- Bot Framework Python SDK ErrorResponseException: Operation returned an invalid status code 'Unauthorized'
- Azure DevOps - Create a work item from incoming email
- Error: "OrganizationFromTenantGuidNotFound" (even with Microsoft 365 subscription)
- How do I fix SerializationNotSupportedParentType and ThrowNotSupportedException_ConstructorContainsNullParameterNames exception in System.Text.Json?