AzureAD JWT Token Audience claim prefix invalidates JWT token

I am using the adal-node npm package to authenticate with AzureAD. This all works fine, and I get a token back.

However, when I look at the "aud" claim in the JWT token, I see that the audience GUID is prefixed with "spn:". I think this is what causes me problems when I try to use the JWT token against an existing web API. When I authenticate through a web app using the same AzureAD, the "aud" claim does not have the "spn:" prefix, and I can call the endpoints in the web API.

Can anyone shed some light on this? This is the last obstacle to overcome after many headaches getting this to work.

Update:

Using the npm package 'azure-ad-jwt' to validate the JWT token against AzureAD as soon as I get it gives me the error I suspected: "JWT audience is invalid." It expects the "aud" claim not to have the "spn:" prefix. Where does this spn prefix come from?

Here is my app.js

var adal = require('adal-node');

var activeDirectoryEndpointUrl = 'https://login.microsoftonline.com/';

var options = {
    domain: '<AzureAD GUID>',                               // tenant ID
    activeDirectoryResourceId: '<AzureAD App Client ID 1>', // resource (the web API) the token is requested for; ends up in "aud"
    clientId: '<AzureAD App Client ID 2>'                   // this client application's ID; ends up in "appid"
};

var tokenCache = new adal.MemoryCache();
var authorityUrl = activeDirectoryEndpointUrl + options.domain;
// second argument enables authority validation against the known Azure AD endpoints
var context = new adal.AuthenticationContext(authorityUrl, true, tokenCache);

context.acquireUserCode(options.activeDirectoryResourceId, options.clientId, 'en-us', function (err, userCodeResponse) {
    if (err) {
        console.error(err);
        return;
    }

    console.log('Use a web browser to open the page ' + userCodeResponse.verificationUrl + ' and enter the code ' + userCodeResponse.userCode + ' to sign in.');

    context.acquireTokenWithDeviceCode(options.activeDirectoryResourceId, options.clientId, userCodeResponse, function (err, tokenResponse) {
        if (err) {
            console.error(err);
            return;
        }

        console.log(tokenResponse);
    });
});

Decoded JWT (header, then payload):

{
    "typ":"JWT",
    "alg":"RS256",
    "x5t":"XXXXXXX",
    "kid":"XXXXXXX"
}
{
    "aud":"spn:XXXXXXX",    // <<< Offending claim
    "iss":"https://sts.windows.net/XXXXXXX/",
    "iat":1471355868,
    "nbf":1471355868,
    "exp":1471359768,
    "acr":"1",
    "amr":["pwd"],
    "appid":"XXXXXXX",
    "appidacr":"0",
    "e_exp":7200,
    "family_name":"XX",
    "given_name":"XX",
    "ipaddr":"XX.XX.XX.XX",
    "name":"XX XX",
    "oid":"XXXXXXX",
    "scp":"user_impersonation",
    "sub":"XXXXXXX",
    "tid":"XXXXXXX",
    "unique_name":"XXX@XXX.onmicrosoft.com",
    "upn":"XXX@XXX.onmicrosoft.com",
    "ver":"1.0"
}
2 answers

Still facing the same problem two years later. As @Adam Young wrote in the comments on his question: replace the audience ID with the audience URL, and this solves the problem.


Not a JWT-specific answer, but I ran into the same "spn:" prefix with Azure AD's SAML 2.0 support, and the SAML case shows where it comes from.

Azure AD's SAML 2.0 implementation expects the identifier of the service provider to be a URI. Azure AD takes the Issuer from the AuthnRequest and matches it against the identifiers registered for the application. If that value is not a URI, it is not used as-is.

Instead it is treated as a service principal name by Azure AD. When the Issuer is not a URI, the Audience in the response is the Issuer with the prefix spn:.

So with Azure AD SAML 2.0 you have two options:

  1. Use a URI as the identifier.
  2. Keep the identifier as it is and expect spn: in front of the audience.

Option 1 is the right one. In SAML 2.0 the <Issuer> element is of type NameIDType, and without an explicit Format it is an entity identifier, which is a URI. So Azure AD is within the spec in expecting a URI here; if you use something that is not a URI, you are the one deviating, and the spn: prefix is the result.


Source: https://habr.com/ru/post/1651423/

