Getting the default aud claim value in an access token. How can I get the client ID / app ID URI in the aud claim?


I have created two app registrations in the Azure AD identity service. The first one is the API (for a web REST API) and the second one is the client (a web application). That means I generated a secret key for the client registration and an app ID URI for the API registration. Then I gave the client registration access to the API. I have used the single-tenant option and added the client ID as a known client in the manifest of the API registration.

https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/authorize?client_id=sample_client_id&response_type=code&redirect_uri=http://localhost/login/oauth2/code/azure&response_mode=query&scope=email openid offline_access

When I call the authorize endpoint (v2.0) with the "client_id" and the "scope" (email, openid, offline_access), I get a temporary authorization code. Using that temporary code I request an access token from the token endpoint with grant type "authorization_code", passing the same scope and client ID.

When I debug this access token, I am not getting the client ID in the aud claim. I want to use this token to generate an on_behalf_of token for the API by passing this access token as the assertion to the token endpoint. I am passing the app ID URI as the scope in this OBO request, so that I can use the newly generated access token to call the API from the client app.

import com.microsoft.aad.msal4j.*;
import java.util.*;
import java.util.concurrent.CompletableFuture;

// Confidential client for the calling (client) app registration
ConfidentialClientApplication clientApp = ConfidentialClientApplication
        .builder(clientId, ClientCredentialFactory.createFromSecret(clientSecret))
        .authority(authority)
        .build();

// Request the API's app ID URI with /.default as the OBO scope
Set<String> scopes = new HashSet<>();
scopes.add(appIdUri + "/.default");
// The incoming access token is forwarded as the user assertion
UserAssertion assertion = new UserAssertion(accessToken);
OnBehalfOfParameters params = OnBehalfOfParameters.builder(scopes, assertion).build();
CompletableFuture<IAuthenticationResult> result = clientApp.acquireToken(params);
String userInfoAccessToken = result.get().accessToken();

I am getting an error from the token endpoint.

I am using Spring and the MSAL Java library for the implementation.

Please help: how can I get the correct aud claim, or generate an OBO token for the API?

1 answer

Rukmini:

I created a BackendApp and exposed an API like below:

In FrontendApp, I granted the API permissions below:

In the OBO flow, the web API is used as an identity, and then it is used to call any other web API.

I generated authorization code by using below endpoint:

Make sure to use the scope api://ClientID/.default

https://login.microsoftonline.com/TenantID/oauth2/v2.0/authorize?
client_id=FrontendClientID
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=api://BackendID/.default
&state=12345

I generated access token using below parameters via Postman:

https://login.microsoftonline.com/TenantID/oauth2/v2.0/token

client_id:ClientID
scope:api://WebAPIID/.default
code:code
redirect_uri:https://jwt.ms
grant_type:authorization_code
client_secret:ClientSecret


Note that by using the OBO flow and passing the above access token as the assertion, you can call any API, such as a web API or Microsoft Graph.

For example, I added API permissions in the BackendApp so that I can call the web API:

I used the OBO flow to generate an access token for the web API:

https://login.microsoftonline.com/TenantID/oauth2/v2.0/token

client_id:ClientID
client_secret:ClientSecret
grant_type:urn:ietf:params:oauth:grant-type:jwt-bearer
assertion:access_token
requested_token_use:on_behalf_of
scope:api://WebAPIClientID/.default


When I decoded the access token, the aud was the ClientID:

If you want to call the user endpoint, then pass the scope https://graph.microsoft.com/.default while generating the access token in the OBO flow.

To do the same in Spring and Java, refer to the GitHub sample below:

ms-identity-java-webapi/README.md at master · Azure-Samples/ms-identity-java-webapi · GitHub by sangonzal
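As an added example that is not part of the question or of Rukmini's answer, the Python below puts the procedure from both posts into code: it builds the authorize request and the authorization_code exchange with the scope that selects the backend API as the audience, decodes a token's aud claim (without verifying the signature, which is only acceptable for debugging), and refuses to send a token as an OBO assertion unless its aud is the app performing the exchange, which is the situation the questioner ran into. All tenant, app and scope identifiers, the secret, the sample tokens and the scope name user_impersonation are placeholders constructed inline; the statement that OIDC-only scopes yield a token for the Microsoft Graph application ID is an assumption to check against your own tenant.

```python
import base64
import json
from urllib.parse import urlencode

# Placeholder identifiers (assumptions; substitute your own registrations).
TENANT_ID = "TenantID"
FRONTEND_CLIENT_ID = "FrontendClientID"
FRONTEND_SECRET = "FrontendSecret"
BACKEND_CLIENT_ID = "BackendClientID"
BACKEND_APP_ID_URI = "api://BackendClientID"
REDIRECT_URI = "https://jwt.ms"
# Well-known Microsoft Graph application ID. With only OIDC scopes
# (email openid offline_access) requested, the access token is minted for
# Graph (assumption), which is why the backend's client ID never shows in aud.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"


def authorize_url(scopes):
    """v2.0 authorize request. The audience of the eventual access token is
    chosen by the scope, so it must name the API: api://<backend-id>/.default."""
    params = {
        "client_id": FRONTEND_CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": "12345",
    }
    return (f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize?"
            + urlencode(params))


def code_grant_body(code, scopes):
    """Form body for the authorization_code exchange; scope names the API again."""
    return {
        "client_id": FRONTEND_CLIENT_ID,
        "client_secret": FRONTEND_SECRET,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
    }


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_claims(token):
    """Payload claims of a compact JWT, WITHOUT signature verification.
    Fine for inspecting aud while debugging; an API that accepts the token
    must verify signature (tenant JWKS), iss, exp and aud before trusting it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def audience_matches(token, client_id, app_id_uri):
    """True when aud names this app, as client ID (v2.0 tokens) or as
    App ID URI (v1.0 tokens). aud may be a string or a list."""
    aud = decode_claims(token).get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    return any(a in (client_id, app_id_uri) for a in auds)


def obo_grant_body(my_client_id, my_secret, my_app_id_uri, user_token, scopes):
    """Form body for the on-behalf-of exchange. The assertion must be a token
    addressed to the app doing the exchange; a token minted for another
    resource (the questioner's case) is rejected here, not at the endpoint."""
    if not audience_matches(user_token, my_client_id, my_app_id_uri):
        raise ValueError("assertion aud is not this app; request the API scope first")
    return {
        "client_id": my_client_id,
        "client_secret": my_secret,
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "assertion": user_token,
        "requested_token_use": "on_behalf_of",
        "scope": " ".join(scopes),
    }


def constructed_jwt(claims):
    """Constructed sample token for offline use: plausible header, the given
    claims, and a dummy signature segment (never accept such a token)."""
    header = {"typ": "JWT", "alg": "RS256"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        "constructed-signature",
    ])


# Constructed tokens reproducing the two outcomes discussed on the page.
TOKEN_FROM_OIDC_SCOPES = constructed_jwt({"aud": GRAPH_APP_ID, "scp": "email openid", "ver": "2.0"})
TOKEN_FROM_API_SCOPE = constructed_jwt({"aud": BACKEND_CLIENT_ID, "scp": "user_impersonation", "ver": "2.0"})
TOKEN_V1_STYLE = constructed_jwt({"aud": BACKEND_APP_ID_URI, "scp": "user_impersonation", "ver": "1.0"})
```

The audience check accepts both the client ID and the App ID URI because Entra issues the GUID in v2.0 access tokens and the URI in v1.0 ones; a middle-tier API should pin whichever form its registration is configured to receive rather than accepting both in production. The decode helper deliberately skips signature verification and exists only to explain why the OBO exchange fails; the API's real validation must use the tenant's signing keys.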