Azure active directory - Allowed token audiences

24
votes

I am trying find documentation on "ALLOWED TOKEN AUDIENCES" in Azure, but there does not appear to be any. The value that I have placed in there was the resourceid that was returned with the token.

What does this mean? any link to documentation will be much appreciated.

PS. the learning link on the actual page mentions nothing about this, and the screenshots appear to be older and do not have this field.

thanks in advance

enter image description here

4
azureazure-active-directory
I've been doing Azure AD authentication manually all this time, so I'm not quite sure about this one. Allowed audiences in Azure AD terms usually means "The values of the aud claim that we will consider valid for this API". So if someone calls your API that is protected by Azure AD, the aud claim in the token must match one of the defined ones here. You probably should not put the Azure AD Graph client id there :) - juunas
The ID looks like the resource ID for the Azure Graph API. Meaning that, as @juunas said, your application has some permissions to use that API. - RasmusW
Found this, and posted a comment asking what documentation she edited: github.com/MicrosoftDocs/azure-docs/issues/12377 - Tracy

4 Answers

13
votes

I've been stumbling around the documentation, too. Here's what I've gotten to work with an Angular Front-end app that consumes a back-end API app.

In the front-end app, the user clicks a link and authenticates with Azure Directory. The token is kept in session in the browser.

Next, the user wants to interact with the API app.
Here's how:

  • Go to the API App's App Service in Azure.
  • Navigate to Authentication/Authorization
  • Turn "ON" App Service Authentication
  • Under Authentication Providers Select "Azure Active Directory"
  • Choose "Advanced" button
  • In the Client ID field insert the "Application ID" from your API App's Azure Active Directory App Registration. You should have registered the API app in Azure Active Directory, already.
  • In the "Allowed Token Audiences" field insert the "Application ID" from your front-end app's Azure Active Directory App Registration. You should have registered the front-end app in Azure Active Directory, already.

Security is so important. It blows my mind how confusing the documentation is around this stuff. Owin/Katana looks like it's on the way out. Based on this configuration, you wont need any of it. The other sign that Owin is a goner is the massive breaking change related to Microsoft/System IdentityModel that seems impossible build, discern, fix, yada yada. I wish Microsoft would create an "endpoint" that would show what's out and what's in. and how to do this particular step. If you can get your apps to do this, it's real clean.

enter image description here

4
votes

Fast forward to 2020, and there is now some explanation on this parameter. (added in 2019)

https://docs.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad#-enable-azure-active-directory-in-your-app-service-app

Allowed Token Audiences

If this is a cloud or server app and you want to allow authentication tokens from a web app, add the Application ID URI of the web app here. The configured Client ID is always implicitly considered to be an allowed audience.

3
votes

In my experience, the value of this field (or one of the values) has to match what is in the "audience" field of the token that is being sent to your service (juunas said as much as a comment on the question above). bwmartens suggestion above to use the app id URI sounds like it would work but the current version of the AAD registration blade in the Azure portal does not list an "App ID URI" value nor does there appear to be a "Settings -> Properties" anymore (the site keeps changing).

In my case, just putting the application ID did not work. I have found that the two most straightforward ways to find the value needed here are:

  1. Go to the AAD registration for your service and look in the manifest at the "identifierUris" field. In my experience, the value here should match the value that you put in the Allowed Token Audiences list.
  2. Get a JWT that you are sending to your service and decode it (e.g. using http://jwt.calebb.net/) and look at the value of the "aud" field. Put that in the Allowed Token Audiences list.
1
votes

The error : JWT validation failed: IDX10214: Audience validation failed. Audiences:.... indicates that the allowedAudiences ARM configuration on your App Service needs to be corrected.

how to correct: The simplest way to do this is via https://resources.azure.com/. Drill down into the App Service resource > config > authsettings and correct the value(s) as below:

"allowedAudiences":[
"https://<site>.azurewebsites.net"
  ]

OR

you can navigate to portal and click on Advanced section of authentication and update the Allowed Token Audiences with the value of web app. With the current app service changes, it can be done automatically but good to check this configuration.

Currently most of people might be using OAuth 2.0 and for them the allowed token audience should get updated with the value of app registration id.

Please note that you can update Azure AD=> App registration => Expose an API => value of web app and that should work for you.

The value 00000002-0000-0000-c000-000000000000 represents Microsoft.Grpah resource but token should be issued for right resource to perform authorization.