0
votes

I'm developing an iOS app which requires users to authenticate against an Azure AD (not B2C) and then use the JWT token to call a WebAPI.

I'm using the AppAuth library:

// Fetch the OpenID Connect discovery document for the Azure AD tenant
OIDAuthorizationService.discoverConfiguration(forDiscoveryURL: url) { configuration, error in
    ...
}

And then

// Build the authorization request, asking for the WebAPI as the resource
let request = OIDAuthorizationRequest(
    configuration: configuration,
    clientId: "<NativeApp AppID>",
    scopes: [OIDScopeOpenID],
    redirectURL: redirectURL,
    responseType: OIDResponseTypeCode,
    additionalParameters: ["resource": "<WebAPI AppID>"])

// Present the login flow and receive an OIDAuthState holding the tokens
OIDAuthState.authState(byPresenting: request, presenting: presentingViewController) { state, error in
    ...
}

But the problem is, my JWT token's audience claim has the AppID of my client, and not the AppID of the WebAPI, even though I'm passing the resource parameter with the WebAPI AppID.

As a result, my WebAPI is rejecting the JWT token as the audience claim is incorrect.

What do I need to do to have my JWT token's audience claim to be the WebAPI's AppID?

Comments:

Can you check your HTTP traces to make sure the payload being sent to retrieve the token is right? – Shawn Tabrizi

It looks like it is, because if I put in an invalid resource AppID then I get an error saying that App cannot be found. – Adam Young

Further investigation shows that when the /authorize endpoint is called, the resource parameter is passed, but then when the /token endpoint is called, it's not. So the question is, how can you do this in AppAuth? – Adam Young

1 Answer

0
votes

When requesting access to another resource Azure AD returns you an ID token and an access token. I was using the ID token, which always has its audience claim set to your client. Using the access token (which is also a JWT token) has the correct audience claim for the resource you're requesting access to.
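To make the distinction in this answer visible in the app, here is an added example (not from the question or answer author, and not AppAuth's own code) that reads both tokens out of the OIDAuthState, logs the unverified "aud" claim of each, and sends only the access token to the API. It assumes the WebAPI accepts the audience value passed as expectedAudience (Azure AD may issue the bare AppID or an App ID URI, so match what your API is configured to validate); callWebAPI and unverifiedAudience are hypothetical names.

```swift
import Foundation
import AppAuth

// Diagnostic only: decode a JWT's payload WITHOUT verifying its signature,
// so the "aud" claim can be inspected in the client. The WebAPI itself must
// still validate signature, issuer, audience and expiry on every request.
func unverifiedAudience(of jwt: String) -> String? {
    let parts = jwt.split(separator: ".")
    guard parts.count == 3 else { return nil }
    // base64url -> base64, then restore the padding that JWTs strip
    var payload = String(parts[1])
        .replacingOccurrences(of: "-", with: "+")
        .replacingOccurrences(of: "_", with: "/")
    while payload.count % 4 != 0 { payload += "=" }
    guard let data = Data(base64Encoded: payload),
          let json = try? JSONSerialization.jsonObject(with: data) as? [String: Any]
    else { return nil }
    // "aud" may be a single string or an array of strings
    if let aud = json["aud"] as? String { return aud }
    return (json["aud"] as? [String])?.first
}

// Call the WebAPI with the ACCESS token (audience = WebAPI), never the
// ID token (audience = this client's AppID), which is what the API rejected.
func callWebAPI(authState: OIDAuthState, apiURL: URL, expectedAudience: String) {
    // performAction refreshes the tokens first if they have expired
    authState.performAction { accessToken, idToken, error in
        guard error == nil, let accessToken = accessToken else {
            print("token error: \(String(describing: error))")
            return
        }
        // Log both audiences so the mismatch described above is easy to spot
        print("id token aud:     \(unverifiedAudience(of: idToken ?? "") ?? "n/a")")
        print("access token aud: \(unverifiedAudience(of: accessToken) ?? "n/a")")
        guard unverifiedAudience(of: accessToken) == expectedAudience else {
            print("access token is not for \(expectedAudience); check the resource parameter")
            return
        }
        var request = URLRequest(url: apiURL)
        request.setValue("Bearer \(accessToken)", forHTTPHeaderField: "Authorization")
        URLSession.shared.dataTask(with: request) { _, response, _ in
            print("status: \((response as? HTTPURLResponse)?.statusCode ?? -1)")
        }.resume()
    }
}
```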