0
votes

My application is based on this example. I'm receiving a token in my WPF application from login and password like this:

result = await _app.AcquireTokenByUsernamePasswordAsync(Scopes, username, securePassword);

Then I want to access my secured Web API. But when I try to access it I get

AADSTS70002: Error validating credentials. AADSTS500137: The token issuer doesn't match the api version: A version 1 token cannot be used with the v2 endpoint. Trace ID: 42aaa5f8-0a2c-4c3f-a593-1676fd662700 Correlation ID: efe97d3a-ca2f-4dfe-a50c-5c3f4accde9a Timestamp: 2019-01-20 15:52:16Z

here:

AuthenticationResult result = application.AcquireTokenOnBehalfOfAsync(scopes.Except(_scopesRequestedByMsalNet), userAssertion).GetAwaiter().GetResult();

What I just found out is that AcquireTokenOnBehalfOfAsync gives v1 or v2 for different registered native applications. I cannot find the difference in configurations on Azure between the 2 apps.

3
What have you done to troubleshoot the issue? You received a specific error message. Have you looked into solving that error? – Daniel Mann
You are asking for a token from the V1 endpoint (ADAL) and trying to use it with an application that uses the V2 endpoint (MSAL). – Camilo Terevinto
@camiloterevinto I guess the endpoint version is set here: _app = new PublicClientApplication(aadClientId, authority); Authority is "login.microsoftonline.com/organizations/v2.0" – amplifier
@danielmann Ask me better what I didn't do :) – amplifier

3 Answers

2
votes

In the Azure portal, App registrations (Preview) is for registering an app on the v2 endpoint; App registrations is for registering an app on the v1 endpoint.

The v1 authorization endpoint is like:

https://login.microsoftonline.com/tenantid/oauth2/authorize?

v1 token endpoint:

https://login.microsoftonline.com/tenantid/oauth2/token

The v2 authorization endpoint is:

https://login.microsoftonline.com/tenantid/oauth2/v2.0/authorize

v2 token endpoint is:

https://login.microsoftonline.com/tenantid/oauth2/v2.0/token

1
votes

I got the same error; finally I figured it out. If you add the client app from the Azure AD app registration preview it will give you the v1.0 access token. I created a new client using https://apps.dev.microsoft.com/ and it is returning the v2.0 endpoint. At least it worked for me.

Refer to the picture below. My Angular app under converged applications is giving me a v2.0 token & traffic-lightapp-test under Azure AD applications is giving me a v1.0 token.


0
votes

Finally got it to work.

So, what we have: Native client (name: WpfApp), web api (name: WebApiApp)

Now we want to get access token using login, password and scopes!

Assume our config is:

<add key="ida:AADInstance" value="https://login.microsoftonline.com/{0}/v2.0"/>
<add key="ida:Tenant" value="organizations"/>
<add key="ida:ClientId" value="xxx-xxx-xxx-xxx"/>
<add key="todo:TodoListScope" value="https://ourdomain.onmicrosoft.com/WebApiApp/access_as_user"/>

To make it work you need to set accessTokenAcceptedVersion: 2 in the WpfApp manifest (not just in the WebApiApp manifest).
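A small diagnostic script, added here and not part of the question or any of the answers, that reads the ver and iss claims of an access token and compares the token version with the version of the authority the client was configured with, which is the mismatch behind the AADSTS500137 message in the question. It is written in Python rather than the question's C# so it runs anywhere without MSAL; the two tokens and the tenant id are constructed samples with an empty signature (nothing here verifies signatures; it only decodes claims for troubleshooting), AUTHORITY is the value from the question's comments, and the hint text restates the manifest fix from this answer.

```python
import base64
import json
from urllib.parse import urlparse

# Constructed placeholder tenant id; not a real tenant.
TENANT_ID = "00000000-0000-0000-0000-000000000000"

# v2.0 authority as used in the question's comments.
AUTHORITY = "https://login.microsoftonline.com/organizations/v2.0"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(claims: dict) -> str:
    """Build a constructed JWT with an empty signature for the demo.
    read_claims() below does not verify signatures, so this is enough to
    exercise the version check; a real API must validate the signature."""
    header = {"typ": "JWT", "alg": "RS256"}
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(claims).encode()), ""])


def read_claims(token: str) -> dict:
    """Decode the JWT payload without verification (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def token_version(claims: dict) -> str:
    """Return '1.0' or '2.0' from the ver claim, falling back to the issuer
    format: v1 tokens are issued by https://sts.windows.net/{tenant}/,
    v2 tokens by https://login.microsoftonline.com/{tenant}/v2.0."""
    ver = claims.get("ver")
    if ver in ("1.0", "2.0"):
        return ver
    iss = claims.get("iss", "")
    if iss.startswith("https://sts.windows.net/"):
        return "1.0"
    if iss.startswith("https://login.microsoftonline.com/") and iss.rstrip("/").endswith("/v2.0"):
        return "2.0"
    raise ValueError("cannot determine token version from ver or iss")


def authority_version(url: str) -> str:
    """'2.0' when the authority or endpoint URL has a v2.0 path segment, else '1.0'."""
    return "2.0" if "v2.0" in urlparse(url).path.split("/") else "1.0"


def diagnose(token: str, authority: str) -> dict:
    """Compare the token's version with the authority's and explain a mismatch."""
    claims = read_claims(token)
    tv, av = token_version(claims), authority_version(authority)
    report = {
        "token_version": tv,
        "authority_version": av,
        "issuer": claims.get("iss"),
        "audience": claims.get("aud"),
        "ok": tv == av,
    }
    if tv == "1.0" and av == "2.0":
        report["hint"] = ("v1 token presented to a v2.0 authority (AADSTS500137): set "
                          "accessTokenAcceptedVersion to 2 in the manifest of both the "
                          "client app and the API app registration, then acquire a fresh token")
    elif tv == "2.0" and av == "1.0":
        report["hint"] = "v2 token presented to a v1 authority: use an authority without /v2.0"
    return report


# Constructed sample tokens: one shaped like a v1 access token, one like v2.
V1_TOKEN = make_sample_token({
    "ver": "1.0",
    "iss": f"https://sts.windows.net/{TENANT_ID}/",
    "aud": "https://ourdomain.onmicrosoft.com/WebApiApp",
    "scp": "access_as_user",
})
V2_TOKEN = make_sample_token({
    "ver": "2.0",
    "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "aud": "xxx-xxx-xxx-xxx",
    "scp": "access_as_user",
})

if __name__ == "__main__":
    for name, tok in (("v1", V1_TOKEN), ("v2", V2_TOKEN)):
        print(name, json.dumps(diagnose(tok, AUTHORITY), indent=2))
```

Paste the access token MSAL returned in place of the constructed samples: a report with token_version 1.0 against a v2.0 authority is exactly the situation this answer fixes with accessTokenAcceptedVersion, and the issuer field shows which registration the token actually came from.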