0
votes

I'm trying to authenticate with API Management in Azure through OAuth. I've set up that piece fine.

I've got an OAuth2 Implicit login flow happening where I get an ID Token and Access Token (response_type=id_token+token). When I check aud in the returned access token, I get the default Graph API aud (00000003-0000-0000-c000-000000000000) instead of my Client ID, which I need to use to authenticate with the API Management piece.

This needs to stay behind OAuth as it's an internal app, something that I don't want to let loose on the public. I'm using an implicit flow because the webpage is a SPA hosted on Blob.

1
If you are getting a Graph access token, then your scope/resource is probably pointing at Graph API. Could you show what you have configured as the scope/resource? - juunas
I'm not sure what you mean by scope/resource - the URL I'm getting the token from? It looks like: login.microsoftonline.com/<tenant-id>/oauth2/v2.0/… - hjfitz
The scope query parameter in that URL :) Looks like you only specified openid. You should specify in addition a valid scope for your app. You can find and create these in the Expose an API section of the app registration. - juunas

1 Answer

3
votes

As juunas said, if you want to get the aud of your clientId, you need to add a valid scope for your app.

Go to Expose a scope of your app registered in Azure AD, and Add a scope.


And add the scope in the url like below:

https://login.microsoftonline.com/xxxx/oauth2/v2.0/authorize?
client_id=xxxxx
&response_type=id_token+token
&redirect_uri=https://localhost:123
&scope=openid api://xxxxxxxxxxxxxxxxxxxxxx-a3aab90df9fc/webread
&response_mode=fragment
&state=12345
&nonce=678910

Then decode the access token, and you will get the client ID in aud:

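The two steps in this answer, building the v2.0 authorize URL with the app's own scope and then inspecting the aud claim of the returned access token, as an added example that is not part of the question or the answer. It assumes Node.js (Buffer and the WHATWG URL API); the tenant ID, client ID, App ID URI and the two sample tokens are constructed placeholders, and the tokens carry a fake signature that is never verified here:

```javascript
// Added example, not from the original post. Placeholder identifiers only.
const TENANT_ID = "00000000-0000-0000-0000-000000000000"; // placeholder tenant
const CLIENT_ID = "11111111-1111-1111-1111-111111111111"; // placeholder app (client) ID
const APP_ID_URI = `api://${CLIENT_ID}`;                  // placeholder App ID URI from "Expose an API"
const API_SCOPE = `${APP_ID_URI}/webread`;                // placeholder scope, as in the answer's URL
const GRAPH_AUD = "00000003-0000-0000-c000-000000000000"; // Microsoft Graph resource ID (from the question)

// Build the implicit-flow authorize URL. With scope=openid alone the access
// token is minted for Graph; adding the app's own scope makes aud the app.
function buildAuthorizeUrl({ tenantId, clientId, redirectUri, scopes, state, nonce }) {
  const url = new URL(`https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/authorize`);
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("response_type", "id_token token"); // serialised as id_token+token
  url.searchParams.set("redirect_uri", redirectUri);
  url.searchParams.set("scope", scopes.join(" "));
  url.searchParams.set("response_mode", "fragment");
  url.searchParams.set("state", state);
  url.searchParams.set("nonce", nonce);
  return url.toString();
}

// base64url -> utf8 (JWT segments are unpadded base64url).
function base64UrlDecode(segment) {
  const pad = "=".repeat((4 - (segment.length % 4)) % 4);
  const b64 = (segment + pad).replace(/-/g, "+").replace(/_/g, "/");
  return Buffer.from(b64, "base64").toString("utf8");
}

// Decode the payload of a compact JWS to inspect claims. This does NOT verify
// the signature; the API (e.g. APIM's validate-jwt policy) must do that with
// the tenant's published signing keys before trusting any claim.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS (expected 3 segments)");
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Classify who the access token is for: our app, Graph, or something else.
function classifyAudience(token, clientId, appIdUri) {
  const { aud } = decodeJwtPayload(token);
  if (aud === clientId || aud === appIdUri) return "app";
  if (aud === GRAPH_AUD) return "graph";
  return "other";
}

// Constructed sample tokens: header + payload encoded as base64url, with a
// placeholder signature segment. Only the payload is inspected above.
function makeSampleJwt(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(payload)}.placeholder-signature`;
}
const GRAPH_TOKEN = makeSampleJwt({ aud: GRAPH_AUD, scp: "User.Read openid" }); // what scope=openid yields
const APP_TOKEN = makeSampleJwt({ aud: CLIENT_ID, scp: "webread" });             // what adding api://.../webread yields

const AUTHORIZE_URL = buildAuthorizeUrl({
  tenantId: TENANT_ID,
  clientId: CLIENT_ID,
  redirectUri: "https://localhost:123",
  scopes: ["openid", API_SCOPE],
  state: "12345",
  nonce: "678910",
});

console.log(AUTHORIZE_URL);
console.log("graph token audience:", classifyAudience(GRAPH_TOKEN, CLIENT_ID, APP_ID_URI)); // graph
console.log("app token audience:", classifyAudience(APP_TOKEN, CLIENT_ID, APP_ID_URI));     // app
```

The classifyAudience check is the same test the backend should apply: an access token whose aud is the Graph resource ID is not evidence that the caller is authorised for your API, so the API side (in APIM, the validate-jwt policy's expected audience) should be configured to accept only the app's client ID or App ID URI and reject everything else.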