How can I validate MSAL token on API Management?

0
votes

I have a desktop app which uses ADAL for authentication, this app make requests to an API on the API Management azure service. After migrating the code to use MSAL, the API Management returns 401 saying that my token is invalid. The only difference that I see spying the requests is that ADAL makes a request to this endpoint /tenantID/oauth2/token and MSAL /tenantID/oauth2/v2.0/token.

In my API Management I have this policy:

    <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid. AAD" require-expiration-time="false">
         <openid-config url="https://login.microsoftonline.com/tenantID/.well-known/openid-configuration" />
    </validate-jwt>

I tried to change the well known url to v2.0 endpoint but get the same error. How can I validate the token using MSAL?

1
c#azure-api-managementmsal
May I know if it is helpful? If it helps, please accept it as answer, thanks. - Joy Wang-MSFT

1 Answers

1
votes

From the Note in the doc, when changing the well known url to v2.0, you may need to use common instead of tenantID.

<openid-config url="https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration" />

Also, make sure you have done the step 10 in this link correctly:

If you use v2 endpoints, use the scope you created for the backend-app in the Default scope field. Also, make sure to set the value for the accessTokenAcceptedVersion property to 2 in your application manifest.