I have an ASP.NET Core API, where I want to use Azure AD authentication. I have created an App Registration and provided the config below for my API:
"AzureAd": {
"TenantId": "<tenantid>",
"ClientId": "api://<clientid>", // tried it with only the guid clientid as well
},
Authentication config (App registration exposed API scope provided):
services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
}).AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, options =>
{
options.RequireHttpsMetadata = false;
options.Audience = Configuration["AzureAd:ClientId"];
options.Authority = "https://login.microsoftonline.com/" + Configuration["AzureAd:TenantId"];
})
My problem is, that when I log in to azure AD, the audience in my token will be 00000002-0000-0000-c000-000000000000 (Id of AAD Graph API), instead of the client id of the App registration.
I am using swagger to test the authentication:
app.UseSwaggerUi3(config =>
{
config.OAuth2Client = new NSwag.AspNetCore.OAuth2ClientSettings
{
ClientId = Configuration["AzureAd:ClientId"],
ClientSecret = string.Empty,
UsePkceWithAuthorizationCodeGrant = true,
ScopeSeparator = " "
};
});
swagger document config:
services
.AddOpenApiDocument(c =>
{
c.AddSecurity("OAuth2", new OpenApiSecurityScheme
{
OpenIdConnectUrl = $"https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration",
Scheme = "Bearer",
Type = OpenApiSecuritySchemeType.OAuth2,
Flows = new OpenApiOAuthFlows
{
AuthorizationCode = new OpenApiOAuthFlow
{
AuthorizationUrl = $"https://login.microsoftonline.com/{Configuration["AzureAd:TenantId"]}/oauth2/authorize",
TokenUrl = $"https://login.microsoftonline.com/{Configuration["AzureAd:TenantId"]}/oauth2/token",
Scopes = new Dictionary<string, string>
{
{ "api://<client id>/Api.Read", "api://<client id>/Api.Read" }
}
}
}
});
})
https://login.microsoftonline.com/{Configuration["AzureAd:TenantId"]}/oauth2/v2.0/token
– juunas