0
votes

I'm trying to set up a frontend React app service and a backend Node app service, which both require authentication, according to this tutorial. I've followed the steps except that I needed to set "loginParameters": ["response_type=code id_token", "scope=openid api://<backend app id>/user_impersonation"] instead of additionalLoginParams since my app uses auth v2.

When my frontend app calls my backend api I get the following error

{"code":401,"message":"IDX10205: Issuer validation failed. Issuer: '[PII is hidden]'. Did not match: validationParameters.ValidIssuer: '[PII is hidden]' or validationParameters.ValidIssuers: '[PII is hidden]'."}

I don't know how to debug this as the useful information in the response is hidden and I can't find a way to show it when using Node. I have inspected the token and the issuer is https://sts.windows.net/<tenant id>/, but I don't know what's expected or how to set ValidIssuer.

What I do for authentication code-wise is calling /.auth/me from frontend after login to receive an access token and this token is passed to the backend api in the header as Authentication: Bearer <access_token>. I'm expecting Azure to handle everything else according to the settings made in the linked tutorial. Is this correct?

How can I debug this issue?

EDIT

This is how the Expose an API page of backend app registration looks.


This is the data of my access token.


1
There's a configuration setting which makes the PII hidden by default. You can change that setting to see this information in the error message. - Gaurav Mantri
@GauravMantri Where do I find this setting? - Anton
Sorry, I was not clear earlier. Can you share the name and version of the SDK you're using for authentication/authorization? It's a setting in the SDK. - Gaurav Mantri
@GauravMantri I'm not using an SDK for authentication. I've restricted access from Azure portal and I call /.auth/me to get my token as mentioned in the question. - Anton
1. Remove the api:// prefix: scope=openid {back-end api client id}/.default. 2. Provide me with a screenshot of your Expose an API page. - Carl Zhao

1 Answer

1
votes

Your question has been resolved, so I am posting it as the answer to close out the question.

As I said in the comments, you need to obtain the 2.0 version of the token. So you need to change the accessTokenAcceptedVersion attribute of the application manifest to: "accessTokenAcceptedVersion": 2.
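A small diagnostic for the issuer mismatch discussed above, added here as an example and not code from the question or the answer: it decodes the access token's claims without verifying the signature and reports whether the token is a v1.0 token (issuer https://sts.windows.net/{tenant}/), which a backend configured for v2.0 (issuer https://login.microsoftonline.com/{tenant}/v2.0) rejects with IDX10205. The tenant id and audience in the sample token are placeholders; the App Service auth layer still performs the real signature and issuer validation.

```javascript
// Added diagnostic example (not from the question or answer): decode a JWT's
// payload WITHOUT verifying it, then compare the `iss` and `ver` claims with
// the issuer an Azure AD v1.0 or v2.0 backend would expect. For inspection
// only; it does not replace signature validation done by App Service auth.

function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWS compact token');
  // base64url -> base64, then decode the JSON payload
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}

// Reports the token version implied by its claims and the issuer strings a
// v1.0 and a v2.0 backend would each require (the mismatch behind IDX10205).
function diagnoseIssuer(token) {
  const claims = decodeJwtPayload(token);
  const tenant = claims.tid;
  const v1Issuer = `https://sts.windows.net/${tenant}/`;
  const v2Issuer = `https://login.microsoftonline.com/${tenant}/v2.0`;
  let version = 'unknown';
  if (claims.ver === '1.0' || claims.iss === v1Issuer) version = '1.0';
  else if (claims.ver === '2.0' || claims.iss === v2Issuer) version = '2.0';
  return {
    version,
    issuer: claims.iss,
    expectedIfBackendIsV1: v1Issuer,
    expectedIfBackendIsV2: v2Issuer,
    matchesV2: claims.iss === v2Issuer,
  };
}

// Constructed, unsigned sample token with a placeholder tenant id and audience
// (not a real token); only used to exercise the diagnostic offline.
function makeSampleToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.`;
}

const SAMPLE_TENANT = '00000000-0000-0000-0000-000000000000';
const sampleV1Token = makeSampleToken({
  iss: `https://sts.windows.net/${SAMPLE_TENANT}/`,
  tid: SAMPLE_TENANT,
  ver: '1.0',
  aud: 'api://placeholder-backend-app-id',
});

console.log(diagnoseIssuer(sampleV1Token));
```

If the report shows version 1.0 while the backend expects the v2.0 issuer, that is the mismatch the answer fixes by setting "accessTokenAcceptedVersion": 2 in the backend app manifest.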