microsoft-authentication-library-for-js: Invalid Issuer (iss: sts.windows.net) when acquiring token
I’m submitting a…
- Regression (a behavior that used to work and stopped working in a new release)
- Bug report
- Performance issue
- Feature request
- Documentation issue or request
- Other… Please describe: Help
Browser:
- Chrome version XX
- Firefox version XX
- IE version XX
- Edge version XX
- Safari version XX
Library version
Library version: 0.2.4
Current behavior
The acquired access_token
appears to have the wrong issuer, and my ASP.NET Core API rejects the token due to The issuer is invalid
.
The decoded access token looks like:
{
"aud": "api://{clientId}",
"iss": "https://sts.windows.net/{tenantId}/",
...
"ver": "1.0"
}
Shouldn’t the token issuer be: https://login.microsoftonline.com/{tenantId}/v2.0
? Is this an issue with my Azure AD, or a MSAL.js configuration issue?
When I change to my API options to o.TokenValidationParameters.ValidateIssuer = false;
it works fine. The registered app is meant to be isolated to a single AAD tenant.
Expected behavior
The access token’s issuer should be: https://login.microsoftonline.com/{tenantId}/v2.0
Minimal reproduction of the problem with instructions
When I use MSAL.js to acquire token via:
msal = new msal.UserAgentApplication(
'{clientId}',
'https://login.microsoftonline.com/{tenantId}',
() => {},
{
redirectUri: 'http://localhost:3001/',
storeAuthStateInCookie: true,
cacheLocation: 'sessionStorage'
}
);
msal.acquireTokenSilent(['api://{cliend-id}/my-scope']).then(
(accessToken) => {
console.log(accessToken);
return accessToken;
},
() => {
// Open a redirect page in case the token is bad
...
}
);
The returned access token is:
{
"aud": "api://{clientId}",
"iss": "https://sts.windows.net/{tenantId}/",
...
"ver": "1.0"
}
When I use the accessToken to hit my ASP.NET Core Web API, I get a response with error="invalid_token", error_description="The issuer is invalid"
.
When I configure the API to skip checking the issuer, the API calls works fine.
About this issue
- Original URL
- State: closed
- Created 5 years ago
- Comments: 29 (6 by maintainers)
I believe this is a configuration issue in the Azure AD App Registration. There is a field called
accessTokenAcceptedVersion
then when leftnull
defaults to v1.0. It must be changed to2
so that tokens are generated in the v2.0 format.@mpalumbo7 Thank you for this hint. I’ve updated Azure App manifest file with the
"accessTokenAcceptedVersion": 2,
and it started to generate correct token.The most strange thing is getting v1.0 token if I’m asking for token from the
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
endpoint…@jasonnutter I understand that, but I find it strange that by default, the issuer in the token doesn’t match the one in the metadata. If you just rely on the metadata to configure token validation (which I usually do), it’s broken by default; that’s hardly ideal…
@tinodo this is not accurate. When an API (the resource AKA target AKA scope-owner of the access token) changes their token version, it does change the issuer of the access tokens issued for that API. Every API sets this differently, so depending on the API you plan to call, you may get tokens with different issuers and token versions. If you have encountered behavior that runs opposite to this I’d love to investigate it as it means we have issues in our token service.
ID tokens are issue based on the endpoint used, so all ID tokens issued to MSAL will be v2.0 and have the login.microsoftonline.com issuer.
For reference:
So @saurabhjain-MA - can you clarify that you are getting a token for the same resource in both calls? And that both are access tokens? And they have different issuers?
As a closing reminder - only the app in the audience of a token should ever, ever, ever look inside the access token. Access tokens are completely and utterly controlled by the API, and never, in any way, by the client requesting them. They can be encrypted, change versions, or have claims added or removed without warning to you. If your app takes a dependency on the format or on validating tokens for other applications, you have a potential security issue and a guaranteed reliability issue.