microsoft-identity-web: [Bug] Bearer error="invalid_token", error_description="The issuer '(null)' is invalid" in v1.14.0

Which version of Microsoft Identity Web are you using? v1.14.0

Where is the issue?

  • Web app
    • Sign-in users
    • Sign-in users and call web APIs
  • Web API
    • Protected web APIs (validating tokens)
    • Protected web APIs (validating scopes)
    • Protected web APIs call downstream web APIs
  • Token cache serialization
    • In-memory caches
    • Session caches
    • Distributed caches
  • Other (please describe)

Is this a new or an existing app? This is an app under active development for which I have successfully used v1.12.0.

Repro As there is no change in my code, the repro would be to update a working Web API from v1.12.0 to v1.14.0 and observe that it suddenly fails to validate tokens generated by both Postman v8.7.0 and MSAL for Angular:

"@azure/msal-angular": "^2.0.0",
"@azure/msal-browser": "^2.14.2",

On the server side, I am using ASP.NET Core 5.0 with the following configuration:


"AzureAd": {
  "Instance": "",
  "ClientId": "[guid]",
  "ClientSecret": "[removed]",
  "TenantId": "organizations"

Startup.ConfigureServices(IServiceCollection services)


services.AddAuthorization(options =>
    options.AddPolicy("MinimumScope", policy => policy.RequireClaim("scp", "access_as_user"));

Startup.Configure(IApplicationBuilder app, IWebHostEnvironment env)

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    if (env.IsDevelopment())



    // The UseCors call must be placed between UseRouting and UseAuthentication.
    // See


    // Custom middleware must be placed between UseAuthorization and UseEndpoints.

    app.UseEndpoints(endpoints =>
        // Require callers to be authenticated and have the minimum scope claim.

With app.UseRoleBasedAccessControl(), I am inserting my own custom middleware into the pipeline. With v1.14.0, the requests no longer reach my custom middleware.

I’ve successfully decoded and validated the tokens using both and

  "aud": "api://[guid]",
  "iss": "[guid]/",
  "iat": 1626041859,
  "nbf": 1626041859,
  "exp": 1626045759,
  "acr": "1",
  "aio": "[removed]",
  "amr": [
  "appid": "[guid]",
  "appidacr": "0",
  "email": "[email]",
  "family_name": "Barnekow",
  "given_name": "Thomas",
  "ipaddr": "[IP]",
  "name": "Thomas Barnekow",
  "oid": "[guid]",
  "preferred_username": "[email]",
  "rh": "[removed]",
  "scp": "access_as_user",
  "sub": "[removed]",
  "tid": "[guid]",
  "unique_name": "[email]",
  "upn": "[email]",
  "uti": "[guid]",
  "ver": "1.0"

As you see, the iss claim is not null. I am wondering why I am getting "ver": "1.0" tokens and do not know how to change that or whether that is an issue.

Expected behavior Token validation works as in v1.12.0 and no error is returned.

Actual behavior With v1.14.0, the Web API only returns error responses with status code 401 Unauthorized and a WWW-Authenticate header with a value of Bearer error="invalid_token", error_description="The issuer '(null)' is invalid".

Other information This issue is likely related to #1167. I added a comment and only then saw it was already closed. However, it seems the root cause is not removed.

About this issue

  • Original URL
  • State: closed
  • Created 3 years ago
  • Reactions: 1
  • Comments: 25

Most upvoted comments

@jlpstolwijk : I tried organizations too

Actually sorry, I had changed it on the client web app, not the web API. We can repro it. Thanks so much!

Thanks @ThomasBarnekow for the heads-up and detailed repros. We might have overlooked a case, when we have done We’ll have a look

Meanwhile, if you want to set the access token version of your web API to v2.0, you need to do it in the app registration. See