V2 validateTokenClaims and AUD Prefix
Opened this issue · 1 comments
Hello!
oauth2-azure v1.x supported the URI form of the Client ID:
$provider = new Azure(['clientId' => 'api://XXXX-XXXXX']);
In oauth2-azure v2 src/Provider/Azure/validateAccessToken/getJwtVerificationKeys/getOpenIdConfiguration
we have:
$openIdConfigurationUri = $this->urlLogin . $tenant . $versionInfix . '/.well-known/openid-configuration?appid=' . $this->clientId;
This requires us to put the clientId without the prefix in the Provider init:
$provider = new Azure(['clientId' => 'XXXX-XXXXX']);
Otherwise, with the URI form, we get an error from Azure:
"invalid_request AADSTS90112: Application identifier is expected to be a GUID"
But then we can't validate access tokens from the frontend app because the AUD claim is always in URI form and is
different from the ClientId:
'api://XXXX-XXXXX' is not equal to 'XXXX-XXXXX'
    public function validateTokenClaims($tokenClaims) {
        if ($this->getClientId() != $tokenClaims['aud']) {
            throw new \RuntimeException('The client_id / audience is invalid!');
        }
        ....
    }
It always fails.
There should be a fallback to the URI form of the Client ID.
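One way the audience check could accept both forms, shown here as an added example that is not the oauth2-azure project's own code. The function names (acceptableAudiences, audienceMatches, the free-standing validateTokenClaims) and the sample claims are constructed for illustration; the GUIDs are placeholders. Only the exact "api://" prefix is treated as equivalent to the bare GUID, the comparison is strict (===) instead of the loose != in the snippet above, and an array-valued aud (allowed by RFC 7519) is handled as well.

```php
<?php
declare(strict_types=1);

// Added example, not code from the oauth2-azure library.
// Requires PHP 8+ for str_starts_with().

/**
 * Return the audience values treated as equivalent to $clientId:
 * the bare GUID and the default Application ID URI "api://<GUID>".
 * Nothing other than the exact "api://" prefix is stripped, so a token
 * issued for a different app registration is never accepted by accident.
 */
function acceptableAudiences(string $clientId): array
{
    $prefix = 'api://';
    $guid = str_starts_with($clientId, $prefix)
        ? substr($clientId, strlen($prefix))
        : $clientId;

    return [$guid, $prefix . $guid];
}

/**
 * RFC 7519 allows "aud" to be a string or an array of strings.
 * The token is acceptable if at least one entry is an exact match.
 */
function audienceMatches(string $clientId, mixed $aud): bool
{
    $allowed = acceptableAudiences($clientId);
    $candidates = is_array($aud) ? $aud : [$aud];

    foreach ($candidates as $value) {
        // strict in_array: no type juggling between "aud" and the allowed list
        if (is_string($value) && in_array($value, $allowed, true)) {
            return true;
        }
    }
    return false;
}

/**
 * Hypothetical stand-in for the provider method: the client ID is passed in
 * explicitly instead of coming from $this->getClientId().
 */
function validateTokenClaims(string $clientId, array $tokenClaims): void
{
    if (!isset($tokenClaims['aud']) || !audienceMatches($clientId, $tokenClaims['aud'])) {
        throw new \RuntimeException('The client_id / audience is invalid!');
    }
    // other claim checks (iss, exp, nbf, ...) would follow here
}

// Constructed sample claims; the Provider is initialised with the bare GUID,
// as v2 requires for the openid-configuration request.
$clientId = 'XXXX-XXXXX';
$samples = [
    ['aud' => 'api://XXXX-XXXXX'],             // URI form sent by the frontend app
    ['aud' => 'XXXX-XXXXX'],                   // bare GUID form
    ['aud' => ['other', 'api://XXXX-XXXXX']],  // array-valued aud
    ['aud' => 'api://YYYY-YYYYY'],             // another app: must be rejected
    ['aud' => 'XXXX-XXXXX/extra'],             // not an exact match: rejected
];

foreach ($samples as $claims) {
    try {
        validateTokenClaims($clientId, $claims);
        echo json_encode($claims['aud']), " -> accepted\n";
    } catch (\RuntimeException $e) {
        echo json_encode($claims['aud']), " -> rejected: ", $e->getMessage(), "\n";
    }
}
```

Initialising the provider with the bare GUID keeps the openid-configuration request working, while the audience check still accepts the api://GUID form the frontend tokens carry. If an app registration uses a custom Application ID URI rather than the default api://<client-id>, that URI would have to be added to the allowed list explicitly; the example deliberately does not accept arbitrary prefixes.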