无法对 Azure AD 中的自定义 API 进行身份验证（JWT 令牌问题）

Question

I have a JWT token issue when trying to the use the AadHttpClientFactory within the SharePoint Framework (SPFx). I have a custom AAD App registration that is setup to allow implicit grant flow. I have another app service running a small .netcore API that requires authentication. My API is not setup to authenticate the user, rather it validates the token coming from the Authorization header using the following Azure AD values.

  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "domain.onmicrosoft.com",
    "TenantId": "09e6b9a6-59fc-419d-xxxx-xxxxxxxxxxxx",
    "ClientId": "f46a1554-7fd9-4627-xxxx-xxxxxxxxxxxx",
    "ClientSecret": "xxxx-xxxxxxxxxxxx",
    "Issuer": "https://login.microsoftonline.com/09e6b9a6-59fc-419d-xxxx-xxxxxxxxxxxx/v2.0"
  }

I have my SPFx service setup to fetch the client like this: this.aadHttpClientFactory.getClient("api://URI").

It then calls my custom service, but no matter what I do I get a 401.

If I use the following URL to fetch a token and use it to hit my service it works fine:

https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize?client_id=<client-id>&response_type=id_token&redirect_uri=https://localhost:5001&scope=openid&response_mode=fragment&state=12345&nonce=678910

So, I inspected both JWT tokens (one coming back from SPFX and one I generate using the URL above). They are vastly different. The token I get back from SPFx has much more information in it and the Issuer is https://sts.windows.net/<tenant-id> but my API is looking for https://login.microsoftonline.com/<tenant-id>/v2.0 as the issuer. I feel that the issuer is where it is failing but I have tried updating my API to use the issuer that is coming back from SPFx and it still doesn't work. Any ideas?

Answer 1

Found this post that said the audience was invalid. I was able to find the same error inside my response. I updated my client ID to match my api URI of api:// and it worked.

Azure AAD - The audience is invalid