Asp.Net Core Azure AD V1.0 JWT Authentication Invalid Signature

Question

I have to make an ASP.NET Core 2.0 Web API application which uses the resources of Microsoft Graph. I tried to make the app use JWT authentication with the following properties:

Audience: "CLIENT_ID";
Authority: "https://login.microsoftonline.com/TENANT_ID"

The idea here is that I have a SPA app which uses ADAL to get an access token which should be used for authentication in the Web API. The acquired token authenticates successfully in Microsoft Graph Requests but fails the JWT authentication. The Unauthorized Response Error is:

Invalid Signature

Here is the deserialized token:

{
  "typ": "JWT",
  "nonce": "AQABAAAAAABHh4kmS_aKT5XrjzxRAtHzXF_CqRIDpjJHoJWBZWfqGU15M5j1xqsBga7obz1SUDjg3Ft56m4bTqls5nSs1T0ymPVzRTHZ7osxohQx9iRClSAA",
  "alg": "RS256",
  "x5t": "z44wMdHu8wKsumrbfaK98qxs5YI",
  "kid": "z44wMdHu8wKsumrbfaK98qxs5YI"
}.{
  "aud": "https://graph.microsoft.com",
  "iss": "https://sts.windows.net/TENANT_ID/",
  "iat": 1515769573,
  "nbf": 1515769573,
  "exp": 1515773473,
  "acr": "1",
  "aio": "Y2NgYHjhxRdU0DHj52u1ANkNv4qnVYoUbA2vYDu/dHHH1UcTUiwA",
  "amr": [
    "pwd"
  ],
  "app_displayname": "APP_NAME",
  "appid": "CLIENT_ID",
  "appidacr": "0",
  "e_exp": 262800,
  "ipaddr": "80.72.72.11",
  "name": "NAME",
  "oid": "USER_ID",
  "platf": "3",
  "puid": "1003BFFDA650568E",
  "scp": "Directory.ReadWrite.All EduAssignments.ReadWrite Mail.Send User.Read User.ReadBasic.All User.ReadWrite.All",
  "sub": "60Oat50bmTi24tObKrBPrjIpotUdZkUl5h0x0I6dLi0",
  "tid": "TENANT_ID",
  "unique_name": "UNIQUE_NAME",
  "upn": "UPN",
  "uti": "9z7lfwGNmkmqEO7KpWcKAA",
  "ver": "1.0"
}.[Signature]

Jwt.ms says it is an Azure AD V1.0 Token. So it should be somewhat valid. I tried acquiring an Azure AD V2.0 token with MSAL which authenticates successfully in the Web API but fails when trying to make Graph Requests. What am I doing wrong?

EDIT I changed my configuration to use v2.0 token again an then tried using @juunas's guide to get a graph access token like this:

var userAssertion = new UserAssertion(token, assertionType, email);

var authContext = new AuthenticationContext("https://login.microsoftonline.com/common/v2.0");
var clientCredential = new ClientCredential("CLIENT_ID", "CLIENT_SECRET");
//Acquire access token
var result = await authContext.AcquireTokenAsync("https://graph.microsoft.com", clientCredential, userAssertion);
string graphToken = result.AccessToken;

but the AcquireTokenAsyncMethod throws the following error:

The token issuer doesn't match the api version: A version 2 token can only be used with the v2 endpoint

I find this really weird since everything is now configured for v2.0 and my token is a valid Azure AD v2.0 token with an issuer: https://login.microsoftonline.com/TENANT_ID/v2.0

Answer 1

You need a separate access token for your API.

An access token from Azure AD is always only meant for a single API/resource.

Also, if you need to call MS Graph API from your API, you may want to look into the On-Behalf-Of grant: https://joonasw.net/view/azure-ad-on-behalf-of-aspnet-core .

The basic idea of that flow is that when your API gets a call containing an access token that has user context, you can exchange that token + your API's credentials for a new access token for another API that still has the same user's context.