Azure-Samples / ms-identity-java-webapp

A Java web application calling Microsoft graph that is secured using the Microsoft identity platform
MIT License

Audience is incorrect in access token #48

Closed cccs-cat001 closed 4 years ago

cccs-cat001 commented 4 years ago

Hi there,

I've been playing around with the webapp-example. I'm trying to get the groups claim to show up in the access token, but it won't for whatever reason. It shows up fine in the ID token. I was discussing with a coworker, and he mentioned that the audience is set to some Microsoft default: "00000003-0000-0000-c000-000000000000", but it should be the client_id. I spent a few hours digging through and I can't for the life of me figure out where that's coming from. Any ideas?

sangonzal commented 4 years ago

@cccs-cat001 What resource are you acquiring a token for? If it's Microsoft Graph, the audience will be what you stated. The "aud" (audience) claim identifies the recipients that the JWT is intended for.

The client should not really be looking into the access token. What are you trying to accomplish?

cccs-cat001 commented 4 years ago

I'm not going with Microsoft Graph, I have an app registration in my tenant. I provide the client id, the tenant id, and client secret, and it gives me back the Microsoft Graph token. I'm looking into the access token to make sure that the optional group claim that I added to the app registration makes it into the access token, which I found was not happening. I want to limit access to my app based on group membership.

sangonzal commented 4 years ago

@cccs-cat001 You should not be looking at the access token, as the access token is meant for the resource (Graph in your case), and not the client (your app). You can just use the claims in the id token in your case. Here is an interesting article explaining why the client should not peek at access tokens

Here is a sample showing how to do what you are trying to accomplish: .NET sample
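As an added illustration of the point above (not code from the sample project or from anyone in this thread): group-based authorization is enforced from the ID token, after checking that its `aud` is the app's own client ID, and a Microsoft Graph access token (whose `aud` is `00000003-0000-0000-c000-000000000000`) is rejected rather than inspected. Python is used for brevity; the client ID, tenant ID, group ID and token contents are constructed placeholders, and signature verification is assumed to be done by the auth library before these checks run.

```python
import base64
import json
import time

# Constructed placeholders: not a real tenant, app registration or group.
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
TENANT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph audience quoted in the thread
ALLOWED_GROUPS = {"group-admins-0001"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Build header.payload.<empty signature>; only for constructing sample tokens here."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def decode_claims(token: str) -> dict:
    """Decode the payload only. This does NOT verify the signature: in a real app the
    library (MSAL4J / Nimbus in the Java sample) validates it before claims are trusted."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding stripped by JWT encoding
    return json.loads(base64.urlsafe_b64decode(payload))


def is_token_for_this_client(claims: dict) -> bool:
    """True only for a token minted for this app (an ID token), not for a resource like Graph."""
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    return (CLIENT_ID in audiences
            and claims.get("tid") == TENANT_ID
            and claims.get("exp", 0) > time.time())


def user_is_authorized(id_token: str) -> bool:
    """Allow the user only if the ID token is ours and its groups claim hits ALLOWED_GROUPS."""
    claims = decode_claims(id_token)
    if not is_token_for_this_client(claims):
        return False
    return bool(set(claims.get("groups", [])) & ALLOWED_GROUPS)


# Constructed sample tokens: an ID token for this app, and a Graph access token for the same user.
_EXP = int(time.time()) + 3600
SAMPLE_ID_TOKEN = make_unsigned_jwt({"aud": CLIENT_ID, "tid": TENANT_ID, "exp": _EXP,
                                     "groups": ["group-admins-0001"]})
SAMPLE_GRAPH_ACCESS_TOKEN = make_unsigned_jwt({"aud": GRAPH_APP_ID, "tid": TENANT_ID, "exp": _EXP,
                                               "scp": "User.Read"})
```

The access token is refused by the audience check even though it is for the same user, which is the behaviour a client should want: its contents belong to Graph.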

sangonzal commented 4 years ago

Closing, feel free to re-open in case of any other questions.

jcarrera94 commented 2 years ago

@sangonzal you are right, the only reason why I peek is to verify if the access token was requested properly. For example, I am using the MSAL library for React and it is returning the wrong authentication token, so I can't use the access token with the resource I am trying to hit (Microsoft Graph and SharePoint API). I am adding the correct scopes to my login request and also within the app registration in the AD Azure portal.