AzureAD / microsoft-identity-web

Helps creating protected web apps and web APIs with Microsoft identity platform and Azure AD B2C
MIT License

[Bug] Using certificate to decrypt tokens in web API #538

Closed husseinkorly closed 4 years ago

husseinkorly commented 4 years ago

Which version of Microsoft Identity Web are you using? Note that to get help, you need to run the latest version.

Where is the issue?

Is this a new or an existing app? This is a new API that accepts a v2 encrypted token.

Repro https://github.com/husseinkorly/todo-service-aadv2

Expected behavior The first-party documentation recommends using this library and points to this page, Updating the sample (MSAL 3.x with builders), to show how to support JWE to handle encrypted AAD tokens. I also checked this wiki page on how to use certificates to decrypt tokens in a protected API. The code in the repo above is just sample code that I was expecting to use to handle authentication.

Actual behavior Calling the API with an encrypted token and getting 403. The middleware is not able to decrypt the token.

Possible solution The library still cannot handle JWE tokens

jmprieur commented 4 years ago

@husseinkorly: looking at your appsettings.json

https://github.com/husseinkorly/todo-service-aadv2/blob/90023d3229734ad94374f669f572509e97ef49bd/appsettings.json#L7-L12

you've used the certificate as Client certificates (which are used when you call a downstream API), whereas you'd want to use it as TokenDecryptionCertificates:

https://github.com/AzureAD/microsoft-identity-web/wiki/Using-certificates#decryption-certificates

We have other partners who successfully use it, so I'd be surprised if the library still cannot handle them.

husseinkorly commented 4 years ago

@jmprieur, I changed ClientCertificates to TokenDecryptionCertificates and I'm still having the same issue.

jmprieur commented 4 years ago

@husseinkorly: would you have a repro that I could use (your repo https://github.com/husseinkorly/todo-service-aadv2 does not have the change yet)? What error do you see in the web API?

husseinkorly commented 4 years ago

@jmprieur, sorry for the confusion, but I found that I was setting the Audience incorrectly, and it worked after fixing that.

Thank you
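As an added example (not taken from the reporter's repo or from the library's wiki), this is an appsettings.json "AzureAd" section that reflects both fixes discussed in this thread: the decryption certificate under TokenDecryptionCertificates instead of ClientCertificates, and an Audience that matches the token presented to the API. Tenant, client, vault and certificate values are placeholders; ASP.NET Core's JSON configuration provider accepts the // comments.

```json
{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "TenantId": "<tenant-id-placeholder>",
    "ClientId": "<api-client-id-placeholder>",

    // Must match the aud claim of the token the API receives. For a v2.0
    // access token that is the API's client ID (for v1.0, the Application
    // ID URI). A mismatch is rejected before any decryption concern arises.
    "Audience": "<api-client-id-placeholder>",

    // WRONG slot for decryption: ClientCertificates is the credential this
    // app presents when it calls a downstream API. The middleware does not
    // use it to unwrap an encrypted (JWE) incoming token.
    // "ClientCertificates": [ { "SourceType": "KeyVault", "...": "..." } ],

    // RIGHT slot: TokenDecryptionCertificates holds the private key used to
    // decrypt JWE tokens issued to this API. Same CertificateDescription
    // shape as ClientCertificates; only the property name differs.
    "TokenDecryptionCertificates": [
      {
        "SourceType": "KeyVault",
        "KeyVaultUrl": "https://<vault-name-placeholder>.vault.azure.net",
        "KeyVaultCertificateName": "<decryption-cert-name-placeholder>"
      }
      // Alternative for a certificate in the local store (placeholder thumbprint):
      // { "SourceType": "StoreWithThumbprint",
      //   "CertificateStorePath": "CurrentUser/My",
      //   "CertificateThumbprint": "<thumbprint-placeholder>" }
    ]
  }
}
```

The private key behind TokenDecryptionCertificates is what lets the API read the token, so it should be the only principal with read access to that Key Vault certificate.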

jmprieur commented 4 years ago

Thanks for the update, @husseinkorly. We're glad you unblocked yourself.