TheNetworg / oauth2-azure

Azure AD provider for the OAuth 2.0 Client.
https://packagist.org/packages/thenetworg/oauth2-azure
MIT License

V2 validateTokenClaims and AUD Prefix #209

Open mellanox-is opened 6 months ago

mellanox-is commented 6 months ago

Hello!

oauth2-azure v1.x supported URI form of Client ID:

$provider = new Azure(['clientId' => 'api://XXXX-XXXXX']);

In oauth2-azure v2, src/Provider/Azure/validateAccessToken/getJwtVerificationKeys/getOpenIdConfiguration we have:

$openIdConfigurationUri = $this->urlLogin . $tenant . $versionInfix . '/.well-known/openid-configuration?appid=' . $this->clientId;

this requires us to put clientID without prefix in Provider init:

$provider = new Azure(['clientId' => 'XXXX-XXXXX']);

Otherwise, with the URI form, we get an error from Azure: "invalid_request AADSTS90112: Application identifier is expected to be a GUID"

But then we can't validate access tokens from the frontend app because the AUD claim is always in URI form and is different from the ClientId:

'api://XXXX-XXXXX' is not equal to 'XXXX-XXXXX'

public function validateTokenClaims($tokenClaims) {
    if ($this->getClientId() != $tokenClaims['aud']) {
        throw new \RuntimeException('The client_id / audience is invalid!');
    }
   ....
}

It always fails.

There should be fallback to URI form of the Client ID

Keized commented 4 months ago

Hi,

This value is managed by the manifest of your application in Azure. Go to the Azure portal of your application > Manage > Manifest. The value of accessTokenAcceptedVersion is probably set to null. If you set the value to 2 then the AUD won't be prefixed.

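Added example, not part of this issue thread and not oauth2-azure's own code: a PHP audience check that treats both identifiers of the same app registration as a match (the bare client GUID, which is what the aud claim carries when accessTokenAcceptedVersion is 2, and the api://<GUID> form it carries otherwise), plus a helper that derives the bare GUID the ?appid= discovery query in getOpenIdConfiguration requires. The function names, the sample GUIDs and the claim arrays are constructed for illustration only.

```php
<?php
// Added example (not oauth2-azure library code).
// Assumptions: the app's client ID is a GUID; the same app's audience appears
// either as "api://<GUID>" (accessTokenAcceptedVersion null) or as the bare
// GUID (accessTokenAcceptedVersion = 2). All function names are hypothetical.

declare(strict_types=1);

/** Strip an "api://" prefix if present and lowercase, so both audience forms compare equal. */
function normalizeAudience(string $value): string
{
    $value = trim($value);
    if (stripos($value, 'api://') === 0) {
        $value = substr($value, strlen('api://'));
    }
    return strtolower($value);
}

/** Value to send as ?appid= to the openid-configuration endpoint: Azure expects the bare GUID. */
function appIdForDiscovery(string $clientId): string
{
    $guid = normalizeAudience($clientId);
    if (!preg_match('/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/', $guid)) {
        throw new \InvalidArgumentException('clientId must be a GUID or api://<GUID>');
    }
    return $guid;
}

/**
 * Validate the "aud" claim of a token whose signature and issuer were already verified.
 * Per RFC 7519 "aud" may be a string or an array of strings; any entry that is one of
 * this app's two identifier forms is a match. Returns true on match, otherwise throws
 * the same RuntimeException the library's validateTokenClaims() throws.
 */
function validateAudience(string $clientId, array $tokenClaims): bool
{
    if (!isset($tokenClaims['aud'])) {
        throw new \RuntimeException('Token has no aud claim');
    }
    $expected  = normalizeAudience($clientId);
    $audiences = is_array($tokenClaims['aud']) ? $tokenClaims['aud'] : [$tokenClaims['aud']];
    foreach ($audiences as $aud) {
        // hash_equals() gives a length-safe, constant-time string comparison.
        if (is_string($aud) && hash_equals($expected, normalizeAudience($aud))) {
            return true;
        }
    }
    throw new \RuntimeException('The client_id / audience is invalid!');
}

// Constructed claim sets (not real tokens) for the two manifest settings and for a foreign app.
$clientId = 'api://11111111-2222-3333-4444-555555555555';
$v1Claims = ['aud' => 'api://11111111-2222-3333-4444-555555555555', 'ver' => '1.0'];
$v2Claims = ['aud' => '11111111-2222-3333-4444-555555555555', 'ver' => '2.0'];
$foreign  = ['aud' => 'api://99999999-8888-7777-6666-555555555555'];

var_dump(validateAudience($clientId, $v1Claims));
var_dump(validateAudience($clientId, $v2Claims));
echo appIdForDiscovery($clientId), PHP_EOL;
try {
    validateAudience($clientId, $foreign);
} catch (\RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Two caveats. The prefix tolerance only equates the two identifiers Azure issues for one app registration; it does not loosen the check against other audiences, and it must run after signature and issuer verification, never instead of them. If the manifest is switched to accessTokenAcceptedVersion = 2 as suggested above, the aud claim is the bare GUID and the library's strict equality passes without any fallback, so the normalization is only needed while v1-style tokens are still in circulation.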