Open shawnhankim opened 1 year ago
There are two main types of Azure AD access token, summarised below, and our problem is that we are using the wrong type of token:
| Audience | Description |
| -- | -- |
| Microsoft APIs | These contain a nonce field in the JWT header and are not designed for custom APIs such as ours to validate |
| Custom APIs | Custom APIs need to get a token that can be validated, and we are not yet configured to enable this |
Issue:

Most IdPs' `$oidc_jwt_keyfile` endpoint works for access token validation. But Azure AD doesn't work, as the following message shows:

To solve #1, we can add `"[CLIENT_ID]/.default"` in the authorization endpoint of Azure AD. However, the access token doesn't work for the `userinfo` endpoint as a Bearer in the header of the API request, although the validation works. To successfully get a 200 response from the `/userinfo` endpoint, we can either remove the scope in the authorization endpoint or find a way to solve the invalid audience.

References:
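The distinction in the table above (a Microsoft Graph token carries a `nonce` in its JWT header and cannot be validated by a custom API; a token minted for our own API has our client ID or `api://<client_id>` as `aud`) can be checked before a request is handed to JWKS validation. The following is an added example written for this edit, not code from the issue or from the nginx OIDC reference implementation. It only decodes the header and payload without verifying the signature, so it is a triage step, not a replacement for signature validation; the client ID, the `kid` value and the sample tokens are constructed placeholders.

```python
"""Triage Azure AD access tokens by audience type (added example, not project code).

Decodes a compact JWS header and payload WITHOUT verifying the signature, to tell
a Microsoft Graph token (nonce in the JWT header) from one issued for our API via
the "<client_id>/.default" scope. Signature validation against the tenant's JWKS
must still follow for tokens classified as custom-api-token.
"""
import base64
import json

# Hypothetical application (client) ID of our API registration.
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
# Azure AD issues the API's own tokens with aud = client ID or api://<client_id>.
ACCEPTED_AUDIENCES = {CLIENT_ID, f"api://{CLIENT_ID}"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_unverified(token: str) -> tuple[dict, dict]:
    """Return (header, payload) of a compact JWS. No signature check is done."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload


def classify_access_token(token: str) -> str:
    """'graph-token', 'custom-api-token' or 'invalid-audience'."""
    header, payload = decode_unverified(token)
    if "nonce" in header:
        # Token minted for Microsoft APIs: not meant for us to validate.
        return "graph-token"
    aud = payload.get("aud")
    auds = set(aud) if isinstance(aud, list) else {aud}
    if auds & ACCEPTED_AUDIENCES:
        return "custom-api-token"
    return "invalid-audience"


def make_unsigned_token(header: dict, payload: dict) -> str:
    """Build a sample JWT with a dummy signature (constructed test data only)."""
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        _b64url_encode(b"constructed-dummy-signature"),
    ])


# Constructed samples mirroring the two token shapes from the issue.
GRAPH_TOKEN = make_unsigned_token(
    {"typ": "JWT", "alg": "RS256", "kid": "constructed-kid", "nonce": "constructed-nonce"},
    {"aud": "https://graph.microsoft.com", "scp": "User.Read"},
)
API_TOKEN = make_unsigned_token(
    {"typ": "JWT", "alg": "RS256", "kid": "constructed-kid"},
    {"aud": f"api://{CLIENT_ID}", "scp": "access_as_user"},
)
WRONG_AUD_TOKEN = make_unsigned_token(
    {"typ": "JWT", "alg": "RS256", "kid": "constructed-kid"},
    {"aud": "99999999-8888-7777-6666-555555555555"},
)

if __name__ == "__main__":
    for name, tok in [("graph", GRAPH_TOKEN), ("api", API_TOKEN), ("wrong-aud", WRONG_AUD_TOKEN)]:
        print(f"{name}: {classify_access_token(tok)}")
```

A token that classifies as `graph-token` should be rejected outright (or the client sent back to authorize with the `[CLIENT_ID]/.default` scope) rather than passed to key-based validation, since its signature is not something a custom API is expected to check; only `custom-api-token` results go on to JWKS verification.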