Question

Access Token Issuer from Azure AD is sts.windows.net Instead Of login.microsoftonline.com

I'm trying to validate an access token obtained from Azure Active Directory.

I obtained the token from https://login.microsoftonline.com/{{my tenant guid}}/v2.0

The issuer in the token that comes back is https://sts.windows.net//{{my tenant guid}}/ which doesn't match.

If I check the config at .well-known/openid-configuration, the issuer is as expected: https://login.microsoftonline.com/....

I've found a similar issue reported on GitHub here: https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/560

The advice is to manually edit the manifest's JSON in the application registration in AAD and set "accessTokenAcceptedVersion": 2.

I've done this but it has made no difference. Why?


Solution


So it seems that changing the acceptedTokenVersion to 2 in the manifest did change things, but it just took time to take effect.

And yes the audience is always the client id based on my tests in v2 tokens.

2020-01-18

Solution


If you are authenticating an API, then add the following code in the startup class:

services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, options =>
    {
        // Discovery document of the v2.0 endpoint (metadata and signing keys)
        options.Authority = "https://login.microsoftonline.com/<TenantId>/v2.0";
        // Expected aud claim of the access token
        options.Audience = "<Audience>";
        // Accept the issuer that sts.windows.net puts into the token
        options.TokenValidationParameters.ValidIssuer
            = "https://sts.windows.net/<TenantId>/";
    });

The code above informs the correct issuer.

2022-01-17
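A small diagnostic for the mismatch discussed in the question and both answers, added here as an example and not code from any of the posters: it decodes a token's payload (without verifying the signature) and compares its iss claim with the issuer the v2.0 authority advertises, flagging the sts.windows.net case. The tenant and client ids, the demo token builder and the diagnose function are constructed for this example.

```python
import base64
import json

# Constructed sample ids for the demo (not real tenant/app values)
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"

# Issuer formats Azure AD uses for v1.0 and v2.0 access tokens
V1_ISSUER = f"https://sts.windows.net/{TENANT_ID}/"
V2_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(data).encode()).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. No signature check here:
    this is a diagnostic only; the JwtBearer middleware still validates the
    signature before any request is trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with 3 segments")
    return json.loads(b64url_decode(parts[1]))


def diagnose(token: str, authority_issuer: str) -> dict:
    """Compare the token's iss/ver/aud with the issuer advertised by the
    v2.0 authority's .well-known/openid-configuration (authority_issuer)."""
    claims = decode_claims(token)
    iss = claims.get("iss")
    # v2.0 tokens carry the client id as aud (per the accepted answer)
    result = {"ver": claims.get("ver"), "aud_ok": claims.get("aud") == CLIENT_ID}
    if iss == authority_issuer:
        result["status"] = "ok"
    elif iss == V1_ISSUER:
        # The symptom from the question: a v1.0 token from a v2.0 endpoint
        result["status"] = "v1 token: accessTokenAcceptedVersion is not 2 yet"
    else:
        result["status"] = "unexpected issuer"
    return result


def make_demo_token(claims: dict) -> str:
    """Build a constructed, unsigned token just to feed the diagnostic."""
    return f"{b64url_encode({'alg': 'none', 'typ': 'JWT'})}.{b64url_encode(claims)}."
```

Run diagnose on a real token from the login.microsoftonline.com/{tenant}/v2.0 endpoint to see whether the manifest change has propagated yet.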