[Solved] microsoft-authentication-library-for-js: Invalid Issuer (iss) when acquiring token

I'm submitting a...

  • Regression (a behavior that used to work and stopped working in a new release)
  • Bug report
  • Performance issue
  • Feature request
  • Documentation issue or request
  • Other... Please describe: Help


Library version

Library version: 0.2.4

Current behavior

The acquired access_token appears to have the wrong issuer, and my ASP.NET Core API rejects the token with "The issuer is invalid".

The decoded access token looks like:

  {
    "aud": "api://{clientId}",
    "iss": "{tenantId}/",
    "ver": "1.0"
  }

Shouldn't the token issuer be: {tenantId}/v2.0? Is this an issue with my Azure AD, or an MSAL.js configuration issue?

When I change my API options to o.TokenValidationParameters.ValidateIssuer = false; it works fine. The registered app is meant to be isolated to a single AAD tenant.

Expected behavior

The access token's issuer should be: {tenantId}/v2.0

Minimal reproduction of the problem with instructions

When I use MSAL.js to acquire a token via:

// msal 0.2.x constructor: (clientId, authority, tokenReceivedCallback, options). The clientId,
// authority and scopes were not preserved in the post; acquireTokenSilent is assumed for the stripped call.
const msalApp = new Msal.UserAgentApplication(
  '{clientId}',
  '{authority}',
  () => {},
  {
    redirectUri: 'http://localhost:3001/',
    storeAuthStateInCookie: true,
    cacheLocation: 'sessionStorage'
  }
);
msalApp.acquireTokenSilent(['{apiScope}']).then(
  (accessToken) => {
    return accessToken;
  },
  () => {
    // Open a redirect page in case the token is bad
  }
);

The returned access token is:

  {
    "aud": "api://{clientId}",
    "iss": "{tenantId}/",
    "ver": "1.0"
  }

When I use the accessToken to hit my ASP.NET Core Web API, I get a response with error="invalid_token", error_description="The issuer is invalid".

When I configure the API to skip checking the issuer, the API calls work fine.

30 Answers

✔️ Accepted Answer

I believe this is a configuration issue in the Azure AD App Registration. There is a field called accessTokenAcceptedVersion that, when left null, defaults to v1.0. It must be changed to 2 so that tokens are generated in the v2.0 format.
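As an added diagnostic (not code from this thread or from MSAL.js), the helper below decodes an access token's payload without verifying it and compares its "ver" and "iss" claims with the issuer the API is configured to accept, which makes the v1.0-vs-v2.0 mismatch behind "The issuer is invalid" visible before anyone is tempted to disable ValidateIssuer. The tenant id and tokens are constructed placeholders; the two issuer formats are the ones Azure AD uses for v1.0 and v2.0 tokens.

```javascript
// Added diagnostic helper; not part of the issue thread or of MSAL.js.
// Decodes a JWT payload WITHOUT checking the signature: a troubleshooting aid
// only, never a replacement for the validation the API performs.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}

// Azure AD uses a different issuer format for each token version:
//   v1.0: https://sts.windows.net/{tenantId}/
//   v2.0: https://login.microsoftonline.com/{tenantId}/v2.0
function expectedIssuer(tenantId, version) {
  return version === '2.0'
    ? `https://login.microsoftonline.com/${tenantId}/v2.0`
    : `https://sts.windows.net/${tenantId}/`;
}

// Explains an "issuer is invalid" rejection by comparing the token's issuer
// and "ver" claim with the issuer the API is configured to accept.
function diagnoseIssuer(token, tenantId, apiExpectsVersion = '2.0') {
  const claims = decodeJwtPayload(token);
  const tokenVersion = claims.ver === '2.0' ? '2.0' : '1.0';
  const expected = expectedIssuer(tenantId, apiExpectsVersion);
  const agree = tokenVersion === apiExpectsVersion;
  return {
    tokenVersion,
    tokenIssuer: claims.iss,
    expectedIssuer: expected,
    issuerMatches: claims.iss === expected,
    hint: agree
      ? 'token version and API expectation agree'
      : `token is v${tokenVersion} but the API expects v${apiExpectsVersion}: ` +
        'set accessTokenAcceptedVersion to 2 in the app manifest rather than disabling ValidateIssuer',
  };
}

// Constructed, unsigned sample token with placeholder ids so this runs offline.
const SAMPLE_TENANT = '00000000-0000-0000-0000-000000000000';
function makeUnsignedJwt(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.`;
}
const SAMPLE_V1_TOKEN = makeUnsignedJwt({
  aud: 'api://{clientId}', iss: `https://sts.windows.net/${SAMPLE_TENANT}/`, ver: '1.0',
});
console.log(diagnoseIssuer(SAMPLE_V1_TOKEN, SAMPLE_TENANT));
```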

Other Answers:

@mpalumbo7 Thank you for this hint.
I've updated Azure App manifest file with the "accessTokenAcceptedVersion": 2, and it started to generate correct token.

The most strange thing is getting a v1.0 token if I'm asking for a token from the {tenant}/oauth2/v2.0/token endpoint...