[Solved] microsoft-authentication-library-for-js: Invalid Issuer (iss: sts.windows.net) when acquiring token

I'm submitting a...

  • Regression (a behavior that used to work and stopped working in a new release)
  • Bug report
  • Performance issue
  • Feature request
  • Documentation issue or request
  • Other... Please describe: Help

Library version

Library version: 0.2.4

Current behavior

The acquired access_token appears to have the wrong issuer, and my ASP.NET Core API rejects the token with "The issuer is invalid".

The decoded access token looks like:

{
  "aud": "api://{clientId}",
  "iss": "https://sts.windows.net/{tenantId}/",
  ...
  "ver": "1.0"
}

Shouldn't the token issuer be: https://login.microsoftonline.com/{tenantId}/v2.0? Is this an issue with my Azure AD, or a MSAL.js configuration issue?

When I change my API options to o.TokenValidationParameters.ValidateIssuer = false; it works fine. The registered app is meant to be isolated to a single AAD tenant.

Expected behavior

The access token's issuer should be: https://login.microsoftonline.com/{tenantId}/v2.0

Minimal reproduction of the problem with instructions

When I use MSAL.js to acquire token via:

// Instance renamed to msalApp so it no longer shadows the msal namespace it is created from.
const msalApp = new msal.UserAgentApplication(
  '{clientId}',
  'https://login.microsoftonline.com/{tenantId}',   // single-tenant authority
  () => {},                                          // tokenReceivedCallback (redirect flow)
  {
    redirectUri: 'http://localhost:3001/',
    storeAuthStateInCookie: true,
    cacheLocation: 'sessionStorage'
  }
);

// Scope for the protected API; {clientId} is the API app registration's id.
msalApp.acquireTokenSilent(['api://{clientId}/my-scope']).then(
  (accessToken) => {
    console.log(accessToken);
    return accessToken;
  },
  () => {
    // Open a redirect page in case the token is bad
    // ... (remainder omitted in the original post)
  }
);

The returned access token is:

{
  "aud": "api://{clientId}",
  "iss": "https://sts.windows.net/{tenantId}/",
  ...
  "ver": "1.0"
}

When I use the accessToken to hit my ASP.NET Core Web API, I get a response with error="invalid_token", error_description="The issuer is invalid".

When I configure the API to skip checking the issuer, the API call works fine.

30 Answers

✔️ Accepted Answer

I believe this is a configuration issue in the Azure AD App Registration. There is a field called accessTokenAcceptedVersion that when left null defaults to v1.0. It must be changed to 2 so that tokens are generated in the v2.0 format.
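A quick way to confirm which format a token actually came back in before touching the API's validation settings, as an added example that is not part of this issue or of the MSAL.js project: it decodes only the payload (assumes Node.js for Buffer), compares iss against the v1.0 and v2.0 issuers for the expected tenant, and uses constructed placeholder ids.

```javascript
// Added example, not code from the MSAL.js project or from this issue:
// decode an Azure AD access token's payload (no signature check) and report
// whether "iss"/"ver" match the v1.0 or v2.0 issuer for the expected tenant.

function expectedIssuers(tenantId) {
  return {
    'v1.0': `https://sts.windows.net/${tenantId}/`,
    'v2.0': `https://login.microsoftonline.com/${tenantId}/v2.0`,
  };
}

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64, 'base64').toString('utf8');
}

// Claims only; the resource API must still verify signature, audience and expiry.
function decodePayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact-serialised JWT');
  return JSON.parse(base64UrlDecode(parts[1]));
}

function diagnoseIssuer(jwt, tenantId) {
  const claims = decodePayload(jwt);
  const issuers = expectedIssuers(tenantId);
  const format = Object.keys(issuers).find((k) => issuers[k] === claims.iss) || null;
  let hint;
  if (format === 'v2.0') {
    hint = 'v2.0 token: an API validating the v2.0 issuer will accept it';
  } else if (format === 'v1.0') {
    hint = 'v1.0 token: set accessTokenAcceptedVersion to 2 in the API app manifest, ' +
      "or list the v1.0 issuer in the API's ValidIssuers instead of disabling ValidateIssuer";
  } else {
    hint = 'issuer does not belong to the expected tenant; reject the token';
  }
  const consistent = format !== null && claims.ver === format.slice(1);
  return { iss: claims.iss, ver: claims.ver, format, consistent, hint };
}

// Constructed sample token for illustration: real tokens carry a signature.
function buildUnsignedToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}.placeholder-signature`;
}

const tenant = '11111111-1111-1111-1111-111111111111'; // placeholder tenant id
const sample = buildUnsignedToken({ aud: 'api://{clientId}', iss: `https://sts.windows.net/${tenant}/`, ver: '1.0' });
console.log(diagnoseIssuer(sample, tenant));
```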

Other Answers:

@mpalumbo7 Thank you for this hint.
I've updated the Azure App manifest file with "accessTokenAcceptedVersion": 2, and it started to generate the correct token.

The strangest thing is getting a v1.0 token when I'm asking for a token from the https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token endpoint...