-
Notifications
You must be signed in to change notification settings - Fork 218
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Bug] "The issuer '(null)' is invalid" error when I request my API with bearer token #1167
Comments
I think that this is a Microsoft.Identity.Web issue (in the issuer validation) ###Analysis Line 76 in b93c676
Metadata: Possible fix:Union m => m.Aliases with Possible work aroundI have not tested. maybe have ValidIssuer set to https://sts.chinacloudapi.cn/{tenantid}/ in the appsettings.json? @Gtyrande : how urgent is this for you? |
@Gtyrande can you try with |
@jmprieur - the aliases are not in the OIDC metadata, they are in the instance metadata document https://login.microsoftonline.com/common/discovery/instance?authorization_endpoint=https://login.chinacloudapi.cn/common/oauth2/v2.0/authorize&api-version=1.1 The |
I tried I never use |
I tried I'm just to write a demo for our vendor to explain the process of Azure AD. Their tech-stack is Maven/Java, so it's not an urgent problem if msal.java is good. I will tell them to try msal.java. If it's not work, they can customize a validator in middleware. |
@Gtyrande - this seems to be an actual server bug. The token is marked as having been issued by As a possible workaround, you can try to set the authority as |
|
Fixed in 1.13 release. |
@jennyf19 Sorry for late reply and thank you for new release. As I tested this error never shows again. But I got a 404 response and I can’t tell where the problem is. Could you help me about this? My Vue App code:
My .NET API code:
|
|
|
Thanks @Gtyrande: yes. this is the right property. This means the web API is a v1.0 API. Looking at the open id configuration: |
Since version 1.13, I get the above error (""The issuer '(null)' is invalid") when validating an access token in my API (ASP.NET 5.0). With version 1.12 all works fine. Token is obtained using msal.js for angular v 2.0.0 (it sends a request to https://login.microsoftonline.com/organizations/oauth2/v2.0/token). Again, with Microsoft.Identity.Web 1.12.0, the token is validated just fine; in 1.13.0 I get an error about invalid issuer. As you can see in the below screenshot, the 'iss' claim is not null though, it is appSettings.json:
startup.cs code (completely boilerplate): |
I have the same issue as @Gtyrande and @jlpstolwijk with 1.14.0, which I just installed. With 1.12.0, everything works as expected. On the client side, I am using both Postman v8.7.0 and MSAL for Angular:
On the server side, I am using ASP.NET Core 5.0 with the following configuration: appsettings.json
Startup.ConfigureServices(IServiceCollection services) services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApi(Configuration.GetSection("AzureAd"))
.EnableTokenAcquisitionToCallDownstreamApi()
.AddMicrosoftGraph(Configuration.GetSection("Graph"))
.AddInMemoryTokenCaches();
services.AddAuthorization(options =>
{
options.AddPolicy("MinimumScope", policy => policy.RequireClaim("scp", "access_as_user"));
}); Startup.Configure(IApplicationBuilder app, IWebHostEnvironment env) public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
app.UseSerilogRequestLogging();
app.UseHttpsRedirection();
app.UseRouting();
// The UseCors call must be placed between UseRouting and UseAuthentication.
// See https://docs.microsoft.com/en-us/aspnet/core/fundamentals/middleware/?view=aspnetcore-5.0#middleware-order.
app.UseCors(CorsPolicyName);
app.UseAuthentication();
app.UseAuthorization();
// Custom middleware must be placed between UseAuthorization and UseEndpoints.
app.UseRoleBasedAccessControl();
app.UseJsonApi();
app.UseEndpoints(endpoints =>
{
// Require callers to be authenticated and have the minimum scope claim.
endpoints.MapControllers().RequireAuthorization("MinimumScope");
});
} With I've successfully decoded and validated the tokens using both jwt.ms and jwt.io:
As you see, the |
Adding some keywords which would have saved me hours of research and debugging:
|
I use
It works properly. My app is multitenant. |
Which Version of MSAL are you using ?
msal.net 1.9.0
Platform
asp.net core 5.0
What authentication flow has the issue?
Other? - please describe;
Is this a new or existing app?
This is a new app or experiment
Repro
I have added following lines of code.
Expected behavior
I checked my token on jwt.ms, it shows everything is good.
Actual behavior
I use Postman to request the API, and the API tells me issuer is null in my token.
The text was updated successfully, but these errors were encountered: