-
Notifications
You must be signed in to change notification settings - Fork 218
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Bug] Cannot authenticate with managed identity to multi-tenant web api. #1290
Comments
Thanks @henriblMSFT. We'll investigate. |
@henriblMSFT : what's the accepted token version of your web API? Access token v1.0 ? |
From the app manifest: "accessTokenAcceptedVersion": null, |
Confirmed that updating the accepted token version to v2 solves the issue "accessTokenAcceptedVersion": 2, |
Thanks for the update, @henriblMSFT. We'll investigate shortly. This should work with both token versions. |
seems related to #1310 |
@jlpstolwijk this looks indeed like the same exact issue. When I investigated mine I found that the problem was in AadIssuerValidator When debugging I observed the following:
the claims issuer is IssuerMetadata issuerMetadata =
CreateConfigManager(AadAuthority.Replace("/v2.0", string.Empty,
StringComparison.OrdinalIgnoreCase)).GetConfigurationAsync().ConfigureAwait(false).GetAwaiter().GetResult(); Ultimately it tries to get the AAD configuration from Hope this helps. |
Thanks @henriblMSFT |
Included in 1.14.1 release |
Which version of Microsoft Identity Web are you using?
Microsoft Identity Web 1.14.0
Microsoft.Identity.Web 1.13.1
Does not repro with version 1.12.0
Where is the issue?
Is this a new or an existing app?
a. The app is in production and I have upgraded to a new version of Microsoft Identity Web.
Repro
I've observed the issue attempting to authenticate with an azure managed service identity. The issue also reproduces when authenticating as a user with the MSAL library.
appsettings.json
Here are the claims for the managed identity (note that all guids have been changed)
Expected behavior
The application should authenticate succesfully.
Actual behavior
The application fails to authenticate because the issuer cannot be validated.
The exception is thrown from AadIssuerValidator on line 132
The text was updated successfully, but these errors were encountered: