Adventures with Azure: Doh! Built-in App Service Identity Provider Not Working!

App Services

While adding the built-in Authentication support to an Azure App Service, I ran into a challenge where I kept getting a 401 status code whenever I called an API endpoint.

The first thing I did after setting up Azure Active Directory as my Identity Provider was to use Postman to call the OAuth2 token endpoint to get a token that I could then pass as a Bearer token to my API endpoint.

Every time I called my API endpoint I would receive the following error:

{
    "code": 401,
    "message": "IDX10205: Issuer validation failed. Issuer: '[PII is hidden]'. Did not match: validationParameters.ValidIssuer: '[PII is hidden]' or validationParameters.ValidIssuers: '[PII is hidden]'."
}

For the life of me I could not figure out what the issue was. I could not find anything in the logs, other than an error message with a property CallerResult and a value of CallerError.

Extremely helpful!

After about an hour of trying to figure this out, I took a step back.

In the past, when I encountered issues like this and was confident my token was good (meaning the correct client_id and client_secret), the problem usually had to do with the issuer.

So I decoded my token to see what it showed as the issuer.

I then compared that to what the built-in Identity Provider had set up.

I soon discovered the issuers were different! No wonder!
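Because the App Service error hides the issuer values behind "[PII is hidden]", decoding the token yourself is the quickest way to see what it actually carries. The script below is an added example, not part of the original post or of any Azure SDK: it decodes a JWT payload without verifying the signature (diagnosis only, never authorization), reads the iss and ver claims, and compares them with the issuer the App Service expects. The tenant id and audience are placeholders, and the issuer formats are the documented Azure AD v1.0 (sts.windows.net) and v2.0 (login.microsoftonline.com/.../v2.0) shapes; the assumption that the built-in provider was configured with the v2.0 issuer is mine, since the post does not quote the value.

```python
import base64
import json

# Placeholder tenant id, not a real tenant.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
# Documented Azure AD issuer formats for v1.0 and v2.0 access tokens.
V1_ISSUER = f"https://sts.windows.net/{TENANT_ID}/"
V2_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.

    Use this only to inspect which issuer a token carries; the signature is
    ignored, so the result must never feed an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def expected_issuer(tenant_id: str, accepted_version) -> str:
    """Issuer Azure AD writes into 'iss' for a given accessTokenAcceptedVersion.

    null (None) or 1 in the app manifest yields a v1.0 token; 2 yields v2.0.
    """
    if accepted_version == 2:
        return f"https://login.microsoftonline.com/{tenant_id}/v2.0"
    return f"https://sts.windows.net/{tenant_id}/"


def diagnose(token: str, configured_issuer: str) -> dict:
    """Compare the token's issuer with the issuer the App Service was configured for."""
    claims = jwt_claims(token)
    iss = claims.get("iss", "")
    return {
        "token_issuer": iss,
        "token_version": claims.get("ver"),   # "1.0" or "2.0" in Azure AD tokens
        "configured_issuer": configured_issuer,
        "issuer_matches": iss == configured_issuer,
    }


def make_unsigned_token(claims: dict) -> str:
    """Build a compact JWT with alg=none and an empty signature (constructed test input only)."""
    header = {"alg": "none", "typ": "JWT"}

    def enc(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    return f"{enc(header)}.{enc(claims)}."


if __name__ == "__main__":
    # Constructed v1.0-style token, the shape returned before the manifest change.
    v1_token = make_unsigned_token({"iss": V1_ISSUER, "ver": "1.0", "aud": "api://placeholder"})
    # Assumed: the built-in provider was configured with the v2.0 issuer.
    print(json.dumps(diagnose(v1_token, V2_ISSUER), indent=2))
```

Run it against a real token by replacing the constructed one with the string Postman returned; a mismatch between token_issuer and configured_issuer, together with token_version "1.0", is exactly the IDX10205 situation described above.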

How to fix it?

After digging around, I learned I needed to update the manifest of my app registration to support an OAuth2 token with the matching issuer.

To do this you need to edit the manifest in your app registration and change the value of the property accessTokenAcceptedVersion from null to 2.

Save the changes.

Now when I get a Bearer token it has the correct issuer.

And that puts an end to my temporary hair loss!
