
Azure active directory - Allowed token audiences


I've been stumbling around the documentation, too. Here's what I've gotten to work with an Angular Front-end app that consumes a back-end API app.

In the front-end app, the user clicks a link and authenticates with Azure Directory. The token is kept in session in the browser.

Next, the user wants to interact with the API app.
Here's how:

  • Go to the API App's App Service in Azure.
  • Navigate to Authentication/Authorization
  • Turn "ON" App Service Authentication
  • Under Authentication Providers Select "Azure Active Directory"
  • Choose "Advanced" button
  • In the Client ID field insert the "Application ID" from your API App's Azure Active Directory App Registration. You should have registered the API app in Azure Active Directory, already.
  • In the "Allowed Token Audiences" field insert the "Application ID" from your front-end app's Azure Active Directory App Registration. You should have registered the front-end app in Azure Active Directory, already.

Security is so important. It blows my mind how confusing the documentation is around this stuff. Owin/Katana looks like it's on the way out. Based on this configuration, you won't need any of it. The other sign that Owin is a goner is the massive breaking change related to Microsoft/System IdentityModel that seems impossible to build, discern, fix, yada yada. I wish Microsoft would create an "endpoint" that would show what's out and what's in, and how to do this particular step. If you can get your apps to do this, it's real clean.



Fast forward to 2020, and there is now some explanation on this parameter. (added in 2019)

https://docs.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad#-enable-azure-active-directory-in-your-app-service-app

Allowed Token Audiences

If this is a cloud or server app and you want to allow authentication tokens from a web app, add the Application ID URI of the web app here. The configured Client ID is always implicitly considered to be an allowed audience.


In my experience, the value of this field (or one of the values) has to match what is in the "audience" field of the token that is being sent to your service (juunas said as much in a comment on the question above). bwmartens' suggestion above to use the app ID URI sounds like it would work, but the current version of the AAD registration blade in the Azure portal does not list an "App ID URI" value, nor does there appear to be a "Settings -> Properties" anymore (the site keeps changing).

In my case, just putting the application ID did not work. I have found that the two most straightforward ways to find the value needed here are:

  1. Go to the AAD registration for your service and look in the manifest at the "identifierUris" field. In my experience, the value here should match the value that you put in the Allowed Token Audiences list.
  2. Get a JWT that you are sending to your service and decode it (e.g. using http://jwt.calebb.net/) and look at the value of the "aud" field. Put that in the Allowed Token Audiences list.
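The check the answers above describe, written out as an added example (not code from the question, the answers or Microsoft): decode a JWT's payload, read its "aud" claim, and accept it only if it matches the configured Client ID or one of the Allowed Token Audiences. The client ID, the audience URI and the tokens are constructed sample values; the signature is deliberately not verified here, because the point is only to see which "aud" value App Service would compare against.

```python
import base64
import json

# Constructed sample values (not from the page): the API app's Client ID and
# the front-end app's Application ID URI as entered in Allowed Token Audiences.
API_CLIENT_ID = "11111111-2222-3333-4444-555555555555"
ALLOWED_TOKEN_AUDIENCES = ["api://66666666-7777-8888-9999-000000000000"]


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_audiences(token: str) -> list:
    """Return the 'aud' claim of a compact JWT as a list (it may be a string
    or an array). Payload only: the signature is NOT checked, so this is for
    inspecting a token, not for trusting it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three dot-separated segments)")
    payload = json.loads(_b64url_decode(parts[1]))
    aud = payload.get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)


def audience_allowed(token: str, client_id: str, allowed: list) -> bool:
    """Mirror the App Service rule quoted above: the configured Client ID is
    always an allowed audience, plus every entry in Allowed Token Audiences.
    One matching 'aud' value is enough."""
    accepted = {client_id, *allowed}
    return any(a in accepted for a in jwt_audiences(token))


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT (alg 'none', empty signature) so the
    audience check can be demonstrated offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    good = make_unsigned_token({"aud": ALLOWED_TOKEN_AUDIENCES[0], "sub": "user"})
    wrong = make_unsigned_token({"aud": "api://some-other-app", "sub": "user"})
    print(audience_allowed(good, API_CLIENT_ID, ALLOWED_TOKEN_AUDIENCES))   # True
    print(audience_allowed(wrong, API_CLIENT_ID, ALLOWED_TOKEN_AUDIENCES))  # False
```

To use this on a real token, paste the bearer token your front-end sends into `jwt_audiences` and compare the printed value with what you entered in the portal; a mismatch there is exactly the failure the answer above describes.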