I'm developing an iOS app which requires users to authenticate against an Azure AD (not B2C) and then use the JWT token to call a WebAPI.
I'm using the AppAuth library:
OIDAuthorizationService.discoverConfiguration(forDiscoveryURL: url) { configuration, error in
...
}
And then
let request = OIDAuthorizationRequest(configuration: configuration,
                                      clientId: <NativeApp AppID>,
                                      scopes: [OIDScopeOpenID],
                                      redirectURL: redirectURL,
                                      responseType: OIDResponseTypeCode,
                                      additionalParameters: ["resource": "<WebAPI AppID>"])
OIDAuthState.authState(byPresenting: request, presenting: presentingViewController) { state, error in
...
}
But the problem is, my JWT token's audience claim has the AppID of my client, and not the AppID of the WebAPI, even though I'm passing the resource parameter with the WebAPI AppID.
As a result, my WebAPI is rejecting the JWT token as the audience claim is incorrect.
What do I need to do to have my JWT token's audience claim be the WebAPI's AppID?
When requesting access to another resource, Azure AD returns you an ID token and an access token. I was using the ID token, which always has its audience claim set to your client. The access token (which is also a JWT token) has the correct audience claim for the resource you're requesting access to.
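As an added example (not code from the question or answer above), this is how the access token rather than the ID token gets attached to the WebAPI call with AppAuth, with a local check that its aud claim names the WebAPI; webApiAppId and apiURL are placeholders you would replace with your own values.

```swift
import Foundation
import AppAuth

// Placeholders (assumption): your WebAPI's AppID and an endpoint on it.
let webApiAppId = "<WebAPI AppID>"
let apiURL = URL(string: "https://webapi.example.invalid/api/values")!

/// Decode a JWT payload for inspection only. This does NOT verify the
/// signature; the WebAPI must still validate the token server-side.
func jwtPayload(_ token: String) -> [String: Any]? {
    let parts = token.split(separator: ".")
    guard parts.count == 3 else { return nil }
    var b64 = String(parts[1])
        .replacingOccurrences(of: "-", with: "+")
        .replacingOccurrences(of: "_", with: "/")
    while b64.count % 4 != 0 { b64 += "=" }          // restore base64 padding
    guard let data = Data(base64Encoded: b64) else { return nil }
    return (try? JSONSerialization.jsonObject(with: data)) as? [String: Any]
}

/// Audience may be a single string or an array of strings.
func audiences(of token: String) -> [String] {
    let aud = jwtPayload(token)?["aud"]
    if let s = aud as? String { return [s] }
    return aud as? [String] ?? []
}

/// Call the WebAPI with a fresh *access* token. The ID token's aud is always
/// this client's AppID, so sending it would be rejected by the WebAPI.
func callWebApi(with authState: OIDAuthState) {
    authState.performAction { accessToken, idToken, error in
        guard error == nil, let accessToken = accessToken else {
            print("could not obtain a fresh access token: \(String(describing: error))")
            return
        }
        // Client-side sanity check: the resource parameter should have produced
        // an access token whose aud is the WebAPI, not this app.
        if !audiences(of: accessToken).contains(webApiAppId) {
            print("access token aud \(audiences(of: accessToken)) does not name the WebAPI")
        }
        var req = URLRequest(url: apiURL)
        req.setValue("Bearer \(accessToken)", forHTTPHeaderField: "Authorization")
        URLSession.shared.dataTask(with: req) { _, response, _ in
            let status = (response as? HTTPURLResponse)?.statusCode ?? -1
            print("WebAPI responded with HTTP \(status)")
        }.resume()
    }
}
```

Depending on how the WebAPI is registered, Azure AD may set aud to the App ID URI instead of the AppID GUID, so compare against whichever identifier the WebAPI validates.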