
[Bug] Cannot authenticate with managed identity to multi-tenant web api. #1290

Closed
1 task done
henriblMSFT opened this issue Jun 23, 2021 · 10 comments
Labels
bug Something isn't working P1 regression regression between Microsoft Identity Web versions
@henriblMSFT commented Jun 23, 2021

Which version of Microsoft Identity Web are you using?
Microsoft Identity Web 1.14.0
Microsoft.Identity.Web 1.13.1
Does not repro with version 1.12.0

Where is the issue?

  • Web API
    • Protected web APIs (validating tokens)

Is this a new or an existing app?
a. The app is in production and I have upgraded to a new version of Microsoft Identity Web.

Repro
I've observed the issue attempting to authenticate with an Azure managed service identity. The issue also reproduces when authenticating as a user with the MSAL library.

// Registers JWT bearer authentication for the web API, reading the "AzureAd" section of appsettings.json
services
  .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
  .AddMicrosoftIdentityWebApi(config);

appsettings.json

"AzureAd": {
  "Instance": "https://login.microsoftonline.com/",
  "ClientId": "84846a08-b110-44f0-92af-a353b2e94d30",
  "TenantId": "organizations"
},

Here are the claims for the managed identity (note that all GUIDs have been changed):

{
  "typ": "JWT",
  "alg": "RS256",
  "x5t": "nOo3ZDrODXEK1jKWhXslHR_KXEg",
  "kid": "nOo3ZDrODXEK1jKWhXslHR_KXEg"
}.{
  "aud": "api://84846a08-b110-44f0-92af-a353b2e94d30",
  "iss": "https://sts.windows.net/7a797836-d1e3-4249-a68d-f2cb8e4f58a5/",
  "iat": 1624403649,
  "nbf": 1624403649,
  "exp": 1624490349,
  "aio": "E2ZgYOAxb73SVu/30LmxqEVvndJ/AA==",
  "appid": "a6af1a81-a127-4797-90eb-2bfa39d4b61e",
  "appidacr": "2",
  "idp": "https://sts.windows.net/7a797836-d1e3-4249-a68d-f2cb8e4f58a5/",
  "oid": "45f9fc44-a2d0-45f4-b123-144298ea2c4b",
  "rh": "0.ARIA6q7FzcUVtk2wefyt0lBdwjt-PftAYDFHvRw_czfWeosSAAA.",
  "roles": [
    "ReadWrite.All"
  ],
  "sub": "45f9fc44-a2d0-45f4-b123-144298ea2c4b",
  "tid": "7a797836-d1e3-4249-a68d-f2cb8e4f58a5",
  "uti": "ZYyGWeYHskic60aBY_cCAQ",
  "ver": "1.0"
}

Expected behavior
The application should authenticate successfully.

Actual behavior
The application fails to authenticate because the issuer cannot be validated.

The exception is thrown from AadIssuerValidator on line 132:

            throw new SecurityTokenInvalidIssuerException(
                string.Format(
                    CultureInfo.InvariantCulture,
                    IDWebErrorMessage.IssuerDoesNotMatchValidIssuers,
                    actualIssuer));
@henriblMSFT (Author) commented Jun 23, 2021

@jennyf19, I believe the bug was introduced by pull request #1241.

@jmprieur (Collaborator)

Thanks @henriblMSFT. We'll investigate.

@jmprieur (Collaborator)

@henriblMSFT: what's the accepted token version of your web API? Access token v1.0?

@jmprieur jmprieur added the regression regression between Microsoft Identity Web versions label Jun 23, 2021
@henriblMSFT (Author) commented Jun 23, 2021

From the app manifest:

"accessTokenAcceptedVersion": null,

@henriblMSFT (Author)

Confirmed that updating the accepted token version to v2 solves the issue:

"accessTokenAcceptedVersion": 2,

@jmprieur (Collaborator)

Thanks for the update, @henriblMSFT. We'll investigate shortly. This should work with both token versions.

@jlpstolwijk

Seems related to #1310.

@henriblMSFT (Author)

@jlpstolwijk this does indeed look like the exact same issue. When I investigated mine I found that the problem was in AadIssuerValidator.

When debugging I observed the following:
On line 77 ValidIssuers is set to:

https://login.microsoftonline.com/{tenantid}/v2.0

The claims issuer is https://sts.windows.net/7a797836-d1e3-4249-a68d-f2cb8e4f58a5/
so the check fails.
Eventually it makes it to line 116 where AadAuthority is set to https://login.microsoftonline.com/organizations/v2.0:

    IssuerMetadata issuerMetadata =
        CreateConfigManager(AadAuthority.Replace("/v2.0", string.Empty, 
            StringComparison.OrdinalIgnoreCase)).GetConfigurationAsync().ConfigureAwait(false).GetAwaiter().GetResult();

Ultimately it tries to get the AAD configuration from https://login.microsoftonline.com/organizations/.well-known/openid-configuration,
which does not exist. The exception gets swallowed and a SecurityTokenInvalidIssuerException gets thrown, failing the authentication.

Hope this helps.

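As an added illustration (not Microsoft.Identity.Web's code, and not from the thread's author), the issuer check the comment above describes, written in Python: the tenant comes from the token's tid claim rather than from the configured "organizations" authority, and both the v1.0 issuer (sts.windows.net) and the v2.0 issuer (login.microsoftonline.com/.../v2.0) are accepted. The template names and the demo() helper are assumptions made here for illustration; the GUIDs are the (already changed) ones from the report.

```python
import re

# Assumed template names for this example; {tenantid} is replaced with the token's tid claim.
V1_ISSUER_TEMPLATE = "https://sts.windows.net/{tenantid}/"
V2_ISSUER_TEMPLATE = "https://login.microsoftonline.com/{tenantid}/v2.0"

# A tenant id must be a GUID, so a token cannot steer template expansion to an arbitrary host.
GUID = r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"


def expand_template(template: str, tid: str) -> str:
    """Replace the {tenantid} placeholder with the tenant taken from the token."""
    return template.replace("{tenantid}", tid)


def is_valid_issuer(claims: dict, valid_issuer_templates: list) -> bool:
    """True if iss equals one of the templates expanded with the token's own tid.

    For a multi-tenant API configured with "organizations" there is no single
    tenant to compare against, so the tid claim binds iss to a concrete tenant;
    an issuer for a different tenant than tid is rejected.
    """
    tid = claims.get("tid", "")
    iss = claims.get("iss", "")
    if not re.fullmatch(GUID, tid):
        return False
    return any(expand_template(t, tid) == iss for t in valid_issuer_templates)


# Constructed claims modelled on the v1.0 managed-identity token in the report.
V1_TOKEN_CLAIMS = {
    "iss": "https://sts.windows.net/7a797836-d1e3-4249-a68d-f2cb8e4f58a5/",
    "tid": "7a797836-d1e3-4249-a68d-f2cb8e4f58a5",
    "ver": "1.0",
}
# Constructed v2.0 counterpart for the same tenant.
V2_TOKEN_CLAIMS = {
    "iss": "https://login.microsoftonline.com/7a797836-d1e3-4249-a68d-f2cb8e4f58a5/v2.0",
    "tid": "7a797836-d1e3-4249-a68d-f2cb8e4f58a5",
    "ver": "2.0",
}


def demo() -> dict:
    """Show the reported failure (only the v2.0 template) next to the accepting configuration."""
    only_v2 = [V2_ISSUER_TEMPLATE]
    both = [V1_ISSUER_TEMPLATE, V2_ISSUER_TEMPLATE]
    return {
        "v1_with_only_v2_template": is_valid_issuer(V1_TOKEN_CLAIMS, only_v2),  # False: the bug
        "v1_with_both": is_valid_issuer(V1_TOKEN_CLAIMS, both),                 # True
        "v2_with_both": is_valid_issuer(V2_TOKEN_CLAIMS, both),                 # True
    }
```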
@jmprieur jmprieur added bug Something isn't working P1 and removed investigate labels Jul 13, 2021
@jmprieur jmprieur added this to the 1.15 milestone Jul 13, 2021
@jmprieur (Collaborator)

Thanks @henriblMSFT.
@jennyf19 just fixed it.

@jennyf19 (Collaborator)

Included in the 1.14.1 release.
