Home > Blockchain >  Can I get a v2 (MSAL) token for both management.azure.com and vault.azure.net audiences?
Can I get a v2 (MSAL) token for both management.azure.com and vault.azure.net audiences?

Time:09-22

The goal is to have an application, running on the user's computer authenticated as either themselves or a service principal, that can perform Azure resource management operations and Key Vault secret (data plane) operations.

So far, the resource operations are working fine with the management.azure.com audience, but the Key Vault data operations naturally fail with an error

Invalid audience. Expected https://vault.azure.net, found: https://management.azure.com

I've pored over the docs but it's not entirely clear to me if it's possible to have a single token for both audiences? Here, e.g., it suggests you can simply request multiple scopes, but other sources seem to say they must be for the same resource?

Several of MSAL's token acquisition methods require a scopes parameter. The scopes parameter is a list of strings that declare the desired permissions and the resources requested.

A single token would vastly simplify the application, similar to how ADAL used to work.

CodePudding user response:

I tried to reproduce in my environment and got below results:

Invalid audience. Expected https://vault.azure.net , found: https://management.azure.com

The above error refers that audience of your token to call Azure Keyvault REST API you need to call the audience with https://vault.azure.net

I tried with postman to get token in my environment, ensure you have Registered AD application and keyvault with right process.

Before that check your Azure Keyvault policy and secrets to ensure that no Authorized application is chosen, and use a service principle rather than an application to access the secret.

enter image description here

When I tried with scope https://management.azure.com in postman and got access token.

enter image description here

Then I copied the token to call the REST API to set secret.I got similar error.

enter image description here

When I tried with scope https://vault.azure.net I got an output sucessfully.

enter image description here

Then I copied the token and called API & set secret, it will work fine.

enter image description here

When I decoded token i'm getting aud with jwt.ms

enter image description here

Reference:

https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent

CodePudding user response:

You cannot acquire one token for multiple audiences in AAD. This is not supported for token acquisition and also not by the actual services. This is not a MSAL limitation, ADAL cannot do this either. ADAL might request/store multiple tokens internally. You need to manage multiple tokens in this case.

Everything documented by Venkatesan is correct, just giving it a bit more context as an explanation.

See also https://github.com/MicrosoftDocs/azure-docs/issues/82875

  • Related