I am new to the Azure ecosystem and I am a bit lost.
I use Azure AD B2C to secure multiple Spring Boot applications, but I see a strange behavior: it seems that a token is tied to a specific application, which is not really convenient, because that means we have to manage multiple tokens, one per application. On each application I have this configuration:
```yaml
azure:
  activedirectory:
    b2c:
      base-uri: https://<tenant>.b2clogin.com/
      tenant-id: <tenant-id>
      client-id: <client-id>
      user-flows:
        sign-up-or-sign-in: B2C_1_signin_signup
```
For example, I have a user UserA who wants to consume ApplicationA, ApplicationC and ApplicationD. UserA relies on ApplicationB (a front-end app) to ask for a token using `grant_type=password`.
When I use the granted access token I can only consume one application. If I try to use the same token in another application I get an HTTP 401 with this message in the application logs: `The aud claim is not valid`
The issue is that when we ask for a token we can only specify one scope, and the scope value must contain the application that should consume the token.
My question is: how can we use one token for multiple resource servers? How can I configure Azure AD B2C to add all applications to the `aud` claim so that the token is recognized by each resource server?
Thank you
CodePudding user response:
The requested scope determines which API the access token can be used at. The access token aud claim will be set to the client id of the respective scope.
You can use the refresh token you acquired in the first authentication to request an access token for a different scope.
The subsequent scope you request as part of a refresh token call, must be granted as a permission under the first application (app registration) that you authenticated to. It doesn’t matter which scope was requested in the initial authentication at this point.
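The following is an added example, not code from the question or the answer above. It reproduces the resource server's `aud` check that produces the 401 in the question, and builds the refresh-token request body the answer describes for obtaining a second access token scoped to a different API. The tenant name, client ids, scope string and the unsigned sample tokens are constructed placeholders; a real resource server must verify the token signature against the tenant's JWKS before trusting any claim.

```python
"""
Added example (not from the original question or answer): why an Azure AD B2C
access token is rejected by a second resource server, and how a refresh-token
call is used to obtain a token whose aud matches that server.

All identifiers below are constructed placeholders, not real tenant values.
"""
import base64
import json
from urllib.parse import urlencode

# Constructed placeholder values (labelled as assumptions, not real identifiers).
TENANT = "contoso-example"
POLICY = "B2C_1_signin_signup"                                # user flow from the question
CLIENT_ID_FRONTEND = "00000000-0000-0000-0000-00000000000b"   # ApplicationB (front end)
CLIENT_ID_API_A = "00000000-0000-0000-0000-00000000000a"      # ApplicationA (resource server)
CLIENT_ID_API_C = "00000000-0000-0000-0000-00000000000c"      # ApplicationC (resource server)


def b64url(data: bytes) -> str:
    """Base64url encode without padding, as used in compact JWTs."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Build a JWT with an empty signature, purely to construct sample input."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment only. This does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audience_accepted(claims: dict, resource_client_id: str) -> bool:
    """Mirror of the resource server's aud check behind 'The aud claim is not valid'."""
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    return resource_client_id in audiences


def build_refresh_request(refresh_token: str, api_scope: str) -> dict:
    """Token-endpoint request that trades a refresh token for an access token
    scoped to a different API (the approach the answer describes)."""
    url = (f"https://{TENANT}.b2clogin.com/{TENANT}.onmicrosoft.com/"
           f"{POLICY}/oauth2/v2.0/token")
    body = {
        "grant_type": "refresh_token",
        "client_id": CLIENT_ID_FRONTEND,
        "refresh_token": refresh_token,
        "scope": f"{api_scope} offline_access",   # offline_access keeps a refresh token
    }
    return {"url": url, "body": body}


# Constructed sample tokens: one issued for ApplicationA's scope, one for ApplicationC's.
TOKEN_FOR_A = make_unsigned_jwt({"aud": CLIENT_ID_API_A, "sub": "user-a", "scp": "read"})
TOKEN_FOR_C = make_unsigned_jwt({"aud": CLIENT_ID_API_C, "sub": "user-a", "scp": "read"})


if __name__ == "__main__":
    claims_a = decode_jwt_payload(TOKEN_FOR_A)
    print("token for A accepted at A:", audience_accepted(claims_a, CLIENT_ID_API_A))  # True
    print("token for A accepted at C:", audience_accepted(claims_a, CLIENT_ID_API_C))  # False -> 401
    # Placeholder scope string; the real value is the scope exposed by ApplicationC.
    req = build_refresh_request("<refresh-token-placeholder>",
                                f"https://{TENANT}.onmicrosoft.com/app-c/read")
    print(req["url"])
    print(urlencode(req["body"]))
```

The check in `audience_accepted` is what the Spring resource server does after signature validation: a single-audience token is only valid at the API whose client id it names, so a per-API token obtained through the refresh-token grant is the expected pattern rather than one token carrying every application in `aud`.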