
validate-token-with-graph-api fails because the audience id of our web api is not the audience id of Graph API #24

Open
landreas91 opened this issue Mar 28, 2023 · 4 comments

Comments

@landreas91

await validateTokenWithGraphApi(accessToken, decodedAccessToken.payload);

This line produces "Access token validation failure. Invalid audience."
For me, this is clear. The audience id in our JWT tokens is the application id of our custom web API.
Graph API declines JWT tokens that are not issued for Graph API.
Why validate against Graph API at all?

@landreas91
Author

Also, you don't check whether the "exp" claim is expired...

@playerony
Owner

playerony commented Mar 28, 2023

Man, you are totally right. I wrote this package almost 2 years ago, so I do not remember the specific reasons why I did it this way. But now you have your suggestion implemented in version 2.1.0.

@landreas91
Author

Thank you very much! One last thing: as stated in the documentation of the applicationId parameter, the appid is only present in v1.0 tokens.
What if we want to validate v2 tokens?
It is not possible to leave applicationId null or empty.
https://github.com/playerony/validate-azure-ad-token/blob/main/src/index.ts#L64
https://github.com/playerony/validate-azure-ad-token/blob/main/src/core/validate-token-claims.ts#L22

The problem is that we want to secure our custom Node.js Web API against several clients, e.g. a SharePoint Online SPFx solution and another custom web app.
So we have at least two applications that are consuming our web API. Thus, we would have to decide which one should get access.
Either applicationId should be an applicationIds array, or v2 tokens should be implemented.
That would be awesome.

@coreprocess

@playerony You obviously used the Graph API to validate the signature of the token. Of course this was not the correct approach, but at least the signature was checked. Now the check is gone and one can easily create tokens manually that get accepted by this library.

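The claim checks the thread asks for (audience, `exp`, and an allow-list of calling applications read from the v1.0 `appid` or the v2.0 `azp` claim), as an added TypeScript example that is not the validate-azure-ad-token library's own code. The `allowedClientIds` option and every id value are assumptions/constructed, and the function assumes the JWT signature has already been verified against the tenant's JWKS (the check coreprocess notes must not be dropped).

```typescript
// Added example, not the library's code: resource-API claim checks for Azure AD
// access tokens, to be run only AFTER the JWT signature has been verified against
// the tenant's JWKS (signature verification is deliberately out of scope here).
interface TokenClaims {
  aud?: string; iss?: string; tid?: string; ver?: string;
  exp?: number; nbf?: number;  // seconds since the Unix epoch
  appid?: string;              // v1.0 tokens: id of the calling application
  azp?: string;                // v2.0 tokens: id of the calling application
}

interface ValidationOptions {
  audience: string;           // our API's application id (the expected `aud`)
  allowedClientIds: string[]; // hypothetical array replacing a single applicationId
  tenantId: string;
  now?: number;               // injectable clock for deterministic tests
}

// Returns the list of failed checks; an empty array means the claims are acceptable.
function validateTokenClaims(claims: TokenClaims, opts: ValidationOptions): string[] {
  const errors: string[] = [];
  const now = opts.now ?? Math.floor(Date.now() / 1000);
  const isV2 = claims.ver === '2.0';

  if (claims.aud !== opts.audience) errors.push('invalid audience');
  if (typeof claims.exp !== 'number' || claims.exp <= now) errors.push('expired or missing exp');
  if (typeof claims.nbf === 'number' && claims.nbf > now) errors.push('not yet valid');
  if (claims.tid !== opts.tenantId) errors.push('invalid tenant');

  // Azure AD issuer formats differ between v1.0 and v2.0 tokens.
  const expectedIss = isV2
    ? `https://login.microsoftonline.com/${opts.tenantId}/v2.0`
    : `https://sts.windows.net/${opts.tenantId}/`;
  if (claims.iss !== expectedIss) errors.push('invalid issuer');

  // The calling app is in `appid` (v1.0) or `azp` (v2.0); either must be allow-listed.
  const clientId = isV2 ? claims.azp : claims.appid;
  if (!clientId || !opts.allowedClientIds.includes(clientId)) errors.push('client not allowed');
  return errors;
}

// Constructed sample values (placeholder ids, not real tenants or applications).
const OPTS: ValidationOptions = {
  audience: 'api-app-id-0000', allowedClientIds: ['spfx-app-id-1111', 'webapp-app-id-2222'],
  tenantId: 'tenant-id-3333', now: 1680000000,
};
const V1_FROM_SPFX: TokenClaims = { aud: 'api-app-id-0000', ver: '1.0', appid: 'spfx-app-id-1111',
  tid: 'tenant-id-3333', iss: 'https://sts.windows.net/tenant-id-3333/', exp: 1680003600 };
const V2_FROM_UNKNOWN_APP: TokenClaims = { aud: 'api-app-id-0000', ver: '2.0', azp: 'rogue-app-id-9999',
  tid: 'tenant-id-3333', iss: 'https://login.microsoftonline.com/tenant-id-3333/v2.0', exp: 1679990000 };
```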