[invalid_id_token] An error occurred while attempting to decode the Jwt: The ID Token contains invalid claims

Akanksha Pandey 6

I am adding oauth into an application(Java based) and I'm running into the following error:

I have followed all the steps to setup Azure AD using the offical documentation: https://learn.microsoft.com/en-us/azure/developer/java/spring-framework/configure-spring-boot-starter-java-app-with-azure-active-directory
I checked the validity of my token using Postman- it's working there.

I'm stuck since 2 days. Anyone please help

Shilpa 1 Reputation point

2022-11-02T18:29:45.117+00:00

Hi , I'm also getting the same error as in the above screenshot. Were you able to resolve this error? Can you please share the solution.

1 answer

Shweta Mathur 27,941 Reputation points Microsoft Employee

2022-06-08T12:26:48.327+00:00

Hi @Akanksha Pandey ,

Thanks for reaching out.

I understand you are looking to authenticate using Spring Boot Starter and getting error in the ID-Token.

As per documentation you mentioned, this is basic lab to introduced spring boot classes and annotations.

The error you are getting is due to invalid audience in the token. The audience of a token is the intended recipient of the token. In this particular documentation we are not calling any graph or protected API, so we are not specifying any scope in the application. Properties.

If you are calling any Graph API or protected API after authenticating the user, then the valid scope needs to add in the application to access the API.

eg scopes: https://graph.microsoft.com/User.Read need to add to access Graph API to read user details.

Could you please confirm if you are passing any scope in your application or while authenticating using postman?

I tried to replicate the given steps as mentioned in document in my lab and able to call message mentioned in controller successfully.

Hope this will help.

Thanks,
Shweta

------------------------

Please remember to "Accept Answer" if answer helped you.
Please sign in to rate this answer.
Akanksha Pandey 6 Reputation points

2022-06-08T12:53:37.567+00:00

Hi Shweta,

Thanks a lot for your response.

I’m passing scope in Azure Active directory under API permissions sections:
“Directory.AccessAsUser.All” and “User. Read”

I’m not getting regarding adding scope in application? Can you please help me understand

Also please help me regarding this authentication with Azure AD. I’m seriously stuck since 2 days and clueless.

Thanks,
Akanksha

Shweta Mathur 27,941 Reputation points Microsoft Employee

2022-06-09T11:14:43.083+00:00

Hi Akanksha,

Could you please confirm the scenario what you are trying to achieve?

You need the appropriate permissions or scope in access token to call Microsoft Graph API and those scopes need to configure in application.yml as

spring: cloud: azure: active-directory: enabled: true profile: tenant-id: <your-tenant-ID> credential: client-id: <your-client-ID> client-secret: <your-client-secret> authorization-clients: graph: scopes: https://graph.microsoft.com/Analytics.Read, email

Please refer the below sample if you are looking to authenticate users to access Microsoft Graph API.

https://learn.microsoft.com/en-us/azure/developer/java/spring-framework/spring-boot-starter-for-azure-active-directory-developer-guide
https://github.com/Azure-Samples/ms-identity-java-spring-tutorial/tree/main/2-Authorization-I/call-graph

Thanks,
Shweta

Akanksha Pandey 6 Reputation points

2022-06-09T16:19:58.78+00:00

Hi Shweta, thanks again for responding to my question.
In my springboot project, I added the scope in application.properties file as well as in Azure AD: https://graph.microsoft.com/user.read,openid,profile,email

But this is also not working.

Please let me know what else do I need to add/change.

Also, can we take this offline? That would be much faster and really helpful.
Let me know your email id so that I can ping you the whole process.

Shweta Mathur 27,941 Reputation points Microsoft Employee

2022-06-10T07:16:15.143+00:00

Please send us an email on azcommunity [at] microsoft [dot] com referencing this issue with a subject line "ATTN:shweta" and I will help you offline.

Akanksha Pandey 6 Reputation points

2022-06-10T09:15:42.957+00:00

Thanks Shweta. I have sent you the mail on the above mentioned email address.

Harsh Gehlot 0 Reputation points

2023-12-04T12:02:36.0933333+00:00

Were you able to solve this problem. I'm still facing it.
Can you share the solution.
I have exposed an api with scope name Survey.User.

spring: cloud: azure: active-directory: enabled: true profile: tenant-id: <id> credential: client-id: <client-id> client-secret: <secret> authorization-clients: survey-api: scopes: api://<client-id>/Survey.User
Sign in to comment