[Azure AD Mobile Plugin] Error on validating token

Forge Component
Published on 2019-01-16 by Pedro Costa
7 votes

Hello,

I tried to use this plugin and couldn't get it to work properly.
Can anyone help me?

All the steps I did are as follows.

1. I registered my application in the Azure Portal.
The Redirect URL was set as below.

2. "Access directory as the signed user" was added to Microsoft Graph in API permissions.

3. The site property Client_IdentityProvider of the ADALPlugin module was set to "https://login.microsoftonline.com/takasimoriyan.onmicrosoft.com/"


The value I used above was made from my domain. I referred to the following Microsoft page.
https://docs.microsoft.com/azure/active-directory-b2c/tutorial-add-identity-providers#add-the-identity-providers

4. I created a test mobile app and placed a button with the following action.


The ClientId value I entered was from my Azure portal.

5. The test app was built for development and installed onto my iOS device. Then I tried to perform ADALLogin and got an error.


The error log in Service Center said the following:

Validate Token and User error: IDX10205: Issuer validation failed. Issuer: '[PII is hidden]'. Did not match: validationParameters.ValidIssuer: '[PII is hidden]' or validationParameters.ValidIssuers: '[PII is hidden]'.

It seems that the error occurred while validating the token,
but I couldn't figure out a way to correct the problem.

I would appreciate your help.

Best regards,
Moriya Takasi

Solution

I figured out the cause.
I had to set the Client_IdentityProvider site property to "https://sts.windows.net/<my-tenant-id>/".

My tenant ID was shown in the Azure portal.


I found the solution in this comment:
https://www.outsystems.com/forums/discussion/45254/adal-issue-microsoft-is-not-defined/#Post175351

Thanks.


Hi Takasi Moriya,

I have followed your post, but still can't log in successfully :(


Any tip?

Hello Pedro,

Do you use the v1 endpoint as the Authority URL specified in the first argument of the ADALLogin action?
This plugin currently supports only the v1 endpoint.

See the comment on the link below.
https://www.outsystems.com/forums/discussion/52304/microsoft-graph-instead-of-azure-ad-graph/#Post196131

Hi Takasi Moriya,

thank you for your reply.


But how can I use the v1 endpoint if Azure AD Graph uses v2, as I understand from reading the other post?

What was your Authority URI?

Thank you, and sorry for all the questions.

Best Regards,

PVN

Takasi Moriya wrote:

5. The test app was built for development and installed onto my iOS device. Then I tried to perform ADALLogin and got an error.


The error log in Service Center said the following:

Validate Token and User error: IDX10205: Issuer validation failed. Issuer: '[PII is hidden]'. Did not match: validationParameters.ValidIssuer: '[PII is hidden]' or validationParameters.ValidIssuers: '[PII is hidden]'.

Hi again,

I have the same error:


Validate Token and User error: IDX10503: Signature validation failed. Keys tried: '[PII is hidden]'.
Exceptions caught:
 '[PII is hidden]'.
token: '[PII is hidden]'.

I am using the following URIs.

Have you added the required permissions in the Azure Portal?
"Access directory as the signed user" has to be added to Microsoft Graph in API permissions in the Azure Portal.

Takasi Moriya wrote:

I am using the following URIs.

Have you added the required permissions in the Azure Portal?
"Access directory as the signed user" has to be added to Microsoft Graph in API permissions in the Azure Portal.

Hi, sorry for the late reply, it was Christmas time :)

Takasi, I'm using: https://graph.microsoft.com

As you can see at the following URL, the current version of the Azure AD Mobile Plugin (2.1 O11) requires the Azure AD Graph endpoint (https://graph.windows.net) as the resource URI. The Microsoft Graph endpoint (https://graph.microsoft.com) is probably not supported.
When I use the Microsoft Graph endpoint, I get the same validation error.

https://www.outsystems.com/forums/discussion/52304/microsoft-graph-instead-of-azure-ad-graph/
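As an added illustration (not code from the plugin or from anyone in this thread), the following Python script builds a constructed, unsigned v1-style Azure AD token and runs the two claim checks the thread revolves around: the exact-match issuer comparison behind the IDX10205 error from the first post, and an audience check against the resource URI discussed just above. Azure AD puts `https://sts.windows.net/{tenant-id}/` in the `iss` claim of v1 endpoint tokens and `https://login.microsoftonline.com/{tenant-id}/v2.0` in v2 endpoint tokens, which is why a domain-based URL or a missing trailing slash never matches. The tenant ID, domain and `kid` are placeholders, and it is my assumption that the plugin uses Client_IdentityProvider as the single valid issuer and compares `aud` against the resource URI; the plugin does not document that.

```python
"""Added example: Azure AD v1 issuer and audience claim checks on a constructed token."""
import base64
import json

# Placeholder values (assumptions, not real identifiers).
TENANT_ID = "11111111-2222-3333-4444-555555555555"
TENANT_DOMAIN = "contoso.onmicrosoft.com"

# Issuer strings Azure AD actually puts in the `iss` claim.
V1_ISSUER = f"https://sts.windows.net/{TENANT_ID}/"                 # v1 endpoint tokens
V2_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"   # v2 endpoint tokens

# Resource URIs discussed in the thread.
AAD_GRAPH = "https://graph.windows.net"
MS_GRAPH = "https://graph.microsoft.com"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(issuer: str, audience: str) -> str:
    """Build a constructed, unsigned JWT carrying only the claims this example checks.
    The third segment is a placeholder; signature verification is out of scope here."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "example-kid"}   # kid is a placeholder
    claims = {"iss": issuer, "aud": audience, "tid": TENANT_ID,
              "upn": "user@" + TENANT_DOMAIN}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()),
                     "signature-omitted"])


def claims_of(token: str) -> dict:
    """Decode the payload segment without verifying anything."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def validate_claims(token: str, valid_issuers, expected_audience: str) -> list:
    """Return a list of failures; empty means the claims pass.
    Issuer matching is an exact, case-sensitive string comparison, which is what
    Microsoft.IdentityModel does for ValidIssuer/ValidIssuers before raising IDX10205."""
    c = claims_of(token)
    errors = []
    if c.get("iss") not in set(valid_issuers):
        errors.append(f"issuer {c.get('iss')!r} not in {sorted(valid_issuers)}")
    aud = c.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if expected_audience not in auds:
        errors.append(f"audience {auds} does not contain {expected_audience!r}")
    return errors


def check_site_property(client_identity_provider: str, token: str) -> list:
    """Mirror the thread's setting: Client_IdentityProvider is treated as the only
    accepted issuer and Azure AD Graph as the expected resource (my assumption
    about the plugin, not documented behaviour)."""
    return validate_claims(token, [client_identity_provider], AAD_GRAPH)


if __name__ == "__main__":
    v1_token = make_token(V1_ISSUER, AAD_GRAPH)
    # Original (failing) setting from the question: a domain-based URL.
    print(check_site_property(f"https://login.microsoftonline.com/{TENANT_DOMAIN}/", v1_token))
    # Fixed setting from the solution: sts.windows.net + tenant ID + trailing slash.
    print(check_site_property(V1_ISSUER, v1_token))
    # Trailing slash dropped: still fails, because the comparison is exact.
    print(check_site_property(V1_ISSUER.rstrip("/"), v1_token))
    # Token obtained for Microsoft Graph instead of Azure AD Graph: audience mismatch.
    print(check_site_property(V1_ISSUER, make_token(V1_ISSUER, MS_GRAPH)))
```

Running the script prints an empty list only for the second case; every other configuration reports at least one mismatch, which is the quickest way to confirm that the value in Client_IdentityProvider must be copied character for character from the token's `iss` claim rather than derived from the tenant's domain name.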



Has anyone been experiencing authentication prompts on their mobile devices multiple times a day? We've been experiencing this on our mobile devices (both Android and iOS) for about a week.

We seem to get an authentication banner; we tap it, aren't prompted for a password or MFA, and Outlook and Teams return to normal operation. I'd say every 5-7 times I have to "Approve" the MFA push.


We use Microsoft's MFA for Office 365, Outlook and Teams on our mobile devices.