The audience is invalid error

See here for what this claim is about:

The aud (audience) claim identifies the recipients that the JWT is intended for. Each principal intended to process the JWT MUST identify itself with a value in the audience claim. If the principal processing the claim does not identify itself with a value in the aud claim when this claim is present, then the JWT MUST be rejected....

So your API's name must exist in the aud claim for the JWT to be valid when it is validated by the middleware in your API. By the way, you can use jwt.io to look at your token; that can be useful to help make sense of it.

In order to have IdentityServer add your API's name to the aud claim, your client code (which is attempting to get a resource from the API and therefore needs an access token) should request a scope from your API. For example, like this (from an MVC client):

app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
{
    Authority = Configuration["IdpAuthorityAddress"],
    ClientId = "my_web_ui_id",
    Scope = { "api1" },   // the API's name; IdentityServer puts it into the aud claim of the access token

    //other properties removed...
});
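The check the API's bearer middleware performs on the aud claim, as an added Python example that is not part of the answer above: it decodes a constructed, unsigned sample token (the same view jwt.io gives) and applies the RFC 7519 aud rule, accepting aud as either a string or an array. All issuer and API names are hypothetical.

```python
import base64
import json

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def decode_payload(token: str) -> dict:
    """Return the claims of a compact JWS without checking its signature.
    Inspection only (what jwt.io shows); a real middleware verifies the
    signature first and only then evaluates claims such as aud."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def audience_accepts(claims: dict, api_name: str) -> bool:
    """RFC 7519 aud rule as applied to an access token: aud may be a single
    string or an array, and this API's name must appear in it. A token with
    no aud at all is rejected as well (audience validation is on by default)."""
    aud = claims.get("aud")
    if isinstance(aud, str):
        return aud == api_name
    if isinstance(aud, list):
        return api_name in aud
    return False

def explain(token: str, api_name: str) -> str:
    """Reproduce the middleware's verdict together with the reason, for troubleshooting."""
    claims = decode_payload(token)
    if audience_accepts(claims, api_name):
        return f"ok: '{api_name}' is in aud={claims['aud']!r}"
    return f"invalid_token: aud={claims.get('aud')!r} does not name '{api_name}'"

def make_sample_token(claims: dict) -> str:
    """Constructed, UNSIGNED sample for this demo: the signature segment is a
    placeholder, so the token is only good for inspecting its payload."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "at+jwt"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"

if __name__ == "__main__":
    # The client requested Scope = { "api1" }, so the issuer put "api1" into aud.
    token = make_sample_token({"iss": "https://idp.example", "aud": ["api1"], "scope": ["api1"]})
    print(explain(token, "api1"))   # accepted
    print(explain(token, "MyApi"))  # the "The audience is invalid" case
```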

In your app configuration file, in the AD configuration section, add an "Audience" line:

"AzureAd": {
  "Instance": "https://login.microsoftonline.com/",
  "ClientId": "<-- Enter the Client Id -->",
  "Audience": "<-- Enter the Client Id -->",
  "TenantId": "<-- Enter the tenantId here -->"
}

In my case "ClientId" & "Audience" were the same.

P.S.: And if after that you see

IDW10201: Neither scope or roles claim was found in the bearer token

add another line to the AD configuration:

"AllowWebApiToBeAuthorizedByACL": true

More here


To avoid the error, the audience should be consistently added in 4 places:

  1. In my (e.g. MVC) client as a custom Scope.
  2. In the API application as ApiName.
  3. In the IdentityServer Clients configuration as an AllowedScope.
  4. In the API Resources configuration as an ApiResource.

See details (previously available in the IdentityServer4 wiki):

When configuring a new API connection in IdentityServer4, you can get an error:

WWW-Authenticate: Bearer error="invalid_token", 
error_description="The audience is invalid"

To avoid the error, the audience should be consistently added in 4 places:

  1. In my (e.g. MVC) client as a custom Scope:
app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
{
  Authority = Configuration["IdpAuthorityAddress"],
  ClientId = "my_web_ui_id",
  Scope = { "openid", "profile", "offline_access", "MyApi" },

  //other properties removed for brevity...
});
  2. In the API application as ApiName:
//Microsoft.AspNetCore.Builder.IdentityServerAuthenticationOptions
var identityServerAuthenticationOptions = new IdentityServerAuthenticationOptions()
{
  Authority = Configuration["Authentication:IdentityServer:Authority"],
  RequireHttpsMetadata = false,
  EnableCaching = false,
  ApiName = "MyApi",          // must match the aud value in the access token
  ApiSecret = "MyApiSecret"
};
  3. In IdentityServer \IdentityServerHost\Configuration\Clients.cs (or the corresponding Clients entry in the database):
var client = new Client
{
  ClientId = clientId,
  //other properties removed for brevity...
  AllowedScopes =
  {
    IdentityServerConstants.StandardScopes.OpenId,
    IdentityServerConstants.StandardScopes.Profile,
    //IdentityServerConstants.StandardScopes.Email,
    IdentityServerConstants.StandardScopes.OfflineAccess,
    "MyApi",
  },
};
  4. In IdentityServer \IdentityServerHost\Configuration\Resources.cs (or the corresponding ApiResource entry in the database) as apiResource.Scopes:
var apiResource = new ApiResource
{
  Name = "MyApi",
  ApiSecrets =
  {
    new Secret("MyApiSecret".Sha256())
  },
  UserClaims =
  {
    JwtClaimTypes.Name,
    JwtClaimTypes.Profile,
  },
};