![\"\"](\"\/wp-content\/uploads\/2019\/08\/obo2.png\")
<\/p>\n
- \n
- A client application (could be a SPA app, a front-end Web Application, or a native application) signs a user into Azure AD and request a delegated access token for Web API 1<\/li>\n
- Client application then calls Web API 1 with the issued access token<\/li>\n
- Web API 1 in turn needs to call a downstream Web API 2 so it uses its access token (in step 2 above) to request an access token for Web API 2. What happens in this step is that Web API 1 uses the OBO flow to exchange its access token for another resource’s access token. The exchanged token is still issued on behalf of the original sign in user and it has delegated permission.<\/li>\n
- Web API 1 uses the new access token to call Web API 2<\/li>\n<\/ol>\n
Let’s look at the parameters used in an OBO flow at the V1 endpoint below. I want to call out a few highlighted<\/span> parameters as their significance will become more obvious a little bit later.<\/p>\n
assertion:<\/strong>
\n<\/span>this is the access token issued in step 2 above<\/p>\nclient_id:<\/strong>
\n<\/span>application id of Web API 1<\/p>\nResource:<\/strong>
\n<\/span>this is Application ID URI or Application ID of Web API 2<\/p>\n![\"\"](\"\/wp-content\/uploads\/2019\/08\/080419_0256_Understandi2.png\")
<\/p>\nLet’s look at an OBO end to end traffic in Fiddler<\/a>:<\/p>\n
Frame 1 \u2013 14 below shows the user navigates to the web site and is redirected to Azure AD to log in. Frame 15 is the request to the token endpoint to get an access token for Web API 1<\/p>\n
Hover over image to enlarge<\/em><\/span><\/p>\n
![\"\"](\"\/wp-content\/uploads\/2019\/08\/080419_0256_Understandi3.png\")
<\/div>\nIn this example Web API 2 is Microsoft Graph. In frame 19 below Web API 1 uses an OBO flow to request a token for Microsoft Graph. It uses the access token received in frame 15 as the assertion parameter.<\/p>\n
Hover over image to enlarge<\/span><\/em><\/p>\n
![\"\"](\"\/wp-content\/uploads\/2019\/08\/080419_0256_Understandi4.png\")
<\/div>\nIt is extremely important to use the correct parameter in the OBO flow. Note that the OBO parameters client_id <\/strong><\/span>and the assertion<\/strong><\/span> (access token) are for the calling application (Web API 1) in this token exchange request.<\/p>\n
Common pitfall customers run into when using the OBO flow<\/h1>\n
I have seen a few AADSTS error returned for this flow when either the client_id <\/strong><\/span>or the assertion<\/strong><\/span> parameters used are not for the calling application (Web API 1). Below are a few examples:<\/p>\n
HTTP 400 error: AADSTS500131: Assertion audience does not match the Client app presenting the assertion. The audience in the assertion was ‘00000002-0000-0000-c000-000000000000’ and the expected audience is \u2026<\/strong><\/span><\/p>\n
Root cause: The access token used in the assertion is for a different application \/ resource instead of for the calling app Web API 1. The GUID in this error is an Azure AD Graph resource.
\n<\/em><\/span><\/p>\nHTTP 400 error: AADSTS50013: Assertion failed signature validation. [Reason – The provided signature value did not match the expected signature value., Thumbprint of key used by client:\u2026<\/strong><\/span><\/p>\n
Root cause: The access token used in the assertion is for Microsoft Graph resource (https:\/\/graph.microsoft.com<\/a>)
\n<\/em><\/span><\/p>\nHTTP 400 error: AADSTS50013: Assertion failed signature validation. [Reason – The key was not found., Thumbprint of key used by client: ‘B25930C…..<\/span><\/strong>
\nRoot cause: Web API 1 is a SAML Application (check the Enterprise Application blade to see if Single sign-on is enabled and there is a SAML signing Certificate attached)<\/span>.<\/em><\/span><\/p>\nHTTP 500 error: AADSTS50000: There was an error issuing a token.<\/strong><\/span><\/p>\n
Root cause: the client id used is either not valid or does not exist in the tenant.
\n<\/em><\/span><\/p>\nHow can I diagnose this issue?<\/h1>\n
- \n
- Take a Fiddler trace<\/a> to see what the parameters used are.<\/li>\n
- \n
Use https:\/\/jwt.ms<\/a> to decode the access token assertion and look at the “aud” (audience) claim to see if it’s for the calling web API 1<\/div>\n![\"\"](\"\/wp-content\/uploads\/2019\/08\/080419_0256_Understandi5.png\")
<\/li>\n<\/ul>\nWhat if my Web API 2 is SAML Application?<\/h1>\n
If the downstream API App can only consume SAML token (instead of jwt token), you can certainly use the OBO flow to exchange a JWT token for the SAML token using the following parameters (see https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/develop\/v1-oauth2-on-behalf-of-flow<\/a> for more info). The key is in the parameter requested_token_type<\/strong>. The allowed values are<\/p>\n
urn:ietf:params:oauth:token-type:saml2 <\/strong>\u2013 SAML 2.0 token
\n<\/strong><\/span><\/p>\nurn:ietf:params:oauth:token-type:saml1 <\/strong>\u2013 SAML 1.1 token
\n<\/span><\/p>\nNote:<\/strong>
\nAt the time of this writing, this JWT \u2013 SAML token exchange OBO flow is only available in the V1 endpoint.<\/span><\/span>
\n<\/span><\/p>\n![\"\"](\"\/wp-content\/uploads\/2019\/08\/080419_0256_Understandi6.png\")
<\/p>\nNote<\/strong>: Azure AD returns the SAML token encoded in UTF8 and Base64URL as noted in the documentation<\/a><\/p>\n
What about Azure AD B2C?<\/h1>\n
- \n
- Take a Fiddler trace<\/a> to see what the parameters used are.<\/li>\n
![\"\"](\"\/wp-content\/uploads\/2019\/08\/080419_0256_Understandi7.png\")
<\/p>\n