The Daily Parker


Quick note on debugging client authentication in .NET Core 6

I've spent about four hours doing a shit ton of A-B tests and a lot of Internet searching to figure out why I kept getting a specific error.

The app is a .NET Core 6 WebAssembly, and the app registration is set for "any organization," meaning anyone with a Microsoft ID (work, school, or Xbox) can authenticate with the app.

The error began when I added a client certificate. The relevant section of the appSettings.config file looks like this:

{
	"AzureAD": {
		"Instance": "https://logon.microsoftonline.com",
		"Domain": "ourdomain.onmicrosoft.com",
		"ClientId": "our client ID",
		"TenantId": "organizations",
		"CallbackPath": "/signin-oidc",
		"SignedOutCallbackPath": "/signout-oidc",
		"ClientCapabilities": [ "cp1" ],
		"ClientCertificates": [
			{
				"SourceType": "KeyVault",
				"KeyVaultUrl": "https://our-key-vault.vault.azure.net/",
				"KeyVaultCertificateName": "our-certificate-name"
			}
		]
	}
}

So far, all good. Except when I tested the code, I got this:

{
	"error": {
		"code": "Unauthorized",
		"message": "AKV10032: Invalid issuer. Expected one of https://sts.windows.net/tenant1guid/, https://sts.windows.net/tenant2guid, found https://sts.windows.net/tenant3guid"
	}
}

Our Key Vault lives in tenant1, and also has access to tenant2, but tenant3 is my login ID from my company's AD tenant.

Let me skip to the end, because I'd like to finish this fix today.

The solution was to go into launchSettings.json and add this, setting the AZURE_TENANT_ID environment variable in the app's launch profile:

{
	"profiles": {
		"App Name": {
			"commandName": "Project",
			"environmentVariables": {
				"AZURE_TENANT_ID": "tenant1guid"
			}
		}
	}
}

Boom. Done. And if I ever need this information again, or anyone else does, I hope they find this blog entry.
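As an added example that is not part of the original post or of the app it describes, the C# diagnostic below shows why pinning the tenant clears the AKV10032 issuer error. Azure.Identity's DefaultAzureCredential honours AZURE_TENANT_ID, so the code pins it, requests a Key Vault token, decodes the token's tid claim (without validating it; that is the vault's job) to see which tenant actually issued it, and only then fetches the certificate. The vault URL, certificate name and tenant GUID are the post's placeholders; it assumes the Azure.Identity and Azure.Security.KeyVault.Certificates packages are referenced.

```csharp
using System;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Certificates;

// Added diagnostic, not code from the original post. Values below are placeholders.
static class KeyVaultTenantCheck
{
    // Tenant the vault trusts (the post's "tenant1guid"); the other values mirror appSettings.
    const string VaultTenantId = "tenant1guid";
    const string VaultUrl = "https://our-key-vault.vault.azure.net/";
    const string CertName = "our-certificate-name";

    public static async Task Main()
    {
        // Pin the tenant explicitly so the credential chain cannot fall back to the
        // developer's home tenant (the "found https://sts.windows.net/tenant3guid" case).
        var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions
        {
            TenantId = Environment.GetEnvironmentVariable("AZURE_TENANT_ID") ?? VaultTenantId,
        });

        // Request a Key Vault token up front and inspect its issuing tenant before
        // calling the vault, so a mismatch is reported locally with a clear message.
        AccessToken token = await credential.GetTokenAsync(
            new TokenRequestContext(new[] { "https://vault.azure.net/.default" }), default);
        string issuerTenant = TenantFromToken(token.Token);
        Console.WriteLine($"Token issued by tenant {issuerTenant}");

        if (!string.Equals(issuerTenant, VaultTenantId, StringComparison.OrdinalIgnoreCase))
        {
            throw new InvalidOperationException(
                $"Credential resolved to tenant {issuerTenant}, but the vault trusts {VaultTenantId}; " +
                "set AZURE_TENANT_ID to the vault's tenant.");
        }

        // Same tenant on both sides: fetching the certificate will pass the vault's issuer check.
        var client = new CertificateClient(new Uri(VaultUrl), credential);
        KeyVaultCertificateWithPolicy cert = await client.GetCertificateAsync(CertName);
        Console.WriteLine(
            $"Loaded certificate {cert.Name}, thumbprint {Convert.ToHexString(cert.Properties.X509Thumbprint)}");
    }

    // Read the "tid" claim out of a JWT payload. This deliberately does NOT validate the
    // signature: it is a local diagnostic of which tenant issued the token, nothing more.
    public static string TenantFromToken(string jwt)
    {
        string payload = jwt.Split('.')[1].Replace('-', '+').Replace('_', '/');
        payload = payload.PadRight(payload.Length + (4 - payload.Length % 4) % 4, '=');
        using JsonDocument doc = JsonDocument.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(payload)));
        return doc.RootElement.GetProperty("tid").GetString() ?? string.Empty;
    }
}
```

Run it once with AZURE_TENANT_ID unset and once with it set to the vault's tenant: the first run reports the tenant your local developer credential belongs to, which is exactly the "found" issuer in the AKV10032 message, and the second run goes on to load the certificate. In a deployed environment the same pin belongs in the app's configuration, not in launchSettings.json, which only applies to local runs.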
