TokenValidationException - exchanging user identity token with appid for user id

This is not my first addin and I have got this to work on a few occasions previously. However in my latest addin I am getting the following exception reported:

TokenValidationException: Blackbaud.Addin.TokenAuthentication.Exceptions.InvalidTokenApplicationException: IDX10214: Audience validation failed. Audiences: '442215d6-66f8-431f-9bdd-3f16ed1c51dc'. Did not match: validationParameters.ValidAudience: 'cc7f93b1-db28-<removed>' or validationParameters.ValidAudiences: 'null'.
at Blackbaud.Addin.TokenAuthentication.UserIdentityToken.ValidateTokenAsync(String token, Guid applicationId)
at Blackbaud.Addin.TokenAuthentication.UserIdentityToken.ParseAsync(String token, Guid applicationId)

This should be a really straight forward operation. In the angular code we get the raw token using:

client.getUserIdentityToken()

Then this is sent through to the server where it is exchanged with the appId using:

UserIdentityToken uit = await UserIdentityToken.ParseAsync(rawToken, applicationId);

However, after that line I get the exception above. I am uncertain what the reference to audiences is and do not recognise the one starting 442215. I recognise my app id starting cc7f.

Anybody have any insight?

Thanks

Comments

  • @David Zeidman
    I will continue to take a look but at first glance it appears the application starting with 44221* (D Test App) does belong to you.

  • @Daniel Leonard OK, I will take a look too. Does that mean the 44221 is coming from the addin though as when I output the app id that I am using in the code it is showing the cc7f one.

  • @Daniel Leonard Yes, you are correct. I have found that app. The addin on that one also points to localhost:4200 but with a different path than the one I was working with. I changed it to localhostXXX:4200 but that still seemed to affect my other tile. I have now removed it and that seems to have done the trick.

    I am not sure what is going on or if there are issues when you point different addins to the same location i.e. localhost but that seems to have been the case here.

  • @David Zeidman
    Looking at the logs everything seemed OK on our side. When we validate the raw token, we check that the audience is for the application. In this case, the raw token appears to have been for the other application and failed. You should be able to verify what is in the JWT by decoding it.

    Is there any other information you could provide that might point me in the right direction, if you still feel there is an issue on our side.
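    Decoding the raw token to inspect its audience, as the reply above suggests, as an added example that is not part of the original thread or of the Blackbaud SDK. It assumes Node.js, a constructed unsigned sample token with a placeholder `aud` value, and that signature verification is still left to `UserIdentityToken.ParseAsync` on the server; this only reads the payload to see which application id the token was issued for.

```javascript
// Added example (not from the original post or Blackbaud's SDK): read the payload
// of a raw user identity token (a JWT) WITHOUT verifying its signature, purely to
// see which application id is in the 'aud' claim when IDX10214 is reported.
// Real validation still belongs to UserIdentityToken.ParseAsync on the server.

function base64UrlDecode(segment) {
  // JWT segments are base64url (RFC 4648 s5) without padding; convert to plain base64.
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function decodeJwtPayload(rawToken) {
  const parts = rawToken.split('.');
  if (parts.length !== 3) {
    throw new Error(`expected 3 JWT segments, got ${parts.length}`);
  }
  return JSON.parse(base64UrlDecode(parts[1]));
}

// True when the token's aud claim (a string or an array of strings) contains the
// application id the server will validate against, compared case-insensitively.
function audienceMatches(rawToken, expectedAppId) {
  const { aud } = decodeJwtPayload(rawToken);
  const audiences = Array.isArray(aud) ? aud : [aud];
  return audiences.some(
    (a) => typeof a === 'string' && a.toLowerCase() === expectedAppId.toLowerCase()
  );
}

// Constructed sample token (NOT a real Blackbaud token): header, payload with a
// placeholder aud for "the other app", and a dummy signature segment.
function base64UrlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
const OTHER_APP_ID = '00000000-0000-0000-0000-00000000aaaa'; // placeholder
const MY_APP_ID = '00000000-0000-0000-0000-00000000bbbb';    // placeholder
const SAMPLE_TOKEN = [
  base64UrlEncode({ alg: 'RS256', typ: 'JWT' }),
  base64UrlEncode({ aud: OTHER_APP_ID, sub: 'user-1' }),
  'dummy-signature',
].join('.');

console.log('token aud:', decodeJwtPayload(SAMPLE_TOKEN).aud);
console.log('matches my app id:', audienceMatches(SAMPLE_TOKEN, MY_APP_ID)); // false
```

    If the printed `aud` is an application id you did not expect, the client that issued the token was registered to that other application, which is the situation described in this thread.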

  • @Daniel Leonard Thanks for taking a look. I am not entirely sure if there are still issues or not. It is working for us now that we removed all the other addins that were pointing to localhost. (These were all test or in development addins so it was never really a problem).

    Thanks for your help and I will let you know if we have any problems in the future.
