
aud in JWT token payload is not client id

Open mlynch opened this issue 3 years ago • 2 comments

Describe the bug

When requesting a token, the aud field is coming back as "https://graph.microsoft.com" instead of the client id.

Smartphone (please complete the following information):

  • Device: Pixel 2 API 28 (emulator)
  • Android Version: Android 9
  • MSAL Version: 2.0.12

To Reproduce

Acquire a token as follows:

    import java.util.Arrays;
    import com.microsoft.identity.client.AcquireTokenParameters;

    // scopes (e.g. Graph scopes such as "User.Read"), callback (an AuthenticationCallback),
    // fromActivity and loginHint are set up elsewhere in the app.
    AcquireTokenParameters params = new AcquireTokenParameters.Builder()
      .withScopes(Arrays.asList(scopes))
      .withCallback(callback)                         // onSuccess receives the IAuthenticationResult
      .startAuthorizationFromActivity(fromActivity)
      .withLoginHint(loginHint)
      .build();

    // mMsalClientApplication is the IPublicClientApplication created at startup
    mMsalClientApplication.acquireToken(params);

When the result.getAccessToken() is returned in the onSuccess of the AuthenticationCallback, the aud field is set to https://graph.microsoft.com even though the result.getAccount().getClaims() aud field is correctly set to the client id.

The aud should be set to the client id according to https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens#payload-claims

Expected behavior

aud field in JWT payload is set to client id

Actual Behavior

aud field in JWT payload is set to https://graph.microsoft.com/

mlynch avatar Jan 18 '22 18:01 mlynch

Curious if anyone has any ideas why we can't get the aud field to match the client id here. We're really struggling to figure this out.

mlynch avatar Feb 21 '22 15:02 mlynch

It seems like we're getting a token with ver 1.0 rather than 2.0. How can we make sure we get a 2.0 token using this API?

mlynch avatar Feb 21 '22 20:02 mlynch
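The two observations above (an access token whose aud is https://graph.microsoft.com, and account claims whose aud is the client id) describe two different tokens with two different intended audiences. The following Python is an added example and is not code from this issue or from MSAL: it builds constructed, unsigned tokens with the claim values the reporter describes, decodes their payloads without signature verification, and applies the check a client application should make. A token is compared against the client id only when the client is its intended audience (the ID token); a token addressed to another resource such as Graph is forwarded as an opaque bearer token and validated by that resource, not by the client. The client id, the helper names and the token contents are placeholders.

```python
import base64
import json

# Constructed placeholder values for this example (not from the issue).
CLIENT_ID = "11111111-2222-3333-4444-555555555555"   # placeholder app (client) id
GRAPH_RESOURCE = "https://graph.microsoft.com"       # aud seen in the reporter's access token


def _b64url(data: bytes) -> str:
    """base64url without padding, as used in compact JWS segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_jwt(payload: dict) -> str:
    """Build a constructed token with an empty signature segment.
    Only for producing test inputs here; real Azure AD tokens are signed."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    return f"{header}.{body}."


def decode_payload_unverified(token: str) -> dict:
    """Return the payload claims without verifying the signature.
    Enough to see which aud/ver a token carries; not a basis for trusting it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    body = parts[1] + "=" * (-len(parts[1]) % 4)  # restore the stripped padding
    return json.loads(base64.urlsafe_b64decode(body))


def audience_matches(claims: dict, expected: str) -> bool:
    """aud may be a single string or a list; exact comparison, no normalisation,
    so "https://graph.microsoft.com/" and "https://graph.microsoft.com" differ."""
    aud = claims.get("aud")
    if isinstance(aud, list):
        return expected in aud
    return aud == expected


def token_version(token: str) -> str:
    """The ver claim: "1.0" for v1.0 tokens (URI-style aud for Graph), "2.0" for v2.0."""
    return str(decode_payload_unverified(token).get("ver", "unknown"))


def token_role(token: str, client_id: str) -> str:
    """How a client app should treat a token MSAL handed back:
    'client'   - aud is our client id: addressed to us (the ID token); verify
                 signature, issuer and aud before relying on its claims.
    'resource' - aud is another resource (here Graph): forward it as an opaque
                 bearer token; that resource validates it, the client does not."""
    claims = decode_payload_unverified(token)
    return "client" if audience_matches(claims, client_id) else "resource"


if __name__ == "__main__":
    # Constructed samples mirroring the issue: a Graph access token (ver 1.0)
    # and the account's ID-token claims with aud equal to the client id.
    access_token = make_unsigned_jwt({"aud": GRAPH_RESOURCE, "ver": "1.0", "scp": "User.Read"})
    id_token = make_unsigned_jwt({"aud": CLIENT_ID, "ver": "2.0"})
    for name, tok in (("access token", access_token), ("ID token", id_token)):
        claims = decode_payload_unverified(tok)
        print(f"{name}: aud={claims['aud']} ver={token_version(tok)} "
              f"role={token_role(tok, CLIENT_ID)}")
```

The access token MSAL returns for Graph scopes is addressed to Graph, so its aud naming Graph is the expected result rather than a defect; the aud equal to the client id that the reporter sees in getAccount().getClaims() comes from the ID token, which is the token the client is meant to validate. Whether the access token is issued as v1.0 (URI-style aud) or v2.0 is decided by the resource's own app registration (its accessTokenAcceptedVersion setting), not by anything the client passes to acquireToken.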

@mlynch Make sure that the "aud" field in your Azure AD application registration matches the client ID you're using in your code. You can find this field in the "Manifest" section of your application registration.

Double-check that the scopes you're requesting in your token acquisition match the permissions you've granted in your Azure AD application registration. If the scopes don't match, you may receive a token with a different audience than you expect.

negoe avatar Apr 14 '23 21:04 negoe