"JWT token is invalid" when trying to get authorization headers for WAAD graph query

  • Question

  • So I'm trying to write an application that uses WAAD for authentication and authorization. The authentication part works OK (regardless of some challenges), but I'm having trouble with the Graph API for authorization.

    I've read a number of tutorials and examples regarding Graph API usage, but given that there are quite a few moving parts involved, odds are that I got something wrong. Nevertheless, when I try to request a token with AuthenticationContext.AcquireToken, I end up with the following error message:

    AAL 0x80100018: Token request from ACS failed. Check ServiceErrorMessage property for service message

    And the inner exception message says this:

    ACS50027: JWT token is invalid. 
    Trace ID: 4de99def-7478-4f88-96ef-e949a1a6c8fe
    Timestamp: 2012-11-20 06:50:45Z

    Now, it's nearly impossible to make anything from that error message. But it does occur to me that the WAAD tenant and ACS tenant don't know anything about each other, unless there's some implicit link between the two. None of the tutorials or examples I've read seem to say anything about configuring them, though, so I'm a bit at a loss here.

    Tuesday, November 20, 2012 6:58 AM


  • Never mind. After distancing myself from this problem for a while, I realized that I don't want to involve ACS here at all -- what I want to do is create the Symmetric Key using the MSOL commandlets (New-MsolServicePrincipalCredential). That, or set up WAAD as an Identity Provider in ACS and configure my app to only talk to ACS. But the first option is preferable here. :)
    Tuesday, November 20, 2012 1:37 PM