Extending the scope of the sample:

- Accepting both the ClientId or the App ID URI of the service as audiences
- Accepting both Azure AD V1 and Azure AD V2 issuers as issuers for the token (See #
- for this adding an ida:ClientId setting in the Web.Config
- Updating the readme accordinly
- updating the app.json / Configure.ps1 script accordinly.

Author: jmprieur

AppCreationScripts/Configure.ps1

@@ -198,6 +198,7 @@ Function ConfigureApplications
    Write-Host "Updating the sample code ($configFile)"
    ReplaceSetting -configFilePath $configFile -key "ida:Tenant" -newValue $tenantName
    ReplaceSetting -configFilePath $configFile -key "ida:Audience" -newValue $serviceAadApplication.IdentifierUris
+   ReplaceSetting -configFilePath $configFile -key "ida:ClientId" -newValue $serviceAadApplication.AppId
 
    # Update config file for 'client'
    $configFile = $pwd.Path + "\..\TodoListClient\App.Config"

AppCreationScripts/apps.json

@@ -41,6 +41,10 @@
         {
           "key": "ida:Audience",
           "value": "service.IdentifierUris"
+        },
+        {
+          "key": "ida:ClientId",
+          "value": "service.AppId"
         }
       ]
     },

README.md

@@ -7,10 +7,10 @@ client: .NET Framework 4.5 WPF
 service: .NET Framework 4.5 Web Api
 endpoint: AAD V1
 ---
-![Build badge](https://identitydivision.visualstudio.com/_apis/public/build/definitions/a7934fdd-dcde-4492-a406-7fad6ac00e17/18/badge)
-
 # Manually validating a JWT access token in a web API
 
+![Build badge](https://identitydivision.visualstudio.com/_apis/public/build/definitions/a7934fdd-dcde-4492-a406-7fad6ac00e17/18/badge)
+
 ## About this sample
 
 This sample demonstrates how to manually process a JWT access token in a web API using the JSON Web Token Handler For the Microsoft .Net Framework 4.5.  This sample is equivalent to the [NativeClient-DotNet](https://github.com/Azure-Samples/active-directory-dotnet-native-desktop) sample, except that, in the ``TodoListService``, instead of using OWIN middleware to process the token, the token is processed manually in application code.  The client, which demonstrates how to acquire a token for this protected API, is unchanged from the [NativeClient-DotNet](https://github.com/Azure-Samples/active-directory-dotnet-native-desktop) sample.
@@ -96,12 +96,13 @@ here are two projects in this sample. Each needs to be separately registered in
 2. Open the `web.config` file.
 3. Find the app key `ida:Tenant` and replace the value with your AAD tenant name.
 4. Find the app key `ida:Audience` and replace the value with the App ID URI you registered earlier, for example `https://<your_tenant_name>/TodoListService-ManualJwt`.
+5. Find the app key `ida:ClientId` and replace the value with the **Application ID** (also named Clientid) you copied earlier to the clipboard for this service application.
 
 #### Configure the TodoListClient project
 
 1. Open `app.config`.
 2. Find the app key `ida:Tenant` and replace the value with your AAD tenant name.
-3. Find the app key `ida:ClientId` and replace the value with the Client ID for the TodoListClient from the Azure portal.
+3. Find the app key `ida:ClientId` and replace the value with the Application ID (also named) Client ID for the TodoListClient from the Azure portal.
 4. Find the app key `ida:RedirectUri` and replace the value with the Redirect URI for the TodoListClient from the Azure portal, for example `https://TodoListClient`.
 5. Find the app key `todo:TodoListResourceId` and replace the value with the App ID URI of the TodoListService-ManualJwt project, for example `https://<your_tenant_name>/TodoListService-ManualJwt`
 6. Find the app key `todo:TodoListBaseAddress` and replace the value with the base address of the TodoListService-ManualJwt project, for example `https://localhost:44324`.

TodoListService-ManualJwt/Global.asax.cs

@@ -66,6 +66,7 @@ internal class TokenValidationHandler : DelegatingHandler
         static string aadInstance = ConfigurationManager.AppSettings["ida:AADInstance"];
         static string tenant = ConfigurationManager.AppSettings["ida:Tenant"];
         static string audience = ConfigurationManager.AppSettings["ida:Audience"];
+        static string audience = ConfigurationManager.AppSettings["ida:AppId"];
         string authority = String.Format(CultureInfo.InvariantCulture, aadInstance, tenant);
 
         static string _issuer = string.Empty;
@@ -124,8 +125,11 @@ protected async override Task<HttpResponseMessage> SendAsync(HttpRequestMessage
 
             TokenValidationParameters validationParameters = new TokenValidationParameters
             {
-                ValidAudience = audience,
-                ValidIssuer = issuer,
+                // We accept both the App Id URI and the AppId of this service application
+                ValidAudiences = new[] { audience, appId },
+
+                // Supports both the Azure AD V1 and V2 endpoint
+                ValidIssuers = new [] { issuer, $"{issuer}/v2.0" },
                 IssuerSigningTokens = signingTokens,
                 CertificateValidator = X509CertificateValidator.None // Certificate validation does not make sense since AAD's metadata document is signed with a self-signed certificate.
             };

TodoListService-ManualJwt/Web.config

@@ -9,6 +9,7 @@
     <add key="webpages:Enabled" value="false" />
     <add key="ClientValidationEnabled" value="true" />
     <add key="UnobtrusiveJavaScriptEnabled" value="true" />
+    <add key="ida:ClientId" value="[Enter the Application Id (also named ClientId) for the application]" />
     <add key="ida:Tenant" value="[Enter tenant name, e.g. contoso.onmicrosoft.com]" />
     <add key="ida:Audience" value="[Enter App ID URI of TodoListService-ManualJwt, e.g. https://skwantoso.com/TodoListService-ManualJwt]" />
     <add key="ida:AADInstance" value="https://login.microsoftonline.com/{0}" />