Audience URI validation failed. Audience does not

Published 2019-08-08 18:13

Question:

We want to validate the JWT token acquired using office.js Office.context.mailbox.getUserIdentityTokenAsync. We have implemented our own JwtSecurityTokenHandler so that we can get the unique ID of the user and add it as a claim to the request, so we could authorize the user in all our functions.

But we are not able to authenticate the JWT token. It is throwing the following InvalidAudienceUri exception. But when we decoded the token, the URI which is used to generate the token is being generated dynamically with an et query string. This et query string is injected dynamically by office.js.

Exception:

Microsoft.Exchange.WebServices.Auth.Validation.InvalidTokenAudienceException was unhandled by user code
  HResult=-2146233088
  Message=Audience URI validation failed. Audience does not match.
  Source=Microsoft.Exchange.WebServices.Auth
  StackTrace:
       at Microsoft.Exchange.WebServices.Auth.Validation.AppIdentityToken.ProcessToken(Uri extensionServiceHost, String key) in \\REDMOND\EXCHANGE\BUILD\E15\15.00.0913.000\SOURCES\sources\dev\EwsManagedApi\src\Auth\Validation\ClientExtensionIdentityToken.cs:line 220
       at Microsoft.Exchange.WebServices.Auth.Validation.AppIdentityToken.Validate(Uri extensionServiceHost, String catchedKey) in \\REDMOND\EXCHANGE\BUILD\E15\15.00.0913.000\SOURCES\sources\dev\EwsManagedApi\src\Auth\Validation\ClientExtensionIdentityToken.cs:line 185
       at Microsoft.Exchange.WebServices.Auth.Validation.AppIdentityToken.Validate(Uri extensionServiceHost) in \\REDMOND\EXCHANGE\BUILD\E15\15.00.0913.000\SOURCES\sources\dev\EwsManagedApi\src\Auth\Validation\ClientExtensionIdentityToken.cs:line 155
       at UatWork.Web.CustomTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken) in C:\Users\vinay\Source\Workspaces\UatWork-O365\Development\UatWork\src\UatWork.Web\Startup.cs:line 176
       at Microsoft.AspNet.Authentication.JwtBearer.JwtBearerHandler.<HandleAuthenticateAsync>d__1.MoveNext()

Image: exception and custom handler

Solution 1 tried: We tried to override the ValidateAudience method. But at runtime this method is never executed.

Solution 2 tried: We tried to add an AudienceValidator as an option for the JWT token handler. Unfortunately this is also not being called.

Can anyone tell me on how to go about from here?

Thanks, Vinay TC

Answer 1:

If I understand the problem correctly (and maybe I don't), it sounds like you're saying the payload.aud property is changing each request?

For now, here's what I know of the hostUri used by the validation:

If the provided hostUri does not match the first instance of a <SourceLocation> element as defined in your manifest XML, the token.Validate() call will fail.

The token string in raw form is three base64-encoded objects separated by '.' characters.

  1. Header - JSON object string
  2. Payload - JSON object string
  3. Signature - hash of the header and payload sections using X509 cert on the exchange server.

If you do not know what your hostUri should be, inspect the raw token string and decode the Payload section (you may need to pad it out to a multiple of 4 in length by appending = chars).

Inspecting the payload JSON object, you will see a property named aud. The value of aud is the Uri you should be using for hostUri.


So, if you can capture the raw token, you could use the following JavaScript to get the required hostUri:

var rawTokenString = "..."; // insert the actual raw token string!
var rawPayload = rawTokenString.split('.')[1];
// JWT segments are base64url encoded: restore the standard alphabet before atob()
rawPayload = rawPayload.replace(/-/g, '+').replace(/_/g, '/');
while (rawPayload.length % 4 != 0) {
    rawPayload += '=';
}
var payload = JSON.parse(atob(rawPayload));
console.info(payload.aud);

Hopefully that works...
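As an added example (not part of the original answer, and not Microsoft's validation code), the following Node.js script decodes a raw identity token with proper base64url handling and reports exactly how its aud claim differs from the host URI you pass to Validate(), so a query-string-only mismatch like the et parameter above is visible at a glance. The token, host names and claim values are constructed for illustration; the script inspects only and performs no signature or expiry verification.

```javascript
// Added example: decode an Exchange identity token and diff its "aud" claim
// against the host URI handed to token.Validate(). Inspection only: the
// signature is left opaque and nothing here verifies it or the expiry.

function base64UrlDecode(segment) {
  // JWT segments are base64url (- and _ instead of + and /) with the padding
  // stripped, so plain base64 decoding fails until both are restored.
  let s = segment.replace(/-/g, '+').replace(/_/g, '/');
  while (s.length % 4 !== 0) s += '=';
  return Buffer.from(s, 'base64').toString('utf8');
}

function base64UrlEncode(text) {
  return Buffer.from(text, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function decodeJwt(rawToken) {
  const parts = rawToken.split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  return {
    header: JSON.parse(base64UrlDecode(parts[0])),
    payload: JSON.parse(base64UrlDecode(parts[1])),
    signature: parts[2], // opaque here; verifying it needs the Exchange cert
  };
}

// Validate() needs an exact match, so show where aud and hostUri diverge:
// a differing query string alone (e.g. "?et=...") is enough to fail it.
function compareAudience(aud, expectedHostUri) {
  const a = new URL(aud);
  const e = new URL(expectedHostUri);
  return {
    exactMatch: aud === expectedHostUri,
    sameOriginAndPath: a.origin === e.origin && a.pathname === e.pathname,
    audQuery: a.search,
    expectedQuery: e.search,
  };
}

// Constructed sample: a hypothetical add-in host with an injected et query string.
const SAMPLE_AUD = 'https://addin.example.com/app/home.html?et=AbCd123';
function buildSampleToken() {
  const header = base64UrlEncode(JSON.stringify({ typ: 'JWT', alg: 'RS256' }));
  const payload = base64UrlEncode(JSON.stringify({ aud: SAMPLE_AUD, exp: 1565286000 }));
  return `${header}.${payload}.c2lnbmF0dXJlLXBsYWNlaG9sZGVy`; // fake signature segment
}

console.log(compareAudience(decodeJwt(buildSampleToken()).payload.aud,
                            'https://addin.example.com/app/home.html'));
```

Replace buildSampleToken() with the raw string returned by getUserIdentityTokenAsync to inspect a real token; the printed report tells you whether the first SourceLocation in your manifest, or only its query string, is what disagrees with aud.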

Inside the Identity Token