OIDC Token Exchange Flow with Azure as upstream idp

[aengelh]

Hi there. I want to implement the token exchange flow with Dex. I want to exchange an Azure token for a Dex token.

In Azure I have an app-registration with an api endpoint 'api://<client_id>'. I have configured the app registration to deliver OAuth 2.0 tokens.

When I do a curl like this, I get a token from Azure:
curl -X POST https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token -d client_id=<client_id> -d client_secret=<client_secret> -d grant_type=client_credentials -d scope="api://<client_id>/.default"

The fields aud (audience) and azp (authorized party) both contain the aforementioned client_id.

My Dex configuration contains the following connector:
`connectors:

• name: azure-entra-id
  type: oidc
  id: azure-entra-id
  config:
  issuer: https://login.microsoftonline.com/<tenant_id>/v2.0
  scopes:
  - openid
  - profile
  - groups
  - federated:id
  userNameKey: sub
  claimMappings:
  groups: roles
  getUserInfo: true`

Now when I want to perform the exchange via curl:
curl -u <id_staticClient>:<secret_staticClient> -X POST http://localhost:5556/dex/token -d grant_type=urn:ietf:params:oauth:grant-type:token-exchange -d subject_token="$TOKEN" -d subject_token_type=urn:ietf:params:oauth:token-type:access_token -d requested_token_type=urn:ietf:params:oauth:token-type:access_token -d connector_id="azure-entra-id"

I get the following error: {"error":"access_denied"}

And when I take a look into the Dex logs:
time="2025-XX-XXTXX:XX:XXZ" level=error msg="failed to verify subject token: oidc: error loading userinfo: 401 Unauthorized: {"error":{"code":"InvalidAuthenticationToken","message":"Access token validation failure. Invalid audience.","innerError":{"date":"2025-06-18T12:43:51","request-id":"<request_id>","client-request-id":"<client_request_id>"}}}"

Now my questions are:

• how do I have to configure my app registration in Azure and how do I have to retrieve a token so that the exchange via Dex will work? (as far as I know, the error message comes from Azure, not being able to validate the token that I obtained from Azure before)
• do I have to change something in my Dex configuration for this to work?
• am I doing anything wrong in my http requests via curl?

I did a lot of things on the Azure side trying to influence the token that I get, but without success...

Thank you for your help!

[cardoe]

Related to #4002