@@ -291,7 +291,28 @@ export function parseGraphResponse<T>(
291291
292292## Authentication Flow
293293
294- ### Azure AD Token Validation
294+ ### Azure AD App Registration
295+
296+ This API is called by the ** auditsphere-spfx** web part running in SharePoint Online. Authentication is handled via Azure AD.
297+
298+ ** Azure AD App:** Document Intelligence API
299+
300+ | Setting | Value |
301+ | ---------| -------|
302+ | Client ID | ` eca12ded-8416-41fd-ac0a-ffaccb1ecb04 ` |
303+ | Application ID URI | ` api://eca12ded-8416-41fd-ac0a-ffaccb1ecb04 ` |
304+ | Exposed Scope | ` access_as_user ` |
305+
306+ > ** Important:** The Application ID URI must use the ` api://{client-id} ` format. The API validates tokens against this format in ` src/trpc/init.ts ` .
307+
308+ ### Deployment Branches
309+
310+ | Branch | API URL | Purpose |
311+ | --------| ---------| ---------|
312+ | ` main ` | ` https://auditsphere-api.nubewired.com ` | All features |
313+ | ` access-review ` | ` https://auditsphere-api-access.nubewired.com ` | Access review only |
314+
315+ ### Token Validation
295316
296317```
297318βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
@@ -304,25 +325,43 @@ export function parseGraphResponse<T>(
304325β β Web Part βββββββββββ (tenant) β β
305326β βββββββββββββββ Token βββββββββββββββββββ β
306327β β
328+ β Token claims: β
329+ β - aud: "eca12ded-8416-41fd-ac0a-ffaccb1ecb04" (client ID) β
330+ β - scp: "access_as_user" β
331+ β - preferred_username: "user@tenant.com" β
332+ β β
307333β 2. SPFx sends token to API β
308334β βββββββββββββββ βββββββββββββββββββ β
309335β β SPFx ββββββββββΆβ AuditSphere β β
310336β β Web Part β Bearer β API β β
311337β βββββββββββββββ Token βββββββββββββββββββ β
312338β β
313- β 3. API validates token β
339+ β 3. API validates token (src/trpc/init.ts) β
314340β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
315341β β a. Fetch JWKS from Azure AD β β
316- β β b. Verify JWT signature β β
317- β β c. Check audience (client_id) β β
318- β β d. Check issuer (tenant) β β
319- β β e. Check expiration β β
320- β β f. Extract claims (userId, email, tenant) β β
342+ β β b. Verify JWT signature (RS256) β β
343+ β β c. Check audience β [CLIENT_ID, api://CLIENT_ID] β β
344+ β β d. Check issuer matches tenant β β
345+ β β e. Extract user email β find/create user in database β β
321346β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
322347β β
323348βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
324349```
325350
351+ ### Valid Audiences
352+
353+ The API accepts tokens with either audience format:
354+
355+ ``` typescript
356+ // src/trpc/init.ts
357+ const validAudiences = [
358+ process .env .MICROSOFT_CLIENT_ID , // eca12ded-8416-41fd-ac0a-ffaccb1ecb04
359+ ` api://${process .env .MICROSOFT_CLIENT_ID } ` , // api://eca12ded-8416-41fd-ac0a-ffaccb1ecb04
360+ ];
361+ ```
362+
363+ SPFx uses ` AadHttpClient.getClient(clientId) ` which results in tokens with the raw client ID as the audience.
364+
326365### Context Creation
327366
328367``` typescript
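Review bot: The rewritten validation list drops the old step "e. Check expiration" without replacement; if `exp` (and `nbf`) is still enforced by the JWT verification in `src/trpc/init.ts`, keep it in the diagram, and if it is not, that is a regression to fix rather than a documentation change. Two smaller points in the same region: the "Token claims" box lists `scp: "access_as_user"`, yet no step in the list checks the scope, so either add a step such as "check scp contains access_as_user" or note that scope is not enforced; and the new step "e. Extract user email → find/create user in database" implies the user record is keyed on `preferred_username`, which Azure AD documents as a mutable, non-unique claim, so the note should say the account is keyed on `oid` (or `sub`) with the email stored as a display attribute, and it should spell out that first-time callers are auto-provisioned, since that is a policy decision readers of this section will want to see.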