diff --git a/Microsoft.Identity.Web/Microsoft.Identity.Web.csproj b/Microsoft.Identity.Web/Microsoft.Identity.Web.csproj
index eb48a251..66ca3248 100644
--- a/Microsoft.Identity.Web/Microsoft.Identity.Web.csproj
+++ b/Microsoft.Identity.Web/Microsoft.Identity.Web.csproj
@@ -34,7 +34,7 @@
-
+
@@ -53,9 +53,9 @@
-
-
-
+
+
+
diff --git a/Microsoft.Identity.Web/TokenAcquisition.cs b/Microsoft.Identity.Web/TokenAcquisition.cs
index 9455cb0e..454e8260 100644
--- a/Microsoft.Identity.Web/TokenAcquisition.cs
+++ b/Microsoft.Identity.Web/TokenAcquisition.cs
@@ -264,6 +264,9 @@ private IConfidentialClientApplication BuildConfidentialClientApplication()
request.PathBase,
azureAdOptions.CallbackPath ?? string.Empty);
+ if (!applicationOptions.Instance.EndsWith("/"))
+ applicationOptions.Instance += "/";
+
string authority = $"{applicationOptions.Instance}{applicationOptions.TenantId}/";
var app = ConfidentialClientApplicationBuilder
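Review bot: The added `applicationOptions.Instance.EndsWith("/")` check is a culture-sensitive comparison and dereferences `Instance` without a null guard, so a missing `Instance` in configuration surfaces as a NullReferenceException rather than a clear error, and the trailing-slash test should be ordinal since this string is pasted straight into the authority URL on the next line. Suggest `if (!string.IsNullOrWhiteSpace(applicationOptions.Instance) && !applicationOptions.Instance.EndsWith("/", StringComparison.Ordinal))` (or throw an `InvalidOperationException` naming the missing setting), and consider `Trim()`-ing `Instance` first, as the Web API path does for `Authority`. The normalization also writes back into `applicationOptions`, which is presumably a shared options instance; that is idempotent here, but a comment such as `// normalize once; safe to repeat on every build` would make the intent clear. `BuildConfidentialClientApplication` starts before and continues past this hunk.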
diff --git a/Microsoft.Identity.Web/WebApiServiceCollectionExtensions.cs b/Microsoft.Identity.Web/WebApiServiceCollectionExtensions.cs
index 3bf10433..3fa38b82 100644
--- a/Microsoft.Identity.Web/WebApiServiceCollectionExtensions.cs
+++ b/Microsoft.Identity.Web/WebApiServiceCollectionExtensions.cs
@@ -53,13 +53,17 @@ public static IServiceCollection AddProtectedWebApi(
configuration.Bind(configSectionName, options);
// This is an Microsoft identity platform Web API
- options.Authority += "/v2.0";
+ var authority = options.Authority.Trim().TrimEnd('/');
+ if (!authority.EndsWith("v2.0"))
+ authority += "/v2.0";
+ options.Authority = authority;
- // The valid audiences are both the Client ID (options.Audience) and api://{ClientID}
- options.TokenValidationParameters.ValidAudiences = new string[]
- {
- options.Audience, $"api://{options.Audience}"
- };
+ // The valid audience could be given as Client Id or as Uri. If it does not start with 'api://', this variant is added to the list of valid audiences.
+ var validAudiences = new List { options.Audience };
+ if (!options.Audience.StartsWith("api://", StringComparison.OrdinalIgnoreCase))
+ validAudiences.Add($"api://{options.Audience}");
+
+ options.TokenValidationParameters.ValidAudiences = validAudiences;
// Instead of using the default validation (validating against a single tenant, as we do in line of business apps),
// we inject our own multi-tenant validation logic (which even accepts both v1.0 and v2.0 tokens)
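Review bot: `authority.EndsWith("v2.0")` is culture-sensitive and matches any value that merely ends in those characters, not specifically a `/v2.0` path segment; use `if (!authority.EndsWith("/v2.0", StringComparison.Ordinal))` so the check is ordinal and segment-aware, matching the `StringComparison.OrdinalIgnoreCase` already used for the `api://` test below. Both `options.Authority.Trim()` and `options.Audience.StartsWith(...)` throw NullReferenceException when the bound section lacks `Authority` or `Audience`, and since `Audience` feeds `ValidAudiences` it is worth failing loudly: `if (string.IsNullOrWhiteSpace(options.Audience)) throw new InvalidOperationException("Audience (ClientId) must be configured for token audience validation.");`. The `new List { options.Audience }` line appears to have lost its type argument in this rendering (presumably `List<string>`); confirm in the source. `AddProtectedWebApi` begins before and ends after this hunk.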
@@ -127,4 +131,4 @@ public static IServiceCollection AddProtectedApiCallsWebApis(
return services;
}
}
-}
\ No newline at end of file
+}