From 411eaf07e9a369ab8ba64d2e1825b9502b9cb9b7 Mon Sep 17 00:00:00 2001
From: Ryan Bolger
Date: Mon, 26 Aug 2024 23:02:21 -0700
Subject: [PATCH] Azure tweak, cred and cert auth flows use Resource Manager resource for token request.

---
 Posh-ACME/Plugins/Azure.ps1 | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/Posh-ACME/Plugins/Azure.ps1 b/Posh-ACME/Plugins/Azure.ps1
index 6c9f2816..ff102cf9 100644
--- a/Posh-ACME/Plugins/Azure.ps1
+++ b/Posh-ACME/Plugins/Azure.ps1
@@ -373,20 +373,16 @@ function ConvertFrom-AccessToken {
     # decode the claims
     $claims = $payload | ConvertFrom-Base64Url | ConvertFrom-Json -EA Stop
 
-    # make sure the audience claim is correct
-    if (-not $claims.aud -or $claims.aud -ne "$($script:AZEnvironment.ResourceManagerUrl)/") {
-        Write-Debug "`$claims.aud = $($claims.aud)"
-        throw "The provided access token has missing or incorrect audience claim. Expected: $($script:AZEnvironment.ResourceManagerUrl)/"
-    }
-
     # make sure the token hasn't expired
     $expires = [DateTimeOffset]::FromUnixTimeSeconds($claims.exp)
+    Write-Debug "Found exp '$($claims.exp)' in decoded access token"
     if ((Get-DateTimeOffsetNow) -gt $expires) {
         throw "The provided access token expired since $($expires.ToString('u'))"
     }
 
     # return an object that contains the 'expires_on' property along with the token
     # which is what we care about from the other normal logon methods
+    Write-Debug "Found tid '$($claims.tid)' in decoded access token"
     return [pscustomobject]@{
         expires_on = $claims.exp
         access_token = $AZAccessToken
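Review bot: Removing the audience check in ConvertFrom-AccessToken drops the only local validation that a user-supplied token was issued for the Resource Manager endpoint; a token minted for some other resource is now accepted here and only rejected later by the first DNS API call, with a less specific error and after the token has already been sent. If the motivation is that legitimate tokens carry the audience in more than one form (with or without the trailing slash, or the ManagementUrl variant the other two hunks move away from), the better fix is to accept the known variants rather than delete the check: `$validAud = @("$($script:AZEnvironment.ResourceManagerUrl)/", $script:AZEnvironment.ResourceManagerUrl, "$($script:AZEnvironment.ManagementUrl)/")` followed by `if (-not $claims.aud -or $claims.aud -notin $validAud) { throw "The provided access token has missing or incorrect audience claim." }`. Separately, `[DateTimeOffset]::FromUnixTimeSeconds($claims.exp)` is still evaluated when `exp` is absent, which yields an epoch-1970 value and a misleading "expired since" message; a guard `if (-not $claims.exp) { throw "The provided access token has no exp claim" }` before the conversion would make the failure explicit. The two added Write-Debug lines log only exp and tid, not the token itself, which is fine. ConvertFrom-AccessToken starts before and ends after this hunk.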
@@ -539,7 +535,7 @@ function Connect-AZTenant {
         Write-Verbose "Authenticating with password based credential"
         $clientId = [uri]::EscapeDataString($AZAppUsername)
         $clientSecret = [uri]::EscapeDataString($AZAppPasswordInsecure)
-        $resource = [uri]::EscapeDataString("$($script:AZEnvironment.ManagementUrl)/")
+        $resource = [uri]::EscapeDataString("$($script:AZEnvironment.ResourceManagerUrl)/")
         $authBody = "grant_type=client_credentials&client_id=$clientId&client_secret=$clientSecret&resource=$resource"
         try {
             $tokResponse = Invoke-RestMethod "$($script:AZEnvironment.ActiveDirectoryUrl)/$($AZTenantId)/oauth2/token" `
@@ -625,7 +621,7 @@ function Connect-AZTenant {
         Write-Verbose "Authenticating with certificate based credential"
         $clientId = [uri]::EscapeDataString($AZAppUsername)
         $assertType = [uri]::EscapeDataString('urn:ietf:params:oauth:client-assertion-type:jwt-bearer')
-        $resource = [uri]::EscapeDataString("$($script:AZEnvironment.ManagementUrl)/")
+        $resource = [uri]::EscapeDataString("$($script:AZEnvironment.ResourceManagerUrl)/")
 
         # build the JWT
         $jwtHead = @{
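Review bot: The switched `$resource` line in the password-credential branch (and the identical line in the certificate branch in the next hunk) carries no comment explaining why the Resource Manager URL is the required audience, so the next reader has no way to tell ManagementUrl apart from ResourceManagerUrl or to know that the token's `aud` must match what the DNS API calls and ConvertFrom-AccessToken expect; a one-line comment above each, `# request a token whose audience is the Resource Manager endpoint, which is what the DNS API calls are authorized against`, would record the intent the commit message states. As a point of style, `$authBody` is assembled by string concatenation of hand-escaped values including the client secret; passing a hashtable to `-Body` (`@{ grant_type='client_credentials'; client_id=$AZAppUsername; client_secret=$AZAppPasswordInsecure; resource="$($script:AZEnvironment.ResourceManagerUrl)/" }`) lets Invoke-RestMethod form-encode it and removes the three EscapeDataString calls, though the Invoke-RestMethod call continues past the hunk so I cannot confirm no other parameter depends on the string form. Connect-AZTenant starts before and ends after both hunks.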