From d6ed62b54eb7f25747e7e0f8abf0dfda595b2760 Mon Sep 17 00:00:00 2001
From: Dany Khalife
Date: Fri, 20 Mar 2026 21:12:33 -0700
Subject: [PATCH] accept both client id and app aud

---
 mcpserver/Program.cs | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/mcpserver/Program.cs b/mcpserver/Program.cs
index 6b0ac32..27df8cc 100644
--- a/mcpserver/Program.cs
+++ b/mcpserver/Program.cs
@@ -8,6 +8,7 @@
 
 var tenantId = Environment.GetEnvironmentVariable("TW_ENTRA_TENANT_ID") ?? "";
 var audience = Environment.GetEnvironmentVariable("TW_ENTRA_AUDIENCE") ?? "";
+var clientId = Environment.GetEnvironmentVariable("TW_ENTRA_CLIENT_ID") ?? "";
 var mcpResource = Environment.GetEnvironmentVariable("TW_MCP_RESOURCE") ?? "";
 
 if (string.IsNullOrWhiteSpace(tenantId))
@@ -16,6 +17,9 @@
 if (string.IsNullOrWhiteSpace(audience))
 throw new InvalidOperationException("TW_ENTRA_AUDIENCE must be set to a valid Entra audience.");
 
+if (string.IsNullOrWhiteSpace(clientId))
+ throw new InvalidOperationException("TW_ENTRA_CLIENT_ID must be set to the Entra app registration's client ID.");
+
 if (string.IsNullOrWhiteSpace(mcpResource))
 throw new InvalidOperationException("TW_MCP_RESOURCE must be set to the canonical URL of this MCP server (e.g. https://mcp.example.com).");
 
@@ -46,7 +50,7 @@
 ValidateAudience = true,
 ValidateLifetime = true,
 ValidateIssuerSigningKey = true,
- ValidAudience = audience,
+ ValidAudiences = new[] { audience, clientId },
 ValidIssuer = authority,
 };
 })
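Review bot: The new guard in the `@@ -16,6 +17,9 @@` hunk rejects only an empty `TW_ENTRA_CLIENT_ID`, yet the last hunk turns this value into an accepted token audience, so a mistyped or wrong value silently changes which tokens the server accepts. An Entra client ID is a GUID, so the condition could be `if (!Guid.TryParse(clientId, out _))` with the same exception. The check also makes the variable mandatory: a deployment that sets only `TW_ENTRA_AUDIENCE` will now fail at startup, which is worth stating in the commit message or the deployment notes.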
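Review bot: In the `@@ -46,7 +50,7 @@` hunk, `ValidAudiences = new[] { audience, clientId }` lets any token whose `aud` is the app registration's client ID pass audience validation, and Entra ID tokens issued for that registration carry the same `aud`. The visible parameters check only issuer, audience, lifetime and signing key, so unless code outside the hunk already does it, the server should require a permission claim (`scp` or `roles`, under whatever name inbound claim mapping gives them) in its authorization policy. A comment above the line would record the intent, e.g. `// clientId is the aud of v2.0 access tokens; ID tokens share it, so scp/roles must be enforced by policy`. `ValidIssuer = authority` also remains a single value; if the two audience forms are meant to cover v1.0 and v2.0 tokens, their issuers differ and one form would still be rejected. The enclosing options lambda starts and ends outside the hunk.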