Web Api to Signalr Azure token not working

1
votes

I have a Asp.Net Web Api (Api1) that needs to send a message to a Signalr Realtime Api (Api2). I am trying to use Azure AD bearer tokens to authenticate. The client for Api1 is a JavaScript client that uses ADAL.js to get a token from Azure. 

    var authContext = new AuthenticationContext({    
            tenant: tenantId,
            clientId: jsclientId,
            postLogoutRedirectUri: window.location.origin,
            cacheLocation: 'localStorage',
            endpoints: {
                api1Url: api1ResourceUri
            }
    });

    authContext.acquireToken(jsclientId, function (error, token) {
        if (error || !token) {
            authContext.clearCache();
            authContext.login();
        } 
    });

The JS client attaches this token in the Authorization header to all Api calls to Api1. In Api1 I am using the following code to get an access token from Azure AD.

var userAssertion = new UserAssertion(bootstrapContext.Token, "urn:ietf:params:oauth:grant-type:jwt-bearer", userName);

var result = await authenticationContext.AcquireTokenAsync(api2ResourceId,  new ClientCredential(api1clientId, api1clientSecret), userAssertion);

I am attaching this access token to the request as an authorization header "Bearer tokenvalue". In the Signalr Hub Owin Startup class I have the following code.

app.UseWindowsAzureActiveDirectoryBearerAuthentication(
new WindowsAzureActiveDirectoryBearerAuthenticationOptions
{
    TokenValidationParameters = new TokenValidationParameters
    {
            ValidAudiences = api1Audiences,
            SaveSigninToken = true
    },
    Tenant = configSection.TenantId
});

While the ClaimsIdentity on the hub is showing as authenticated, the user's identity is not being set. identity.name is null. It looks like the users identity is not being passed on to the Signalr hub.

1
signalrasp.net-web-api2owinazure-active-directory

1 Answers

2
votes

You're getting no User Identity in your API because you are authenticating to it as an application, not as a user.

The acquireTokenAsync overload that only takes in resource and ClientCredentials is for the Client Credentials flow (a.k.a App-only flow).

What you need to do is to use the On-behalf-of flow to swap the token you got for API1 for a token for API2.

So in API1's Startup.Auth, TokenValidation parameters, set Save SigninToken to true like so:

app.UseOpenIdConnectAuthentication(
  OpenIdConnectAuthenticationOptions
  {
      // ...
      TokenValidationParameters = new TokenValidationParameters
      {
        SaveSigninToken = true
      },
      // ...
  });

And then wherever you want to call your API2, do as follows:

ClientCredential clientCred = new ClientCredential(clientId, appKey);
var bootstrapContext = ClaimsPrincipal.Current.Identities.First().BootstrapContext as System.IdentityModel.Tokens.BootstrapContext;
string userName = ClaimsPrincipal.Current.FindFirst(ClaimTypes.Upn) != null ? ClaimsPrincipal.Current.FindFirst(ClaimTypes.Upn).Value : ClaimsPrincipal.Current.FindFirst(ClaimTypes.Email).Value;
string userAccessToken = bootstrapContext.Token;
UserAssertion userAssertion = new UserAssertion(bootstrapContext.Token, "urn:ietf:params:oauth:grant-type:jwt-bearer", userName);

result = await authContext.AcquireTokenAsync(api2ResourceId, clientCred, userAssertion);

See it in the sample: https://github.com/Azure-Samples/active-directory-dotnet-webapi-onbehalfof, specificaly the ToDoService's Startup.Auth.cs and TodoListController.cs.

NOTE: This sample is for native app + web api, you're adapting it for web app + web api.

Edit - Make sure your JS code is requesting a token for your API1 by specifying API1 in the JS acquireToken call like so:

var authContext = new AuthenticationContext({    
        tenant: tenantId,
        clientId: jsclientId,
        postLogoutRedirectUri: window.location.origin,
        cacheLocation: 'localStorage',
        endpoints: {
            api1Url: api1ResourceUri
        }
});

authContext.acquireToken(api1clientId, function (error, token) {
    if (error || !token) {
        authContext.clearCache();
        authContext.login();
    } 
});