3 votes

I am attempting to build an application with a SPA UI and a web API that uses Jwt Bearer tokens for access control. I can authenticate the user and send the bearer token with the web request, but when I do so I get the following error:

Bearer was not authenticated. Failure message: IDX10500: Signature validation failed. No security keys were provided to validate the signature.

I want the middleware to use the key set found at

https://login.microsoftonline.com/common/discovery/keys

but I am clearly missing something. Below is the snippet of code in my startup to configure the bearer token. Can someone point out where I am going wrong?

    var clientId = Configuration["AzureAd:ClientId"];
    var tenantId = Configuration["AzureAd:TenantId"];
    var issuer = $"https://sts.windows.net/{tenantId}/";

    services.AddAuthentication(options =>
    {
        options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
    })
    .AddJwtBearer(options =>
    {
        options.RequireHttpsMetadata = false;
        options.SaveToken = true;
        options.Authority = "https://login.microsoftonline.com/common/";

        options.TokenValidationParameters = new TokenValidationParameters()
        {
            ValidateIssuer = true,
            ValidIssuer = issuer,
            ValidateAudience = true,
            ValidAudiences = new string[] { clientId },
            ValidateLifetime = true
        };
    });

Have exactly the same issue. – Ben Temple-Heald

Looking at the same error, myself. – Alex Dresko

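The key-set-based validation the question is aiming for, as an added example that is not code from the question or the answer: it loads the signing keys that the `common` discovery document points to (the `discovery/keys` URL above) and validates a token with every check left enabled, retrying once after a key refresh when the token's `kid` is unknown. `DiscoveryKeyValidator`, `ValidateAsync` and its arguments are hypothetical names; it assumes the `Microsoft.IdentityModel.Protocols.OpenIdConnect` and `System.IdentityModel.Tokens.Jwt` packages.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
public static class DiscoveryKeyValidator
{
    // One manager per authority: it caches the metadata and the jwks_uri key set
    // and refreshes them on its own schedule, so it must not be created per request.
    private static readonly ConfigurationManager<OpenIdConnectConfiguration> ConfigManager =
        new ConfigurationManager<OpenIdConnectConfiguration>(
            "https://login.microsoftonline.com/common/.well-known/openid-configuration",
            new OpenIdConnectConfigurationRetriever());

    // Validates 'token' against the keys published by the discovery document.
    // tenantId and clientId are assumed to come from the same AzureAd config section.
    public static async Task<ClaimsPrincipal> ValidateAsync(string token, string tenantId, string clientId)
    {
        OpenIdConnectConfiguration config = await ConfigManager.GetConfigurationAsync(CancellationToken.None);
        var parameters = new TokenValidationParameters
        {
            ValidateIssuerSigningKey = true,          // signature must verify against a published key
            IssuerSigningKeys = config.SigningKeys,   // the set behind /common/discovery/keys
            ValidateIssuer = true,
            ValidIssuer = $"https://sts.windows.net/{tenantId}/",
            ValidateAudience = true,
            ValidAudiences = new[] { clientId },
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(2)
        };
        var handler = new JwtSecurityTokenHandler();
        try
        {
            return handler.ValidateToken(token, parameters, out SecurityToken _);
        }
        catch (SecurityTokenSignatureKeyNotFoundException)
        {
            // The token's 'kid' is not in the cached set: keys may have rolled over.
            // Request a metadata refresh and retry exactly once; a second failure propagates.
            ConfigManager.RequestRefresh();
            config = await ConfigManager.GetConfigurationAsync(CancellationToken.None);
            parameters.IssuerSigningKeys = config.SigningKeys;
            return handler.ValidateToken(token, parameters, out SecurityToken _);
        }
    }
}
```

Any other `SecurityTokenValidationException` (bad issuer, wrong audience, expired token) is left to the caller, who should treat it as an authentication failure rather than relaxing the corresponding `Validate*` flag.
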
1 Answer

0 votes

Well, I just fixed this in my code, although I'm still learning how all of this new stuff works. For me, I had to set IssuerSigningKey even though ValidateIssuerSigningKey was set to false. I don't know if any specific value is required, but I set mine to the same value I used when I signed the JWT token.

    options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateAudience = false,
        ValidateLifetime = false,
        ValidateIssuer = false,
        ValidateIssuerSigningKey = false,
        IssuerSigningKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes("this is super secret")),
        ValidateActor = false
    };