6 votes

My SPA application (using Aurelia) calls my ASP.NET Core 2 Web API. I need to authenticate users with Google OIDC provider and also secure the Web API with the same method.

Currently I'm able to authenticate the user on the client (SPA) side and retrieve an id token and an access token. With each API call I send the access token in the header.

Now I'm not sure how to handle the server side to validate the token and grant or deny access to the API. I followed the official docs on how to add external login providers, but it seems to work only for server-side MVC applications.

Is there any easy way to do this?

I think for instance IdentityServer4 can support this scenario, but it seems to me too complex for what I need to do. I don't need my own identity/authorization server after all.

Update:

Based on Miroslav Popovic's answer, my configuration for ASP.NET Core 2.0 looks like this:

// Startup.cs
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

public void ConfigureServices(IServiceCollection services)
{
  services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(o =>
  {
    // The discovery document and signing keys are fetched from the authority
    o.Authority = "https://accounts.google.com";
    o.TokenValidationParameters = new TokenValidationParameters
    {
      // Google sets iss to "accounts.google.com" or "https://accounts.google.com";
      // the handler also accepts the issuer from the discovery document, so both forms pass
      ValidIssuer = "accounts.google.com",
      // This application's OAuth client ID: tokens minted for other clients are rejected
      ValidAudience = "xxxxxxxxxxxxx.apps.googleusercontent.com",
      ValidateAudience = true,
      ValidateIssuer = true
    };
  });

  services.AddMvc();
}

And in Configure() I call app.UseAuthentication().

When using this setup I get the failure message "No SecurityTokenValidator available for token".

Update 2:

I made it work. The server configuration is correct. The problem was I was sending access_token to the API instead of id_token.


1 Answer

4 votes

Since you already have the access token, it shouldn't be too hard to use it to add authentication. You would need something along these lines (not tested):

using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.IdentityModel.Tokens;

// Inside Startup.cs, ConfigureServices method
services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(
        options =>
        {
            var tokenValidationParameters = new TokenValidationParameters
            {
                ValidIssuer = "accounts.google.com",
                // The audience is not checked here, so a Google token issued to any client ID
                // is accepted; set ValidAudience to this app's client ID to restrict it
                ValidateAudience = false
            };

            // Discovery document: the issuer and the signing keys are loaded from here
            options.MetadataAddress = "https://accounts.google.com/.well-known/openid-configuration";
            options.TokenValidationParameters = tokenValidationParameters;
        });

// Inside Startup.cs, Configure method
app.UseAuthentication(); // Before MVC middleware
app.UseMvc();

// And of course, on your controllers:
[Authorize]
public class MyApiController : Controller

This post from Paul Rowe might help some more, but note that it's written for ASP.NET Core 1.x and authentication APIs changed a bit in 2.0.

There is also a lot of info here on SO, like this question.
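Added example, not part of the question or the answer and not ASP.NET Core or Google code: a Go program that reproduces, offline, the checks that TokenValidationParameters drives in the JwtBearer handler configured above (JWT structure, RS256 signature, issuer, audience, expiry), and that shows why the opaque access_token from Update 2 fails before any claim is examined. The RSA keys, the tokens, the client ID (the same placeholder as in the question) and the subject are all constructed here; a real API takes Google's public keys from the jwks_uri in the discovery document behind Authority / MetadataAddress, and the function names are this example's own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Constructed client ID, mirroring the placeholder in the question (the ValidAudience value).
const clientID = "xxxxxxxxxxxxx.apps.googleusercontent.com"

// Google ID tokens carry the issuer in either form; the handler in the question accepts both because it adds the discovery document's issuer to the configured ValidIssuer.
var validIssuers = map[string]bool{"accounts.google.com": true, "https://accounts.google.com": true}

type claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
// decodeSegment base64url-decodes one JWT segment and parses it as JSON into v.
func decodeSegment(seg string, v interface{}) bool {
	b, err := base64.RawURLEncoding.DecodeString(seg)
	return err == nil && json.Unmarshal(b, v) == nil
}

// mintIDToken builds an RS256-signed JWT; it stands in for Google's signer so the example runs offline.
func mintIDToken(key *rsa.PrivateKey, c claims) string {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, _ := json.Marshal(c)
	signingInput := b64(header) + "." + b64(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return signingInput + "." + b64(sig)
}

// ValidateIDToken performs the checks TokenValidationParameters drives in the JwtBearer handler: JWT
// structure, RS256 signature (pub stands in for the key from Google's JWKS), issuer, audience, expiry.
func ValidateIDToken(token string, pub *rsa.PublicKey, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		// An opaque access token (ya29....) is not a JWT at all; this is what "No SecurityTokenValidator available for token" reports.
		return "", fmt.Errorf("token is not a JWT")
	}
	var hdr struct{ Alg string `json:"alg"` }
	var c claims
	if !decodeSegment(parts[0], &hdr) || hdr.Alg != "RS256" || !decodeSegment(parts[1], &c) {
		return "", fmt.Errorf("malformed token or unsupported alg")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return "", fmt.Errorf("signature verification failed")
	}
	if !validIssuers[c.Iss] {
		return "", fmt.Errorf("unexpected issuer %q", c.Iss)
	}
	// ValidateAudience = true with ValidAudience = clientID: a token Google minted for another application is rejected even though its signature verifies.
	if c.Aud != clientID {
		return "", fmt.Errorf("audience %q is not this API's client ID", c.Aud)
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return "", fmt.Errorf("token expired")
	}
	return c.Sub, nil
}

// Scenarios mints constructed tokens and returns the validation error for each (nil means accepted).
func Scenarios() map[string]error {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)      // error ignored: only fails if the system RNG does
	otherKey, _ := rsa.GenerateKey(rand.Reader, 2048) // a signer that is not Google
	now := time.Now()
	good := claims{Iss: "https://accounts.google.com", Aud: clientID, Sub: "constructed-subject", Exp: now.Add(time.Hour).Unix()}
	wrongAud, expired := good, good
	wrongAud.Aud = "other-app.apps.googleusercontent.com"
	expired.Exp = now.Add(-time.Hour).Unix()
	tokens := map[string]string{
		"opaque access_token": "ya29.constructed-opaque-access-token", // what the question first sent
		"valid id_token":      mintIDToken(key, good),
		"wrong audience":      mintIDToken(key, wrongAud),
		"expired":             mintIDToken(key, expired),
		"forged signature":    mintIDToken(otherKey, good),
	}
	results := map[string]error{}
	for name, tok := range tokens {
		_, results[name] = ValidateIDToken(tok, &key.PublicKey, now)
	}
	return results
}

func main() { fmt.Println(Scenarios()) }
```

The "wrong audience" case is the one the answer's ValidateAudience = false would let through: the token is genuinely Google-signed, just issued to a different client ID, so only the audience check separates tokens meant for this API from tokens meant for any other Google-integrated app. The "opaque access_token" case fails at the structural check, which is the server-side view of the mistake described in Update 2.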