2
votes

I am using AzureAD in an asp.net core 2 app. I want to use both cookie and bearer authentication. I have the following code in the startup file:

public void ConfigureServices(IServiceCollection services)
{
    services.Configure<CookiePolicyOptions>(options =>
    {
        // This lambda determines whether user consent for non-essential cookies is needed for a given request.
        //options.CheckConsentNeeded = context => true;
        options.MinimumSameSitePolicy = SameSiteMode.None;
    });

    // Cookie (OpenID Connect) sign-in is bound to the "AzureAd" section (the Web API app registration);
    // the bearer handler is bound to "AzureAdClient", the separate client app registration.
    services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
            .AddAzureAD(options => Configuration.Bind("AzureAd", options))
            .AddAzureADBearer(options => Configuration.Bind("AzureAdClient", options));

    services.AddDbContext<ApplicationDbContext>(options =>
        options.UseSqlServer(Configuration.GetConnectionString("DefaultConnection"), sqlServerOptions => sqlServerOptions.CommandTimeout(120)));

    //services.AddMvc();
    services.AddMvc(options =>
    {
        // Global "authenticated user" policy is built but not registered as a filter (left commented out).
        var policy = new AuthorizationPolicyBuilder()
                        .RequireAuthenticatedUser()
                        .Build();
        //options.Filters.Add(new AuthorizeFilter(policy));
    })
    .SetCompatibilityVersion(CompatibilityVersion.Version_2_2);
}

I have added the Authorize attribute as:

[Authorize(AuthenticationSchemes = "AzureADBearer")]

Now, when hitting the API from Postman, I can get the bearer token, but when I use that token to access this API, I get a signature invalid error:

WWW-Authenticate →Bearer error="invalid_token", error_description="The signature is invalid"

Any Ideas?

2
Shouldn't the Authorize attribute be [Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]? – Tony Ju
Here is a sample for your reference: github.com/Azure-Samples/… – Tony Ju
What is your AzureAdClient config? Is the config correct for validating the token? – Nan Yu
@NanYu, this config is for the new client app registered in Azure AD. I have added this new app as a client in the API app. So I have two apps in Azure AD, one for the Web API and one for the client. – Sid

2 Answers

0
votes

Try something like the code below; it should work.

services.AddAuthentication(sharedOptions =>
{
    // Cookie/OpenID Connect scheme is the default for both challenge and authenticate.
    sharedOptions.DefaultChallengeScheme = AzureADDefaults.AuthenticationScheme;
    sharedOptions.DefaultAuthenticateScheme = AzureADDefaults.AuthenticationScheme;
})
// Both handlers are bound to the same "AzureAd" section, i.e. the API's own app registration.
.AddAzureAD(options => Configuration.Bind("AzureAd", options))
.AddAzureADBearer(options => Configuration.Bind("AzureAd", options));

and in the controller, you can select the scheme per action like this:

[HttpGet]
[Authorize(AuthenticationSchemes = "AzureADBearer")]
public IEnumerable<string> Get()
{
    return new string[] { "value1", "value2" };
}

Hope it helps.

0
votes

Well, I solved this. Now, in the asp.net core web + API project, I am using only the API-specific AzureAD setting. For Postman and the mobile application, I have created a new app registration and added a scope for the earlier app registration (the API app registration), which has the user_impersonation / "access as user" permission.
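The resolution above comes down to one check: the token Postman sends must have been issued for the API's own app registration, not for the client registration or some other resource. The script below is an added example, not code from the question or either answer. It decodes a JWT without verifying the signature (this is a diagnostic, not a validation step; never use it to accept a token) and reports the audience, issuer, key id and other fields a practitioner would compare against the API registration before blaming the signing key. The app and tenant ids, the sample tokens and their fake signature segments are all constructed here for offline demonstration; real tokens would be pasted in from Postman. The `nonce` check reflects the behaviour that tokens issued for Microsoft Graph carry a `nonce` in the JWS header and are not meant to be validated by third-party APIs, which shows up as exactly the "signature is invalid" symptom.

```python
import base64
import json

# Constructed identifiers for the demonstration (not real registrations).
API_APP_ID = "11111111-1111-1111-1111-111111111111"
CLIENT_APP_ID = "33333333-3333-3333-3333-333333333333"
TENANT_ID = "22222222-2222-2222-2222-222222222222"

# A v1 token (iss = sts.windows.net) carries the App ID URI as aud; a v2 token carries
# the bare client id. An API should accept its own registration in either form.
EXPECTED_AUDIENCES = {f"api://{API_APP_ID}", API_APP_ID}


def _b64url_decode(segment: str) -> bytes:
    # JWS segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_unverified(token: str):
    """Split a compact JWS into (header, payload) dicts. No signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def diagnose(token: str, expected_audiences: set, expected_tenant: str) -> dict:
    """Report why an Azure AD access token would fail validation at this API."""
    header, payload = decode_unverified(token)
    problems = []

    aud = payload.get("aud")
    if aud not in expected_audiences:
        problems.append(f"aud {aud!r} is not the API registration {sorted(expected_audiences)}; "
                        "the token was acquired for a different resource")

    iss = payload.get("iss", "")
    if expected_tenant not in iss:
        problems.append(f"iss {iss!r} does not belong to tenant {expected_tenant}")

    if "nonce" in header:
        problems.append("header carries a nonce: Graph-style token, not validatable by a third-party API")

    if header.get("alg") != "RS256":
        problems.append(f"unexpected alg {header.get('alg')!r}; Azure AD signs access tokens with RS256")

    if "kid" not in header:
        problems.append("no kid in header: the validator cannot pick a signing key from the discovery document")

    return {
        "alg": header.get("alg"),
        "kid": header.get("kid"),
        "aud": aud,
        "iss": iss,
        "appid": payload.get("appid"),
        "ver": payload.get("ver"),
        "problems": problems,
    }


def make_sample_token(header: dict, payload: dict) -> str:
    # Constructed, unsigned sample: the third segment is junk bytes standing in for a signature.
    enc = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return ".".join([enc(header), enc(payload), _b64url_encode(b"\x00" * 32)])


# Token acquired with a scope on the API registration (the fix described in the answer above).
GOOD_TOKEN = make_sample_token(
    {"typ": "JWT", "alg": "RS256", "kid": "sample-kid-1"},
    {"aud": f"api://{API_APP_ID}", "iss": f"https://sts.windows.net/{TENANT_ID}/",
     "appid": CLIENT_APP_ID, "tid": TENANT_ID, "ver": "1.0", "scp": "user_impersonation"},
)

# Token acquired for Microsoft Graph instead: wrong audience and a nonce in the header.
GRAPH_TOKEN = make_sample_token(
    {"typ": "JWT", "nonce": "sample-nonce", "alg": "RS256", "kid": "sample-kid-2"},
    {"aud": "https://graph.microsoft.com", "iss": f"https://sts.windows.net/{TENANT_ID}/",
     "appid": CLIENT_APP_ID, "tid": TENANT_ID, "ver": "1.0"},
)

if __name__ == "__main__":
    for name, tok in (("good", GOOD_TOKEN), ("graph", GRAPH_TOKEN)):
        print(name, json.dumps(diagnose(tok, EXPECTED_AUDIENCES, TENANT_ID), indent=2))
```

Run it against a real token by pasting the value of the Authorization header into `diagnose` with the API's real client id and tenant id. A clean report with a signature failure still present points at the key set (wrong tenant endpoint or a stale discovery cache); a non-empty `problems` list means the token itself was never meant for this API, which is what the two separate registrations in the question produced.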