How to Validate OpenID Connect Access Token generated by Azure AD v2 in ASP.NET core WEB API?

1
votes

How to Validate OpenID Connect Access Token generated by Azure AD (v2!!!) in ASP.NET core WEB API?

The Scenario is:

I have an Angular 8 Client Application which is getting an OpenID Connect access Token after Login. The Client can call the API along with the Access Token. But Question is, How should I validate that Token in ASP.NET core API?

With this code I get an Authorize Error without any descriptions.

  services.AddAuthentication(AzureADDefaults.BearerAuthenticationScheme)
             .AddAzureADBearer(options => Configuration.Bind("AzureAd", options));

        services.AddCors(options =>
        {
            options.AddDefaultPolicy(
                builder =>
                {
                    builder.AllowAnyOrigin();
                    builder.AllowAnyMethod();
                    builder.AllowAnyOrigin();
                    builder.AllowAnyHeader();
                });
        });

Microsoft.AspNetCore.Authorization.DefaultAuthorizationService:Information: Authorization failed. Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker:Information: Authorization failed for the request at filter 'Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter'. Microsoft.AspNetCore.Mvc.ChallengeResult:Information: Executing ChallengeResult with authentication schemes (). Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler:Information: AuthenticationScheme: AzureADJwtBearer was challenged.

"AzureAd": {
"Instance": "https://login.microsoftonline.com/",
"Domain": "localhost",
"TenantId": "myTenantId",
"ClientId": "myClientId"

},

1
c#angularazure-active-directoryasp.net-core-webapiopenid-connect
please verify the configuration fileMukul Keshari

1 Answers

2
votes

The Domain is not localhost . You need specify the TenantId only if you want to accept access tokens from a single tenant . Otherwise, you can leave them set to common:

This value can be:
- A GUID (Tenant ID = Directory ID)
- 'common' (any organization and personal accounts)
- 'organizations' (any organization)
- 'consumers' (Microsoft personal accounts)

And you should change to use the Microsoft identity platform endpoint(Azure AD V2.0 endpoint) by adding this code to the Startup.cs file:

services.Configure<JwtBearerOptions>(AzureADDefaults.JwtBearerAuthenticationScheme, options =>
{
    // This is a Microsoft identity platform web API.
    options.Authority += "/v2.0";

    .....
});

You can click here for detail explanation and code sample .