ASP.NET Framework
We have an existing ASP.NET Framework website which does authenticating using ActiveDirectoryFederationServicesBearerAuthentication:
    // OWIN middleware: issuer and signing keys are fetched from the ADFS federation metadata document
    app.UseActiveDirectoryFederationServicesBearerAuthentication(
        new ActiveDirectoryFederationServicesBearerAuthenticationOptions
        {
            MetadataEndpoint = ConfigurationManager.AppSettings["ida:AdfsMetadataEndpoint"],
            TokenValidationParameters =
                new TokenValidationParameters
                {
                    ValidAudience = ConfigurationManager.AppSettings["ida:Audience"],
                    RequireSignedTokens = true
                }
        });
Value of "ida:AdfsMetadataEndpoint" is:
    https://<adfs-server>/FederationMetadata/2007-06/FederationMetadata.xml
We have an ADFS 3.0 server (running on Windows Server 2012 R2) issuing these JWT tokens.
ASP.NET Core 3.1
As we are migrating our web server over to ASP.NET Core 3.1, we want to continue using the same ADFS 3.0 server to issue JWT tokens to our website.
But I'm having problems configuring the new server to validate tokens from the ADFS 3.0 server. Here is what I've tried:
JwtBearerAuthentication
From my understanding, JwtBearerAuthentication requires ADFS 4.0, which supports OpenID Connect?
I have found this workaround which should work in my case, but it seems like a bit of a hack to store the issuer signing key in my application. What if it changes on the ADFS?
WsFederationAuthentication
I followed this guide, but it seems to me that this does not support Bearer authentication?
Conclusion
What is the ASP.NET Core equivalent of ActiveDirectoryFederationServicesBearerAuthentication using JWT Bearer Tokens issued from ADFS 3.0?
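As an added example, not part of the original question or of any Microsoft sample, one way to get the same behaviour in ASP.NET Core 3.1: give JwtBearerOptions a custom IConfigurationManager that reads the ADFS 3.0 WS-Federation metadata (so signing keys are not pinned in app settings and key rollover is picked up automatically). It assumes the Microsoft.AspNetCore.Authentication.JwtBearer and Microsoft.IdentityModel.Protocols.WsFederation packages; the names AdfsMetadataConfigurationManager and AddAdfs30JwtBearer are chosen here.

```csharp
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Protocols.WsFederation;
using Microsoft.IdentityModel.Tokens;

// Adapts the WS-Federation metadata that ADFS 3.0 publishes to the OpenID Connect shape
// JwtBearerHandler expects, so issuer and signing keys come from the metadata endpoint.
public sealed class AdfsMetadataConfigurationManager : IConfigurationManager<OpenIdConnectConfiguration>
{
    private readonly ConfigurationManager<WsFederationConfiguration> _inner;
    public AdfsMetadataConfigurationManager(string metadataEndpoint) =>
        _inner = new ConfigurationManager<WsFederationConfiguration>(
            metadataEndpoint, new WsFederationConfigurationRetriever()); // HTTPS required by default
    public async Task<OpenIdConnectConfiguration> GetConfigurationAsync(CancellationToken cancel)
    {
        WsFederationConfiguration wsFed = await _inner.GetConfigurationAsync(cancel);
        // Issuer is the metadata entityID; ADFS 3.0 JWTs carry that same value in "iss".
        var oidc = new OpenIdConnectConfiguration { Issuer = wsFed.Issuer };
        foreach (SecurityKey key in wsFed.SigningKeys) oidc.SigningKeys.Add(key);
        return oidc;
    }
    // JwtBearerHandler calls this when a token is signed with an unknown key, so an
    // ADFS signing-certificate rollover is picked up without redeploying the web app.
    public void RequestRefresh() => _inner.RequestRefresh();
}

public static class AdfsJwtBearerSetup
{
    // Hypothetical helper for Startup.ConfigureServices (name chosen for this example).
    public static IServiceCollection AddAdfs30JwtBearer(
        this IServiceCollection services, string metadataEndpoint, string audience)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.ConfigurationManager = new AdfsMetadataConfigurationManager(metadataEndpoint);
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidAudience = audience,     // the old "ida:Audience" value
                    ValidateIssuer = true,        // handler adds the metadata issuer to ValidIssuers
                    RequireSignedTokens = true
                };
            });
        return services;
    }
}
```

Configure() still needs app.UseAuthentication() before app.UseAuthorization(); if the ADFS `iss` claim differs from the metadata entityID in your deployment, set TokenValidationParameters.ValidIssuer explicitly.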