1
votes

Due to some technical constraints, we are doing username/password AAD authentication when the user logs in.

Users will input their username and password into our custom login page and our application calls IPublicClientApplication.AcquireTokenByUsernamePassword.

I'm planning to use the returned token to call another Web API application (also connecting to the same AAD). In the Web API application, I did the following:

  1. Added the following code in Startup:

     services.AddAuthentication(AzureADDefaults.JwtBearerAuthenticationScheme).AddAzureADBearer(options => Configuration.Bind("AzureAd", options));

  2. Included the following settings in my appsettings.json file:

     "AzureAd": {
         "Instance": "https://login.microsoftonline.com/",
         "ClientId": "<Application ID>",
         "TenantId": "<Tenant ID>"
     }

  3. Secured my Web API using [Authorize]

I then use Postman to construct a call to the Web API with the returned token, including the header Authorization: Bearer <JWT Token>. The Web API returns:

Bearer error="invalid_token", error_description="The signature is invalid"

My questions are:

  1. Can Web API application validate the username/password acquired token?
  2. If the token can be validated in Web API application, how can I do it since I'm getting the above error?
2
Can you kindly check if the application has any roles assigned in the AAD? (Deepak Tatyaji Ahire)

2 Answers

2
votes

I tested this on my site and it works well; you could refer to the following steps:

1. Register the Web API app in Azure AD.

2. Click Expose an API and add a scope, e.g. webread.


3. Click Manifest and change accessTokenAcceptedVersion to 2.0.


4. In Visual Studio, in the Web API's ConfigureServices:

services.AddAuthentication(AzureADDefaults.JwtBearerAuthenticationScheme)
    .AddAzureADBearer(options => Configuration.Bind("AzureAd", options));
services.Configure<JwtBearerOptions>(AzureADDefaults.JwtBearerAuthenticationScheme, options =>
{
    // Tokens from the v2.0 endpoint carry the tenant's /v2.0 issuer, so validate against it.
    options.Authority += "/v2.0";
    // Accept both the bare Client ID and api://{ClientId} as the token audience.
    options.TokenValidationParameters.ValidAudiences = new[]
    {
        options.Audience,
        $"api://{options.Audience}"
    };
});

5. Register the client app in Azure AD.

6. Click Authentication and set Default client type to Yes.

7. Click API permissions > Add a permission, select My APIs and choose the Web API you registered before.


8. In the Visual Studio client app, set the scope to webread:

string[] scopes = new string[] { "api://1890e822-xxxxxxxxxxxxxxxx/webread" };

Hope it helps you.

0
votes

From the document you provided, you are using MSAL to get an access token using the Resource Owner flow on the Azure AD v2.0 endpoint.

From the documentation, when validating an access token issued by Azure AD v2.0, you should add /v2.0 to the Authority:

services.Configure<JwtBearerOptions>(AzureADDefaults.JwtBearerAuthenticationScheme, options =>
{
    // This is a Microsoft identity platform web API.
    options.Authority += "/v2.0";

    // The web API accepts as audiences both the Client ID (options.Audience) and api://{ClientID}.
    options.TokenValidationParameters.ValidAudiences = new[]
    {
        options.Audience,
        $"api://{options.Audience}"
    };
});
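An added example, not from either answer: a small Python script that decodes a token's claims (without verifying the signature) and applies the same issuer, version, audience and scope rules that the configuration in both answers sets, so a mismatch shows up as a named claim instead of a bare "invalid token". The client ID, tenant ID and both sample tokens are constructed placeholders.

```python
import base64
import json

# Constructed placeholders standing in for the "AzureAd" settings on the page.
API_CLIENT_ID = "00000000-0000-0000-0000-000000000001"
TENANT_ID = "00000000-0000-0000-0000-000000000002"
REQUIRED_SCOPE = "webread"

def jwt_claims_unverified(token: str) -> dict:
    """Decode the payload WITHOUT checking the signature (for diagnosis only)."""
    # The JwtBearer middleware still verifies the signature against the tenant's signing keys.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three '.'-separated segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_claims(claims: dict, client_id: str, tenant_id: str, scope: str) -> list:
    """Apply the rules the answers configure and return every mismatch found."""
    problems = []
    # options.Authority += "/v2.0" => the issuer must be the tenant's v2.0 issuer.
    expected_iss = f"https://login.microsoftonline.com/{tenant_id}/v2.0"
    if claims.get("iss") != expected_iss:
        problems.append(f"iss={claims.get('iss')!r}, expected {expected_iss!r}")
    # accessTokenAcceptedVersion 2.0 in the manifest => tokens carry ver "2.0".
    if claims.get("ver") != "2.0":
        problems.append(f"ver={claims.get('ver')!r}, expected '2.0'")
    # ValidAudiences = { ClientId, api://ClientId }
    valid_aud = {client_id, f"api://{client_id}"}
    if claims.get("aud") not in valid_aud:
        problems.append(f"aud={claims.get('aud')!r}, expected one of {sorted(valid_aud)}")
    # The client asks for api://<ClientId>/<scope>; the scope name lands in scp.
    if scope not in claims.get("scp", "").split():
        problems.append(f"scp={claims.get('scp')!r} lacks {scope!r}")
    return problems

def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned sample token for the demo (dummy signature segment)."""
    segs = [json.dumps({"alg": "RS256", "typ": "JWT"}), json.dumps(claims)]
    return ".".join([base64.urlsafe_b64encode(s.encode()).rstrip(b"=").decode() for s in segs] + ["c2ln"])

def diagnose(token: str) -> list:
    return check_claims(jwt_claims_unverified(token), API_CLIENT_ID, TENANT_ID, REQUIRED_SCOPE)

# Shaped like a token issued for the API after steps 2, 3 and 8 of the first answer.
GOOD_TOKEN = make_sample_token({"iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
                                "ver": "2.0", "aud": API_CLIENT_ID, "scp": "webread"})
# Shaped like a v1.0 token minted for another resource, which this API must reject.
WRONG_TOKEN = make_sample_token({"iss": f"https://sts.windows.net/{TENANT_ID}/", "ver": "1.0",
                                 "aud": "https://graph.microsoft.com", "scp": "User.Read"})
```

If the claims already point at another audience or issuer, the token was requested for the wrong resource and the fix is the client's scope request (step 8), not the API's validation settings.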