SteelBird82

Reputation: 769

Token validation in WebApp WebApi Authentication using Azure AD?

Working on a WebApp <=> WebApi authentication scenario, where I get the JWT token from Azure AD in the WebApp and pass the same to the WebApi. In the WebApi, I generate an access token for the Azure Graph API from the token from the WebApp to make calls to the Graph API for authorization.

Both the WebApp and the WebApi are registered as a single application on the Azure tenant portal, as the user authentication is the same for both the WebApp and the WebApi.

This is an intranet application and is open to all the users in AD. A couple of questions related to token validation or authentication:

  1. Do I need to verify the Tenant and the Audience in the token in both WebApp and WebApi?
  2. What other token validations do I need to perform in the WebApp, WebApi or in both?

As the JWT token is digitally signed and encrypted, what would be the implications of not doing validations in the WebApi when the token is passed from the WebApp?

Please advise.

Upvotes: 1

Views: 468

Answers (2)

serkan

Reputation: 7141

After a long time trying, I came up with this:

First, the x5c key needs to be retrieved from: https://login.windows.net/common/discovery/keys

Then, install https://github.com/auth0/node-jsonwebtoken. Unfortunately, the library does not support certificate verification. You need to convert it to a key (private or public).

Then the code would be:

    // jsonwebtoken accepts a PEM-encoded X.509 certificate as the verification
    // key, so the raw base64 x5c value has to be wrapped as PEM first.
    var jwt = require('jsonwebtoken');

    // Break the single-line base64 body into 64-character lines, as PEM expects.
    function insertNewlines(certificate) {
        for (var i = 64; i < certificate.length; i += 65) {
            certificate = certificate.slice(0, i) + '\n' + certificate.slice(i);
        }
        return certificate;
    }

    // Add the PEM armour lines around the body.
    function addBoundaries(certificate) {
        return "-----BEGIN CERTIFICATE-----\n" + certificate + "\n-----END CERTIFICATE-----";
    }

    function getPEM(certificate) {
        certificate = insertNewlines(certificate);
        certificate = addBoundaries(certificate);
        return certificate;
    }

    // id_token: the JWT to check; cert: the x5c entry from the discovery
    // document whose "kid" matches the token header (both truncated here).
    let id_token = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsI...";
    let cert = "MIIDBTCCAe2gAwIBAgIQZSAeaqWig4...";

    var pemContent = getPEM(cert);

    jwt.verify(id_token, pemContent, function(err, decoded) {
        // err: set when the signature is invalid (or the token has expired)
        // decoded: the validated claims on success
    });

Upvotes: 1

Aram

Reputation: 5695

We do validations with the audience only (you can use the tenant if your application is not multi-tenant, but for us, since it is multi-tenant, we use "common" as the tenant).

If we don't do audience validation in our API, then ANY application that acquires a Graph token can make a call to your application (the only validation that will happen is whether the token has expired or not).

A JWT token is not encrypted; it is Base64 encoded, and you can use tools like http://jwt.calebb.net/ to see the properties in the token.

Upvotes: 1
