Carlos Rodriguez

Reputation: 2220

Windows Azure Active Directory Bearer Authentication

I'm trying to wrap my head around how to secure Web API resources with Azure Active Directory. Currently, I have an angular 2 app that is redirecting the user to the Azure AD login page, and receives an id_token in return. This id token is used in subsequent calls as a bearer token, and it seems to be working. My question is here.

    // Startup.Auth.cs (OWIN): registers the Azure AD bearer-token middleware
    // that validates the Authorization: Bearer header on every API request.
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseWindowsAzureActiveDirectoryBearerAuthentication(
            new WindowsAzureActiveDirectoryBearerAuthenticationOptions
            {
                TokenValidationParameters = new TokenValidationParameters
                {
                    // The token must have been issued for this app (aud claim)
                    ValidAudience = ConfigurationManager.AppSettings["ida:ClientId"],
                    // The token must come from the configured tenant (iss claim)
                    ValidateIssuer = true
                },
                // Tenant whose issuer value and signing keys the middleware uses
                Tenant = ConfigurationManager.AppSettings["ida:TenantId"]
            });
    }

It seems that here is where we do our validation of the bearer token. What I don't really understand is how it works. Is it communicating with Azure AD on every API call? If so, is this the ideal approach (in terms of performance)? If not, how does this stop someone from just creating their own token and hacking into the API?

I'm sure there's some vital piece of knowledge I'm missing to understand that, so if you have any resources I should read to understand this better, please suggest.

Thanks!

Upvotes: 3

Views: 1131

Answers (1)

Andre Teixeira

Reputation: 783

You can define what attributes you want to be validated via TokenValidationParameters and/or you can create a notification to implement your own validator.

In the case of the code above you defined that ValidateIssuer = true - which means that the Issuer will be validated - or else, the middleware will check if the Issuer (iss claim in the token) matches the Tenant Id on which the app was registered (for example, if the application was registered on tenant contoso.com, the parameter validates if the token was actually issued by tenant contoso.com) - blocking a token generated by another tenant.

The ValidAudience = true tells the middleware to validate if the token generated was actually generated to your application. So there is no need to communicate against Azure AD every time.

See this MSDN article for more options for token validation.

Please also see below a great post about token validation:

http://www.cloudidentity.com/blog/2014/03/03/principles-of-token-validation/

Upvotes: 1
