Diwas

Reputation: 763

Web API authentication using OAuth 2.0 token and Azure Active Directory (Without Authentication Server)

Is there a way to authenticate the Microsoft or Google OAuth token in Active Directory without using an authentication server?

Here is the scenario:

Is there a way to validate that access_token on API side?

My normal understanding of OAuth 2.0 is that there needs to be an authentication server to which both the client and the API talk, as shown in the figure below:


But if the token is provided by some external service, can we use it to validate our web API? Are there any ways to implement such authentication?

Upvotes: 0

Views: 1120

Answers (1)

Shawn Tabrizi

Reputation: 12434

You can learn more about AAD Signing Keys and handling Key Rollover using this page: Signing key rollover in Azure Active Directory

Validation of the token, once you have the signing key, can be done using existing libraries like OWIN. You can also try following instructions like this (although it seems the document isn't 100% complete yet): Manually validating a JWT access token in a web API

This library is also available, but I think OWIN is supposed to have replaced it in general.

Also check out this blog post, which has a pretty great deep dive into token validation.

Upvotes: 1
