Bill Noel

Reputation: 1150

Validating B2C JWT tokens in Asp.Net Core Web Api

I am using B2C to protect a WebApi in Asp.Net Core. My code is below. Do I need to validate the tokens or is the middleware doing it for me? I would think if everyone had to do this, it'd be easier for me to find some sample code, but I can't seem to get any real direction on this.

Yet, this B2C documentation states that my API must do the validation.

I found a sample but it's not for Core and they're using CertificateValidator = X509CertificateValidator.None. Doesn't that defeat the purpose? And another sample here where they are doing it.

Don't I have to have the signing key from B2C and all that?

I can cobble together a solution from those, but do I actually need to do this?

Thanks in advance.

        // ASP.NET Core 1.x registration (in 2.0+ this became
        // services.AddAuthentication().AddJwtBearer(...) in ConfigureServices).
        app.UseJwtBearerAuthentication(new JwtBearerOptions()
        {
            AuthenticationScheme = Constants.B2CAuthenticationSchemeName,
            // Not automatic: a controller has to ask for this scheme explicitly,
            // e.g. [Authorize(ActiveAuthenticationSchemes = "...")].
            AutomaticAuthenticate = false,
            // OIDC discovery document of the sign-up/sign-in policy. The middleware
            // reads the issuer and the jwks_uri (signing keys) from it.
            MetadataAddress = string.Format(
                _identityConfig.B2CInfo.AadInstance,
                _identityConfig.B2CInfo.Tenant,
                _identityConfig.B2CInfo.Policies
                    .Where(p => p.IsDefaultSignUpSignInPolicy == true)
                    .First()
                    .Name),
            // Tokens must carry this API's application (client) ID in "aud".
            Audience = _identityConfig.B2CInfo.ClientId,
            TokenValidationParameters = new TokenValidationParameters
            {
                ValidateLifetime = true,        // reject expired / not-yet-valid tokens
                RequireExpirationTime = true,   // a token without "exp" is rejected
                RequireSignedTokens = true,     // already the default
            },
            Events = new JwtBearerEvents
            {
                OnAuthenticationFailed = B2CAuthenticationFailed
            }
        });

Upvotes: 5

Views: 1475

Answers (1)

Kévin Chalet

Reputation: 42020

Do I need to validate the tokens or is the middleware doing it for me?

The JWT bearer middleware does it for you (by default, it will automatically reject unsigned or counterfeit tokens, so you don't need to explicitly set RequireSignedTokens to true).

Doesn't that defeat the purpose?

There's a difference between validating a signature using a public asymmetric key (e.g. RSA or ECDSA) embedded in a certificate and validating the certificate itself (and especially its chain). Signature validation is fully supported in ASP.NET Core, but certificate validation is not supported yet.

Don't I have to have the signing key from B2C and all that?

The JWT bearer middleware automatically retrieves it from B2C's discovery endpoint, so there's no need to do that manually. For more information, don't hesitate to read the OIDC discovery specification: https://openid.net/specs/openid-connect-discovery-1_0.html

Upvotes: 5
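What "the middleware does it for you" amounts to, written out as an added example that comes from neither the question, the answer, nor the JwtBearer middleware itself. It is a small Go program (chosen so it runs on the standard library alone) that plays both sides: the issuer signs with RS256 and publishes only a public key under a kid; the API pins the algorithm, looks the key up by kid, verifies the signature, and only then reads and checks iss, aud and exp. The issuer URL, client ID, kid and keys are constructed for the demo; the in-memory KeySet stands in for the JWKS that the middleware would fetch from the discovery document's jwks_uri, and no HTTP is performed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// KeySet stands in for the JWKS fetched via the discovery document's jwks_uri: public keys by kid.
type KeySet map[string]*rsa.PublicKey

type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding

// newIssuerKey generates the issuer's signing key; only its public half is ever published.
func newIssuerKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

// issueToken stands in for B2C: RS256 over base64url(header).base64url(claims).
func issueToken(key *rsa.PrivateKey, kid string, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(c)
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return signingInput + "." + b64.EncodeToString(sig)
}

// validate does what JwtBearer does for you: pin alg, pick key by kid, verify, then check claims.
func validate(token string, keys KeySet, issuer, audience string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	rawHdr, err := b64.DecodeString(parts[0])
	var hdr struct{ Alg, Kid string }
	if err != nil || json.Unmarshal(rawHdr, &hdr) != nil {
		return nil, fmt.Errorf("malformed header")
	}
	// Pinning the algorithm before touching the signature is what rejects
	// "alg":"none" (unsigned) tokens and algorithm-confusion attempts.
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unacceptable alg %q", hdr.Alg)
	}
	pub, ok := keys[hdr.Kid]
	if !ok {
		return nil, fmt.Errorf("no issuer key with kid %q", hdr.Kid)
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature does not verify under the issuer's key")
	}
	// Only a payload whose signature verified is worth parsing.
	rawBody, err := b64.DecodeString(parts[1])
	var c Claims
	if err != nil || json.Unmarshal(rawBody, &c) != nil {
		return nil, fmt.Errorf("malformed payload")
	}
	switch {
	case c.Iss != issuer:
		return nil, fmt.Errorf("unexpected issuer %q", c.Iss)
	case c.Aud != audience:
		return nil, fmt.Errorf("token is for audience %q, not this API", c.Aud)
	case c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)):
		return nil, fmt.Errorf("token has no exp or has expired")
	}
	return &c, nil
}

// stripSignature builds the classic "alg":"none" forgery from a real token.
func stripSignature(token string) string {
	return b64.EncodeToString([]byte(`{"alg":"none"}`)) + "." + strings.Split(token, ".")[1] + "."
}

func main() {
	key := newIssuerKey()
	keys, iss, aud := KeySet{"demo-kid": &key.PublicKey}, "https://example-issuer/v2.0/", "api-client-id"
	good := issueToken(key, "demo-kid", Claims{Iss: iss, Aud: aud, Exp: time.Now().Unix() + 3600})
	_, okErr := validate(good, keys, iss, aud, time.Now())
	_, forgedErr := validate(stripSignature(good), keys, iss, aud, time.Now())
	fmt.Println("signed token:", okErr, "| alg=none token:", forgedErr)
}
```

Two things worth noticing. The public key arrives as bare key material (a modulus and exponent in the JWKS), so there is no chain to walk; trust in it comes from having fetched the discovery document and key set from the tenant's well-known HTTPS address, which is why a certificate validator set to none is not the hole it looks like. And the audience check is what keeps a perfectly valid B2C token issued for some other application from being accepted by this API, so Audience (or ValidAudience) is not optional just because the signature checks out.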
