user145610

Reputation: 3025

401 Unauthorized exception for multi-tenant Web API

Need help in authenticating the token request from any client application to our Web API. We have registered our Web API as a multi-tenant application in Azure AAD. My client application, which has been registered in a different tenant, was able to get an access token from AAD. While making an HTTP request to our endpoint with the access token passed as part of the request header, we are receiving a 401 Unauthorized exception. The reason I found while browsing for the multi-tenant scenario is to disable ValidateIssuer and have a custom handler.

• Is there any custom handler to implement for WindowsAzureActiveDirectoryBearerAuthentication? I see people are using OpenIDConnect, but for the Web API we are using WindowsAzureActiveDirectoryBearerAuthentication, i.e. is there any equivalent event for validation of the access token in UseWindowsAzureActiveDirectoryBearerAuthentication that tells whether the user is authenticated?

• Is there any better standard for validating the access token and telling whether the user is a valid user?

• Can we get the claims of the user by passing the bearer token to the Web API Authorize filter? Or will the HttpRequest object's claims give user information like given name, tenant name, object ID (esp. in the localhost debugging scenario as well)? If we can get that information, we can have our own validation logic.

Please let us know whether this approach is best practice for authenticating a user.

Upvotes: 1

Views: 428

Answers (1)

Nan Yu

Reputation: 27538

You could implement a custom issuer validator and assign it to the IssuerValidator property. This is useful when you can't specify a predefined list of issuers in configuration and need some runtime logic to determine if you trust the issuer presented in the token:

TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters
{
    // Signature: string IssuerValidator(string issuer, SecurityToken token, TokenValidationParameters tvp).
    // Return the issuer to accept it; throw to reject it.
    // 'db' is assumed to be a data context with an Issuers table of trusted issuer URIs.
    IssuerValidator = (issuer, token, tvp) =>
    {
        // Only an issuer present in the trusted-issuer table is accepted;
        // anything unknown is rejected.
        if (db.Issuers.FirstOrDefault(b => b.Issuer == issuer) != null)
            return issuer;

        throw new SecurityTokenInvalidIssuerException("Invalid issuer");
    }
}

You could decode the access token to get basic user information like family_name/given_name, but you can only get that by using the user identity to acquire the access token.

Upvotes: 0
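An added example (not code from the question or the answer) that puts the above together for an OWIN-hosted Web API: issuer validation stays on, but the IssuerValidator accepts only tenants on an allowlist, the audience is still checked, and a controller reads the tenant ID, object ID and given name from the validated claims. The allowlist, the placeholder tenant GUID and the App ID URI are constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Web.Http;
using Microsoft.Owin.Security.ActiveDirectory;
using Owin;

public partial class Startup
{
    // Constructed allowlist of tenant IDs (placeholder GUID); load it from config or a DB in practice.
    static readonly HashSet<string> AllowedTenantIds = new HashSet<string>(
        StringComparer.OrdinalIgnoreCase) { "00000000-0000-0000-0000-000000000001" };
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseWindowsAzureActiveDirectoryBearerAuthentication(
            new WindowsAzureActiveDirectoryBearerAuthenticationOptions
            {
                Tenant = "common", // federation metadata (signing keys) shared by all tenants
                TokenValidationParameters = new TokenValidationParameters
                {
                    ValidAudience = "https://contoso.onmicrosoft.com/my-api", // placeholder App ID URI
                    ValidateIssuer = true,           // keep issuer validation on ...
                    IssuerValidator = ValidateIssuer // ... but decide per tenant at runtime
                }
            });
    }

    // AAD v1 issuers look like https://sts.windows.net/{tenantId}/ ; accept only allowlisted tenants.
    static string ValidateIssuer(string issuer, SecurityToken token, TokenValidationParameters tvp)
    {
        var parts = issuer.Split(new[] { '/' }, StringSplitOptions.RemoveEmptyEntries);
        if (parts.Length == 3 && parts[1] == "sts.windows.net" && AllowedTenantIds.Contains(parts[2]))
            return issuer;
        throw new SecurityTokenInvalidIssuerException("Untrusted issuer: " + issuer);
    }
}
// Once the token validates, its claims are on User in any [Authorize]d controller.
[Authorize]
public class MeController : ApiController
{
    public IHttpActionResult Get()
    {
        var user = (ClaimsPrincipal)User;
        var tid = user.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid")?.Value;
        var oid = user.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier")?.Value;
        return Ok(new { TenantId = tid, ObjectId = oid, GivenName = user.FindFirst(ClaimTypes.GivenName)?.Value });
    }
}
```

A request whose token comes from a tenant not on the allowlist is rejected with 401 at the middleware, before any controller runs, so the controller never has to re-check the issuer itself.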
