Reputation: 1010
I'm trying to get an authorization code, and then hopefully a refresh token, with the OWIN OIDC middleware. However, I'm getting this error:
Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: 'AADSTS50027: Invalid JWT token. AADSTS50027: Invalid JWT token. Token format not valid. Trace ID: 8622dfea-05cd-4080-a52c-ec95a9593800 Correlation ID: 1cf57566-1e02-4856-a4bc-357d5b16ae8a
Note that the authentication part works: I do get the original IdToken back, and the SecurityTokenValidated Notifications event fires. The error above occurs on the "AcquireTokenByAuthorizationCodeAsync" line.
What I'm trying to do is use IdentityServer as an IdP in between Azure AD (upstream) and my client (downstream), and I need to capture the refresh token to validate against AAD when the client tries to use the downstream refresh token, so that I don't issue access tokens when the AAD user has been locked out or removed.
// signInAsType, logger and app are defined elsewhere in the startup class.
// The authority, client id and secret are placeholders (xxx) here; the real
// values live in configuration.
var authority = "https://login.microsoftonline.com/xxx.onmicrosoft.com/v2.0";
var clientId = "xxx-30f5-47c2-9ddb-b5fcfd583f96";
var redirectUri = "http://localhost:60546/oidcCallback";
var clientSecret = "c8RRB4DCUiXMPEotQh2jm2ArgpYAqUMjGhDRKuuJOxxx";

var oidc = new OpenIdConnectAuthenticationOptions
{
    ClientId = clientId,
    Authority = authority,
    Caption = "OIDC",
    // Hybrid flow: the id_token arrives on the front channel together with the code.
    ResponseType = OpenIdConnectResponseTypes.CodeIdToken,
    RedirectUri = redirectUri,
    TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters() { ValidateIssuer = false },
    SignInAsAuthenticationType = signInAsType,
    Notifications = new OpenIdConnectAuthenticationNotifications
    {
        // Fires after SecurityTokenValidated; the code is redeemed on the back channel here.
        AuthorizationCodeReceived = async e =>
        {
            var authContext = new Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext(authority);
            // This is the line that throws AADSTS50027.
            var result = await authContext.AcquireTokenByAuthorizationCodeAsync(
                e.ProtocolMessage.Code,
                new Uri(redirectUri),
                new ClientAssertion(clientId, clientSecret));
            logger.Info(result.IdToken);
        }
    }
};
app.UseOpenIdConnectAuthentication(oidc);
Thanks!
Upvotes: 3
Views: 5582
Reputation: 58733
One thing that I can see is wrong is that you should use ClientCredential, not ClientAssertion:
    // ClientCredential carries the shared secret; ClientAssertion expects a signed JWT.
    var result =
        await authContext.AcquireTokenByAuthorizationCodeAsync(
            e.ProtocolMessage.Code,
            new Uri(redirectUri),
            new ClientCredential(clientId, clientSecret));
And then the second thing. You are using ADAL, but it seems like you are using the v2 endpoint. I assume you registered the app at apps.dev.microsoft.com?
In that case you should use MSAL (https://www.nuget.org/packages/Microsoft.Identity.Client).
The API for MSAL is a bit different: you use a class called ConfidentialClientApplication instead of AuthenticationContext (in this case). Here is a snippet from a sample app:
    // clientId, redirectUri, appKey (the client secret) and userTokenCache come from the sample's config.
    var cca = new ConfidentialClientApplication(clientId, redirectUri, new ClientCredential(appKey), userTokenCache, null);
    // v2 endpoint: request scopes rather than a resource.
    string[] scopes = { "Mail.Read" };
    AuthenticationResult result = await cca.AcquireTokenByAuthorizationCodeAsync(code, scopes);
Sample app: https://github.com/Azure-Samples/active-directory-dotnet-webapp-openidconnect-v2
Upvotes: 6
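The two fixes above put together, as an added example rather than code from either post or from the linked sample: an OWIN AuthorizationCodeReceived handler that redeems the code against the v2 endpoint with MSAL (ConfidentialClientApplication and ClientCredential), and a hypothetical hook the IdentityServer-style broker in the question could call before honouring a downstream refresh token. It targets the MSAL 1.x preview surface shown in the answer's snippet; the class, method and claim names (UpstreamAadBroker, UpstreamUserStillValidAsync, upstream_user_id), the scope list and the placeholder id and secret are all assumptions made for this example.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Identity.Client;
using Microsoft.Owin.Security.OpenIdConnect;

// Added example (not from the question, answer or sample app). Assumes the
// MSAL 1.x preview API: ConfidentialClientApplication, ClientCredential,
// TokenCache, IUser and AcquireTokenSilentAsync with a forceRefresh overload.
public static class UpstreamAadBroker
{
    // Placeholders: the real values belong in configuration, never in source.
    private const string ClientId = "<application-id>";
    private const string ClientSecret = "<client-secret>";
    private const string RedirectUri = "http://localhost:60546/oidcCallback";
    private const string Authority = "https://login.microsoftonline.com/<tenant>/v2.0";

    // offline_access is what makes the v2 endpoint return a refresh token at
    // all. MSAL keeps that refresh token inside the TokenCache and does not
    // expose it on AuthenticationResult, so the cache is what we hold on to.
    private static readonly string[] Scopes = { "openid", "profile", "offline_access", "User.Read" };

    // In-memory cache for the example; a real broker would persist it per user
    // via TokenCache.SetBeforeAccess / SetAfterAccess.
    private static readonly TokenCache UserTokenCache = new TokenCache();

    private static ConfidentialClientApplication NewClient() =>
        new ConfidentialClientApplication(
            ClientId, Authority, RedirectUri, new ClientCredential(ClientSecret), UserTokenCache, null);

    // Wire this up as Notifications.AuthorizationCodeReceived in the OWIN options.
    public static async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedNotification n)
    {
        AuthenticationResult result =
            await NewClient().AcquireTokenByAuthorizationCodeAsync(n.ProtocolMessage.Code, Scopes);

        // Pin the MSAL user identifier to the local session so the broker can
        // find the right cache entry when the downstream client refreshes.
        n.AuthenticationTicket.Identity.AddClaim(new Claim("upstream_user_id", result.User.Identifier));
    }

    // Hypothetical hook: call this before issuing a new downstream access
    // token. forceRefresh: true skips any still-valid cached access token and
    // makes MSAL redeem the cached AAD refresh token, so a user who has since
    // been disabled, deleted or had sessions revoked is rejected by AAD here.
    public static async Task<bool> UpstreamUserStillValidAsync(string upstreamUserId)
    {
        var cca = NewClient();
        IUser user = cca.Users.FirstOrDefault(u => u.Identifier == upstreamUserId);
        if (user == null)
            return false; // no cache entry: code was never redeemed, or the cache was lost

        try
        {
            AuthenticationResult result =
                await cca.AcquireTokenSilentAsync(Scopes, user, Authority, forceRefresh: true);
            return !string.IsNullOrEmpty(result.AccessToken);
        }
        catch (MsalException)
        {
            // AAD refused the refresh (interaction required, account disabled,
            // consent revoked, ...): fail closed and issue nothing downstream.
            return false;
        }
    }
}
```

Without forceRefresh MSAL would happily return a cached access token that is still inside its lifetime, so the lockout would only be noticed once that token expired; with it, every downstream refresh costs one round trip to AAD, which is the price of the guarantee the question asks for. Failing closed on any MsalException is deliberate: a transient error at AAD should not turn into a downstream access token for a user who may no longer exist.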