Ryan

Reputation: 7959

How to configure JwtBearerOptions to include policy name in well-known openid-configuration URL?

I'm trying to add some bearer token verification to my ASP.NET web application. I'm using the built-in JWT authentication code, configured to use the following code ...

services.AddAuthentication(ConfigureAuthentication).AddJwtBearer(ConfigureJwt);

Which runs the following functions ...

private void ConfigureAuthentication(AuthenticationOptions options)
{
    options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
}

private void ConfigureJwt(JwtBearerOptions options)
{
    var directoryId = Configuration["AzureAd:DirectoryId"];
    var directoryName = Configuration["AzureAd:DirectoryName"];
    var policy = Configuration["AzureAd:SigninPolicyName"];

    options.Audience = Configuration["AzureAd:ApplicationId"];
    options.Authority = $"https://{directoryName}.b2clogin.com/{directoryName}.onmicrosoft.com/v2.0";
}

The ConfigureJwt method is the one I'm dealing with. I can't seem to get the underlying JWT code to fetch the openid-configuration from the appropriate URL. It's very close, but it's lacking the policy from the URL. Here is what my above code generates and tries to fetch the openid-configuration from ...

https://example-directory.b2clogin.com/example-directory.onmicrosoft.com/v2.0/.well-known/openid-configuration

And here is what it is supposed to fetch the configuration from, as specified from the Azure portal ...

https://example-directory.b2clogin.com/example-directory.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_SignInPolicy

As you can see, my code above is lacking the policy name.

I can't seem to figure out how to specify this anywhere. Does anybody know how to configure JwtBearerOptions so that it includes this policy name?

Upvotes: 0

Views: 551

Answers (2)

Ryan

Reputation: 7959

I got an answer from a MS employee about how to appropriately do this. You can set the meta address, which is the address from which the configuration is fetched. This way you can keep the authority set to what Azure says it should be, meanwhile have a dynamic meta address. Below is how MS suggests solving this ...

public void ConfigureServices(IServiceCollection services)
{
    // "AuthenticationOptions" here is the app's own settings class bound from configuration;
    // the code below expects it to expose Authority, SignInOrSignUpPolicy and Audience.
    services.Configure<AuthenticationOptions>(configuration.GetSection("Authentication:AzureAd"));

    var serviceProvider = services.BuildServiceProvider();
    var authOptions = serviceProvider.GetService<IOptions<AuthenticationOptions>>();

    services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme) // sets both authenticate and challenge default schemes
        .AddJwtBearer(options =>
        {
            // Authority stays as the portal shows it; the metadata document is fetched per policy.
            options.MetadataAddress = $"{authOptions.Value.Authority}/.well-known/openid-configuration?p={authOptions.Value.SignInOrSignUpPolicy}";
            options.Audience = authOptions.Value.Audience;
        });
}

Upvotes: 0

juunas

Reputation: 58723

I think the Authority needs to be:

https://{directoryName}.b2clogin.com/{directoryName}.onmicrosoft.com/B2C_1A_signup_signin/v2.0

Replace B2C_1A_signup_signin with your policy id.

That contains the policy id and it'll download the metadata from the correct place.

Upvotes: 2
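Both answers come down to the same point: the issuer and signing keys that validate a B2C token are published in a policy-specific discovery document, so the handler has to fetch that document rather than the tenant-level one. The following is an added example, not code from the question or either answer, that wires this up end to end in a Startup-style extension method. It keeps the portal's Authority value, sets MetadataAddress with the policy in the query string as in the accepted approach, and makes the validation flags explicit. The settings class AzureAdB2cSettings, the "AzureAdB2C" configuration section and the AddB2cJwtBearer method name are assumptions for this example; it binds configuration with Get<T>() instead of building a second service provider inside ConfigureServices.

```csharp
// Added example (not from the question or answers). Names such as AzureAdB2cSettings,
// the "AzureAdB2C" section and AddB2cJwtBearer are assumptions for this illustration.
using System;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public sealed class AzureAdB2cSettings
{
    public string DirectoryName { get; set; }    // e.g. "example-directory" (constructed value)
    public string ApplicationId { get; set; }    // the API's application (client) id; becomes the expected audience
    public string SigninPolicyName { get; set; } // e.g. "B2C_1_SignInPolicy" (constructed value)

    // Authority exactly as the Azure portal shows it (no policy in the path).
    public string Authority =>
        $"https://{DirectoryName}.b2clogin.com/{DirectoryName}.onmicrosoft.com/v2.0";

    // Policy-specific discovery document; the policy is passed as the "p" query parameter.
    public string MetadataAddress =>
        $"{Authority}/.well-known/openid-configuration?p={Uri.EscapeDataString(SigninPolicyName)}";
}

public static class JwtBearerSetup
{
    public static IServiceCollection AddB2cJwtBearer(this IServiceCollection services, IConfiguration configuration)
    {
        // Bind once from the configuration section; fail fast on a missing policy name,
        // because without it the handler would fetch the tenant-level document and fail later.
        var settings = configuration.GetSection("AzureAdB2C").Get<AzureAdB2cSettings>()
            ?? throw new InvalidOperationException("Configuration section 'AzureAdB2C' is missing.");
        if (string.IsNullOrWhiteSpace(settings.SigninPolicyName))
            throw new InvalidOperationException("AzureAdB2C:SigninPolicyName must be set.");

        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.Authority = settings.Authority;
                options.MetadataAddress = settings.MetadataAddress;
                options.Audience = settings.ApplicationId;
                options.RequireHttpsMetadata = true; // the default, stated explicitly

                // Issuer and signing keys are taken from the fetched metadata document,
                // so only the checks themselves need to be switched on here.
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,
                    ValidateAudience = true,
                    ValidateLifetime = true,
                    ValidateIssuerSigningKey = true,
                    ClockSkew = TimeSpan.FromMinutes(2),
                };
            });

        return services;
    }
}
```

Call it from ConfigureServices as `services.AddB2cJwtBearer(Configuration);`. If you prefer the approach in the second answer, set `options.Authority` to the per-policy path (`.../{policy}/v2.0`) and leave MetadataAddress unset; the handler then appends `/.well-known/openid-configuration` to the authority itself. Either way, the audience check is what ties a token to this API, so keep `Audience` set to the API's own application id rather than leaving audience validation off.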
