Enis

Reputation: 95

How to Validate an OpenID Connect Access Token generated by Azure AD v2 in an ASP.NET Core Web API?

How to validate an OpenID Connect access token generated by Azure AD (v2!!!) in an ASP.NET Core Web API?

The Scenario is:

I have an Angular 8 client application which gets an OpenID Connect access token after login. The client can call the API along with the access token. But the question is, how should I validate that token in the ASP.NET Core API?

With this code I get an authorization error without any description.

services.AddAuthentication(AzureADDefaults.BearerAuthenticationScheme)
        .AddAzureADBearer(options => Configuration.Bind("AzureAd", options));

services.AddCors(options =>
{
    options.AddDefaultPolicy(builder =>
    {
        // Wide-open CORS policy: any origin, any method, any header.
        builder.AllowAnyOrigin();
        builder.AllowAnyMethod();
        builder.AllowAnyHeader();
    });
});

Microsoft.AspNetCore.Authorization.DefaultAuthorizationService:Information: Authorization failed.
Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker:Information: Authorization failed for the request at filter 'Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter'.
Microsoft.AspNetCore.Mvc.ChallengeResult:Information: Executing ChallengeResult with authentication schemes ().
Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler:Information: AuthenticationScheme: AzureADJwtBearer was challenged.

"AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "localhost",
    "TenantId": "myTenantId",
    "ClientId": "myClientId"
},

Upvotes: 1

Views: 3699

Answers (1)

Nan Yu

Reputation: 27538

The Domain is not localhost. You need to specify the TenantId only if you want to accept access tokens from a single tenant. Otherwise, you can leave it set to common:

This value can be:
- A GUID (Tenant ID = Directory ID)
- 'common' (any organization and personal accounts)
- 'organizations' (any organization)
- 'consumers' (Microsoft personal accounts)

And you should change to use the Microsoft identity platform endpoint (Azure AD v2.0 endpoint) by adding this code to the Startup.cs file:

services.Configure<JwtBearerOptions>(AzureADDefaults.JwtBearerAuthenticationScheme, options =>
{
    // This is a Microsoft identity platform web API.
    // AddAzureADBearer has already set Authority = Instance + TenantId;
    // appending "/v2.0" switches metadata discovery to the v2.0 endpoint.
    options.Authority += "/v2.0";

    // ...
});

You can click here for detail explanation and code sample .

Upvotes: 2
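A complete Startup.cs for the scenario in the question, added here as an example (it is not code from the question, from the answer, or from the Microsoft sample the answer links). It assumes ASP.NET Core 3.1 with the Microsoft.AspNetCore.Authentication.AzureAD.UI package, an "AzureAd" configuration section like the question's with TenantId set to the directory GUID, and a placeholder Angular origin of http://localhost:4200. Beyond the answer's Authority change, it pins the accepted audience and issuer and logs the real validation failure that the question's bare 401 hides.

```csharp
// Added example, not from the original post. Assumes ASP.NET Core 3.1 and the
// Microsoft.AspNetCore.Authentication.AzureAD.UI package; "AzureAd:TenantId" is a GUID.
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.AzureAD.UI;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;

    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(AzureADDefaults.BearerAuthenticationScheme)
                .AddAzureADBearer(options => Configuration.Bind("AzureAd", options));

        string clientId = Configuration["AzureAd:ClientId"];
        // Tenants whose tokens this API accepts: here only the configured tenant. For a
        // multi-tenant API load the allow-list from configuration rather than trusting "common".
        var trustedTenants = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            Configuration["AzureAd:TenantId"]
        };

        // Registered after AddAzureADBearer, so Authority is already Instance + TenantId and
        // the "/v2.0" suffix switches metadata discovery to the Microsoft identity platform.
        services.Configure<JwtBearerOptions>(AzureADDefaults.JwtBearerAuthenticationScheme, options =>
        {
            options.Authority += "/v2.0";

            // Accept only tokens minted for this API. Depending on how the API was exposed,
            // v2.0 tokens carry either the bare client id or "api://<client id>" as "aud";
            // a token whose audience is the Angular app itself must be rejected.
            options.TokenValidationParameters.ValidAudiences = new[] { clientId, $"api://{clientId}" };

            // v2.0 tokens have iss = https://login.microsoftonline.com/{tid}/v2.0. Pin the issuer
            // to the trusted tenants; the discovery document for "common" only exposes a
            // templated issuer, so the default literal comparison cannot do this for you.
            options.TokenValidationParameters.IssuerValidator = (issuer, token, parameters) =>
            {
                string tid = (token as JwtSecurityToken)?.Claims
                    .FirstOrDefault(c => c.Type == "tid")?.Value;
                string expected = $"https://login.microsoftonline.com/{tid}/v2.0";

                if (tid != null && trustedTenants.Contains(tid)
                    && string.Equals(issuer, expected, StringComparison.OrdinalIgnoreCase))
                {
                    return issuer;
                }
                throw new SecurityTokenInvalidIssuerException($"Untrusted issuer '{issuer}'.")
                {
                    InvalidIssuer = issuer
                };
            };

            // Log the actual validation failure; by default the client only sees an empty 401.
            options.Events = new JwtBearerEvents
            {
                OnAuthenticationFailed = ctx =>
                {
                    ctx.HttpContext.RequestServices.GetRequiredService<ILogger<Startup>>()
                       .LogWarning(ctx.Exception, "Bearer token rejected");
                    return Task.CompletedTask;
                }
            };
        });

        // CORS only controls which browser origins may read responses; it is not an
        // authorization boundary, so name the SPA's origin instead of AllowAnyOrigin().
        services.AddCors(options => options.AddDefaultPolicy(builder =>
            builder.WithOrigins("http://localhost:4200")   // placeholder for the Angular app
                   .AllowAnyHeader()
                   .AllowAnyMethod()));

        services.AddControllers();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseCors();
        app.UseAuthentication();   // must run before UseAuthorization and the endpoints
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}
```

If you do leave TenantId at common as the answer allows, the v2.0 discovery document's issuer is the template https://login.microsoftonline.com/{tenantid}/v2.0, so the built-in issuer check cannot match it literally; the IssuerValidator above is what keeps a multi-tenant API from accepting a token from any Azure AD tenant, provided it compares tid against an allow-list rather than returning the issuer unconditionally. The OnAuthenticationFailed hook is also the quickest way to find out why the question's setup fails: the exception names the rejected audience, issuer or signing key instead of the silent challenge shown in the log.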
