Bruno Farias

Reputation: 913

Using OpenID access_token on a .NET Core API

I have an angular application that's authenticating users using OpenID, in which I have access to the access_token that should be used to authenticate against other services.

I'm currently using the Authentication Code flow of OAuth/OpenID.

I am trying to use that access_token to authenticate users on a .NET Core Web API. Whatever combination of settings I make here doesn't seem to get me any closer to the solution.

Startup.cs

 services.AddAuthentication(options =>
 {
     options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
     options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
     options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
 })
 .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme)
 .AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options =>
 {
     options.Authority = oauthOptions.Authority;
     options.ClientId = oauthOptions.ClientId;
     options.ClientSecret = oauthOptions.ClientSecret;

     options.ResponseType = OpenIdConnectResponseType.Code;
     options.UsePkce = true;
     options.GetClaimsFromUserInfoEndpoint = true;
     options.SaveTokens = true;

     oauthOptions.Scopes.ForEach(scope => options.Scope.Add(scope));
 });

I appreciate any guidance/link on this.

Upvotes: 3

Views: 2182

Answers (1)

Martin Ullrich

Reputation: 100791

In this case what you most likely need is JWT Bearer Authentication or a Token Introspection library which validates the access token against the Identity Provider.

For JWT, this is provided via the Microsoft.AspNetCore.Authentication.JwtBearer NuGet package and can be used like this:

services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = "https://url.to.your/identity-provider";
        // your expected audience - e.g. a guid or the resource/API identifier
        options.Audience = "your-expected-audience";
    });

This way you can get and update JWT Bearer access tokens in your SPA application and send authenticated requests to the API backend (using Authorization: Bearer ... headers).

If your identity provider uses reference tokens (i.e., they don't contain the authentication information but instead need to be used to get the authentication information from the identity provider), you will need to use token introspection. This is - for example - provided by third party libraries like IdentityModel.AspNetCore.OAuth2Introspection.

Example for using IdentityModel.AspNetCore.OAuth2Introspection:

services.AddAuthentication(OAuth2IntrospectionDefaults.AuthenticationScheme)
    .AddOAuth2Introspection(options =>
    {
        options.Authority = "https://url.to.your/identity-provider";
        // Introspection requires client credentials to authenticate the requests
        options.ClientId = "client_id_for_introspection_endpoint";
        options.ClientSecret = "client_secret_for_introspection_endpoint";
    });

Upvotes: 5
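A fuller version of the JWT bearer setup from the answer, as an added example rather than code from the question or answer: it pins issuer and audience explicitly, tightens clock skew, and adds a scope-based policy so a token minted for a different API (or without the right scope) is rejected. The authority URL, audience name and `api.read` scope are placeholders.

```csharp
using System;
using System.Linq;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // Signing keys are fetched from the provider's discovery document.
                options.Authority = "https://idp.example.com";   // placeholder
                options.RequireHttpsMetadata = true;              // never fetch keys over plain HTTP
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,
                    ValidIssuer = "https://idp.example.com",     // placeholder, must match "iss"
                    ValidateAudience = true,
                    ValidAudience = "my-api",                     // placeholder, must match "aud"
                    ValidateLifetime = true,
                    ClockSkew = TimeSpan.FromMinutes(1),          // default is 5 minutes
                    NameClaimType = "sub",
                };
            });

        services.AddAuthorization(options =>
            // "scope" may be one space-separated claim or several claims; accept both.
            options.AddPolicy("ApiRead", policy => policy.RequireAssertion(ctx =>
                ctx.User.FindAll("scope")
                   .SelectMany(c => c.Value.Split(' '))
                   .Contains("api.read"))));

        services.AddControllers();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();   // validates the Authorization: Bearer header
        app.UseAuthorization();    // enforces [Authorize] policies
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}

[ApiController, Route("api/[controller]")]
public class ProfileController : ControllerBase
{
    [HttpGet, Authorize(Policy = "ApiRead")]
    public IActionResult Get() => Ok(new { user = User.Identity?.Name });
}
```

The SPA keeps the cookie/OIDC sign-in for itself and only forwards the access token to this API in the `Authorization: Bearer` header; a token whose `aud` is the SPA's client id rather than `my-api` fails audience validation with 401.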
