Allan Xu

Reputation: 9358

What exact token validation is done by Microsoft.Identity.Web’s aspnet core middleware?

I am building an ASP.NET Core application that uses AAD (B2C later on) to authenticate users.

I understand that OAuth2 and OpenID Connect JWT tokens must be validated. It is very important.

I am going through this code example:

https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/4-WebApp-your-API/4-3-AnyOrg/TodoListService/Startup.cs#L34

The example uses this Microsoft.Identity.Web's middleware for authentication.

    services.AddMicrosoftIdentityWebApiAuthentication(Configuration)
            .EnableTokenAcquisitionToCallDownstreamApi()
            .AddInMemoryTokenCaches();

Which of the following validations is done by the above middleware?

  1. Validate JWT's signature
  2. Validate not before and expiration time
  3. Validate nonce

Is there any documentation that confirms what exact validations are done automatically by Microsoft.Identity.Web and what type of validation I need to do manually? (I think the issuer claim is manual code.)

Upvotes: 2

Views: 3192

Answers (1)

RahulKumarShaw

Reputation: 4612

Microsoft.Identity.Web - The main package. Required by all apps that use Microsoft Identity Web

Microsoft recommends you use the Microsoft.Identity.Web NuGet package when developing a web API with ASP.NET Core.

It has a lot of dependencies; you can check the details from this Link.

One of the dependencies, for .NetCoreApp3.1, is Microsoft.AspNetCore.Authentication.JwtBearer (>= 3.1.18).

The JwtBearer middleware, like the OpenID Connect middleware in web apps, validates the token based on the value of TokenValidationParameters. The token is decrypted as needed, the claims are extracted, and the signature is verified. The middleware then validates the token by checking for this data:

Audience: The token is targeted for the web API.

Sub: It was issued for an app that's allowed to call the web API.

Issuer: It was issued by a trusted security token service (STS).

Expiry: Its lifetime is in range.

Signature: It wasn't tampered with.

For more information you can follow this MS documentation.

Upvotes: 3
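The checks the answer lists, made explicit in the question's `Startup` as an added example (not code from the linked sample or from Microsoft.Identity.Web itself): it assumes the sample's `AzureAd:ClientId` configuration key, and the scope/role check at the end is an extra application-level rule, not one of the library's built-in validations.

```csharp
using System;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }
    public void ConfigureServices(IServiceCollection services)
    {
        // Same registration as in the question: wires JwtBearer to the AzureAd settings.
        services.AddMicrosoftIdentityWebApiAuthentication(Configuration)
                .EnableTokenAcquisitionToCallDownstreamApi()
                .AddInMemoryTokenCaches();

        // Applied after Microsoft.Identity.Web's own setup of the scheme, so the
        // switches below make the built-in checks explicit and tighten them.
        services.Configure<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme, options =>
        {
            var tvp = options.TokenValidationParameters;
            var clientId = Configuration["AzureAd:ClientId"];   // assumed appsettings key
            tvp.RequireSignedTokens = true;          // reject unsigned ("alg": "none") tokens
            tvp.ValidateIssuerSigningKey = true;     // signing key must come from STS metadata
            tvp.RequireExpirationTime = true;        // an exp claim is mandatory
            tvp.ValidateLifetime = true;             // checks nbf and exp
            tvp.ClockSkew = TimeSpan.FromMinutes(1); // library default is 5 minutes
            tvp.ValidateAudience = true;             // both audience forms AAD issues for an API
            tvp.ValidAudiences = new[] { clientId, $"api://{clientId}" };
            tvp.ValidateIssuer = true;               // uses the AAD issuer validator already installed
            // Nonce is not a bearer-token check: the OpenID Connect handler verifies it
            // on id_tokens in web apps; a web API never sees one.
            // Extra application-level check after the built-in validation: a token for
            // this API must carry a delegated scope or an app role, otherwise reject it.
            options.Events ??= new JwtBearerEvents();
            var inner = options.Events.OnTokenValidated;   // keep the library's handler
            options.Events.OnTokenValidated = async ctx =>
            {
                await inner(ctx);
                bool hasScope = ctx.Principal?.HasClaim(c => c.Type == "scp"
                    || c.Type == "http://schemas.microsoft.com/identity/claims/scope") == true;
                bool hasRole = ctx.Principal?.HasClaim(c => c.Type == "roles") == true;
                if (!hasScope && !hasRole)
                    ctx.Fail("Token has neither scp nor roles claim for this API.");
            };
        });
    }
}
```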
