For context, I have OpenIdConnect with an ASP.NET 4 Web App working using Owin (and a lot of help from Modern Authentication with Azure Active Directory for Web Applications).

I now want to secure a separate ASP.NET 5 Web API project (to be hosted in the same AD tenant in Azure as a microservice). I started with the simple ASP.NET 5 WebApi generated in Visual Studio and added the following to the Configure in Startup.cs (at the beginning of the pipeline):

// ASP.NET 5 Startup.Configure: OAuth2 middleware registered at the start of the pipeline
app.UseOAuthAuthentication(new OAuthOptions()
{
    ClientId = "71d33a1c-505c-4815-a790-8494dd2bb430",
    ClientSecret = "LajQFbf1/Nyt/6zCP5vE5YWj5VC4aNaC3i/SRtEj2sI=",
    TokenEndpoint = "https://login.microsoftonline.com/7058f4f0-619f-4c16-ac31-9e209d70ff23/oauth2/token",
    AuthorizationEndpoint = "https://login.microsoftonline.com/7058f4f0-619f-4c16-ac31-9e209d70ff23/oauth2/authorize",
    AuthenticationScheme = "OAuth2Bearer",
    CallbackPath = "/api/values"   // the API route the request is sent to
});

This gives me an error that indicates SignInScheme must be provided, but I'm not clear on what that value should be. If I add in a string, say "OAuth2Bearer", I get further, but I still get a 500 error on the request; no exception is raised in the API app, nor does the breakpoint on the first line in my API controller implementation get hit.

What am I missing? Ideally, I want to then extend the Events of OAuthOptions to add a custom claim, analogous to what I did with OpenIdConnect and the SecurityTokenValidated notification.

1 Answer

The OAuth2 base middleware cannot be used for token validation as it's an OAuth2 client middleware made for handling interactive flows like the authorization code flow. All the existing OAuth2 social providers (e.g. Facebook or Google) inherit from this middleware.

You're actually looking for the JWT bearer middleware:

app.UseJwtBearerAuthentication(options => {
    // authenticate every request carrying a bearer token and challenge (401) when one is missing or invalid
    options.AutomaticAuthenticate = true;
    options.AutomaticChallenge = true;

    // issuer and signing keys are discovered from the OIDC server's metadata document
    options.Authority = "[address of your OIDC server]";
    // the audience the access tokens are issued for (this API); tokens for other resources are rejected
    options.Audience = "[audience of the access tokens issued by the OIDC server]";
});

To learn more about the different OAuth2/OIDC middleware in ASP.NET Core, don't miss this other SO post: Configure the authorization server endpoint.

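As an added example (written for this page, not code from the question, the answer, or the ASP.NET project), here is what a complete JWT bearer setup for an Azure AD protected API can look like, including the custom-claim hook the question asks about. It assumes the released Microsoft.AspNetCore.Authentication.JwtBearer 1.x package (the event names differ from the pre-release ASP.NET 5 bits), a `{tenant-id}` placeholder for the tenant, a placeholder App ID URI as the audience, and a hypothetical `urn:example:tenant-role` claim.

```csharp
// Added example, not from the question or answer above.
// Assumes Microsoft.AspNetCore.Authentication.JwtBearer 1.x; {tenant-id},
// the audience URI and the urn:example:tenant-role claim are placeholders.
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc(); // also registers the authorization services used by [Authorize]
    }

    public void Configure(IApplicationBuilder app, ILoggerFactory loggerFactory)
    {
        var logger = loggerFactory.CreateLogger<Startup>();

        app.UseJwtBearerAuthentication(new JwtBearerOptions
        {
            AutomaticAuthenticate = true,
            AutomaticChallenge = true,

            // Issuer and signing keys come from this authority's discovery document.
            // A token-validating API never needs the ClientSecret of the OAuth2 client.
            Authority = "https://login.microsoftonline.com/{tenant-id}",

            // Must match the App ID URI (or client id) of THIS API's app registration;
            // access tokens issued for any other resource are rejected.
            Audience = "https://contoso.onmicrosoft.com/my-api",

            TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuer = true,
                ValidateAudience = true,
                ValidateLifetime = true,
                ValidateIssuerSigningKey = true,
                ClockSkew = TimeSpan.FromMinutes(1) // tighter than the 5-minute default
            },

            Events = new JwtBearerEvents
            {
                // Counterpart of the OpenIdConnect SecurityTokenValidated notification:
                // runs only after signature, issuer, audience and lifetime checks passed.
                OnTokenValidated = context =>
                {
                    var identity = context.Ticket.Principal.Identity as ClaimsIdentity;
                    if (identity != null)
                    {
                        // Hypothetical application claim derived from the Azure AD object id;
                        // in practice this would be a lookup against your own user store.
                        var oid = identity.FindFirst(
                            "http://schemas.microsoft.com/identity/claims/objectidentifier")?.Value;
                        identity.AddClaim(new Claim("urn:example:tenant-role",
                            oid != null ? "member" : "guest"));
                    }
                    return Task.FromResult(0);
                },

                // Record why a token was rejected; the caller only sees the 401 challenge.
                OnAuthenticationFailed = context =>
                {
                    logger.LogWarning("Bearer token rejected: {Reason}", context.Exception.Message);
                    return Task.FromResult(0);
                }
            }
        });

        app.UseMvc();
    }
}

// AutomaticAuthenticate alone does not block anonymous requests:
// the endpoint must still carry [Authorize].
[Authorize]
[Route("api/[controller]")]
public class ValuesController : Controller
{
    [HttpGet]
    public IActionResult Get() => Ok(User.FindFirst("urn:example:tenant-role")?.Value);
}
```

The point of the TokenValidationParameters block is that audience and issuer validation are what stop a token minted for a different API in the same tenant from being accepted here; the custom claim is only added once those checks have passed, so downstream authorization can trust it.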