I've got a .NET Core web API that is running on a machine in company intranet A and that has no internet access.
Then I have a website in intranet B which is authenticated in Azure AD.
I want to send a request from B to A with the header Authentication: JwtTokenFromAzure.
What is the best option to validate this token?

krkozlow

1 Answer

4

To validate an id_token or an access_token, your app should validate both the token's signature and the claims. You could validate the token manually by using jwt.io, or you could use code.

To validate the token manually, you should first validate the token's signature. Tokens issued by Azure AD are signed using industry standard asymmetric encryption algorithms; the header of the JWT contains information about the key and encryption method used to sign the token.

[image: decoded token header]

Note: the alg claim indicates the algorithm that was used to sign the token, while the kid claim indicates the particular public key that was used to sign the token. The v1.0 endpoint returns both the x5t and kid claims, while the v2.0 endpoint responds with only the kid claim.

This is a v1 token header sample. Here you could use the kid value to find the related public key (x5c) in the jwks_uri by using the OpenID Connect metadata document.

[image: matching key entry in the jwks_uri document]

And then in jwt.io, paste the x5c value in the public key box:

[image: jwt.io public key box]

with the format like this:

[image: x5c value as a PEM certificate block]

For the details, you could read here.

If you want to use code to validate the token, there is a sample for you:

using System.IdentityModel.Tokens.Jwt;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

// Uses the Microsoft.IdentityModel 5.x packages that run on .NET Core;
// the older IssuerSigningTokens/SigningTokens members do not exist there.
public JwtSecurityToken Validate(string token)
{
    // OpenID Connect metadata document; its jwks_uri publishes the signing keys
    string stsDiscoveryEndpoint = "https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration";

    var configManager = new ConfigurationManager<OpenIdConnectConfiguration>(
        stsDiscoveryEndpoint, new OpenIdConnectConfigurationRetriever());

    // Downloads and caches the metadata, refreshing it periodically so key rollover is picked up
    OpenIdConnectConfiguration config = configManager.GetConfigurationAsync().Result;

    var validationParameters = new TokenValidationParameters
    {
        // Signature check: the token's kid must match one of the published keys
        IssuerSigningKeys = config.SigningKeys,

        // Claim checks: replace the placeholders with your tenant's issuer and
        // your API's audience (client id or App ID URI); do not switch these off
        ValidateIssuer = true,
        ValidIssuer = "<your-tenant-issuer>",
        ValidateAudience = true,
        ValidAudience = "<your-api-audience>",
        ValidateLifetime = true
    };

    var tokenHandler = new JwtSecurityTokenHandler();

    // Throws a SecurityTokenException (bad signature, expired, wrong audience, ...) on failure
    SecurityToken jwt;
    var principal = tokenHandler.ValidateToken(token, validationParameters, out jwt);

    return jwt as JwtSecurityToken;
}

For the details about the code sample, please refer to this case.

SunnySun
In case anybody runs into this, if your token contains a nonce field in the header, it is not possible to validate the token's signature. MS expects you to validate it essentially by making a call to the graph API. If the token is valid, the call will succeed. Otherwise it will fail. See: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/609 – RMD Feb 06 '19 at 13:14
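As an added illustration of the manual steps in the answer above (this is not code from the answer or from Microsoft), the following Python decodes the token header, takes its kid, finds the matching entry in a jwks document and wraps that entry's x5c value into the PEM block jwt.io expects. It also refuses a header that carries a nonce, the case raised in the comment. The header, jwks document and x5c value are constructed samples, not real Azure AD material.

```python
import base64
import json

# Constructed sample data (not real Azure AD material): a v1.0-style token header
# carrying alg, x5t and kid, and a jwks document like the one behind jwks_uri.
SAMPLE_HEADER = {"typ": "JWT", "alg": "RS256", "x5t": "demo-kid-1", "kid": "demo-kid-1"}
SAMPLE_X5C = "MIIC" + "A" * 120 + "=="   # stands in for a base64 DER certificate
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "use": "sig", "kid": "demo-kid-0", "x5c": ["MIID" + "B" * 60]},
    {"kty": "RSA", "use": "sig", "kid": "demo-kid-1", "x5t": "demo-kid-1", "x5c": [SAMPLE_X5C]},
]}

def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_token(header: dict) -> str:
    # Builds header.payload.signature with an empty payload and a dummy signature,
    # only so the header-parsing path below gets realistic input
    h = base64.urlsafe_b64encode(json.dumps(header).encode()).rstrip(b"=").decode()
    return f"{h}.e30.c2ln"

def parse_header(token: str) -> dict:
    return json.loads(b64url_decode(token.split(".")[0]))

def x5c_to_pem(x5c: str) -> str:
    # jwt.io wants the certificate as a PEM block: base64 in 64-character lines
    lines = [x5c[i:i + 64] for i in range(0, len(x5c), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----"

def signing_cert_pem(token: str, jwks: dict) -> str:
    header = parse_header(token)
    if header.get("alg") != "RS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    if "nonce" in header:
        # A nonce in the header means the signature cannot be checked against jwks keys
        raise ValueError("header carries a nonce; cannot verify locally")
    kid = header.get("kid")
    for key in jwks["keys"]:
        if key.get("kid") == kid and key.get("x5c"):
            return x5c_to_pem(key["x5c"][0])
    raise LookupError(f"no signing key with kid {kid!r} in jwks")

if __name__ == "__main__":
    print(signing_cert_pem(make_token(SAMPLE_HEADER), SAMPLE_JWKS))
```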