
I have a Xamarin mobile app that uses Azure AD to authenticate its users.

I would like to use the token that is stored on the app to access data on an API. I have this working on an old API, but I have created an ASP.NET Core API and I would like to use the same token as I slowly migrate the data access from one API to the other.

I have set up access in the ASP.NET Core startup class as follows:

    services.AddAuthentication(sharedoptions =>
    {
        sharedoptions.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
        sharedoptions.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
    })
    .AddJwtBearer(options =>
    {
        options.Authority = "https://login.microsoftonline.com/{ad name}.onmicrosoft.com";
        options.Audience = "api://{app service guid}";

        options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidAudiences = new List<string> { "{app service guid}" },
            ValidIssuers = new List<string> { "https://login.microsoftonline.com/{Azure AD guid}/v2.0/token" }
        };
    });

I test with Postman and get an Unauthorised status from the ASP.NET Core API, but an OK (authorised) status from the old API, so I know the token is working.

Does my setup appear to be correct, or am I missing some configuration?

flowagss
  • You should request a new token for the ASP.NET Core API instead of using the previous token. You should not be validating an access token that is not meant for you. You can refer to my previous answer: https://stackoverflow.com/questions/63410297/how-to-make-azure-ad-access-token-compliant-for-its-signature-validation-outside/63449621#63449621 – Carl Zhao Aug 24 '20 at 06:44

1 Answer

You can change this piece of code like below in case you are using B2C:

    services.AddAuthentication(options =>
    {
        options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
    })
    // Named scheme; the same name is referenced again in the authorization policy below.
    .AddJwtBearer("ADB2C", jwtOptions =>
    {
        jwtOptions.Authority = $"{appConfiguration.AppSettings.Adb2cInstance}/{appConfiguration.AppSettings.Adb2cDomain}/{appConfiguration.AppSettings.Adb2cPolicy}/v2.0/";
        jwtOptions.Audience = appConfiguration.AppSettings.Adb2cClientId;
        jwtOptions.RequireHttpsMetadata = bool.Parse(configuration["AppSettings:RequireHttpsMetadata"]); // NOTE: this is set only for dev purposes. Remove for higher environments.
        jwtOptions.Events = new JwtBearerEvents
        {
            OnAuthenticationFailed = arg =>
            {
                // invoked if authentication fails
                return Task.FromResult(0);
            }
        };
    });

    services.AddAuthorization(options =>
    {
        options.DefaultPolicy = new AuthorizationPolicyBuilder().RequireAuthenticatedUser().AddAuthenticationSchemes("ADB2C").Build();
    });
Harshita Singh
  • @flowagss, if the above response answers your question, you can click on the green tick and accept it as the answer, to help other community folks. – Harshita Singh Aug 24 '20 at 11:56
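As an added diagnostic, not code from the question or the answer: decode the token's payload offline and compare its iss and aud claims with the ValidIssuers/ValidAudiences the API is configured with, mirroring the question's setup. The tenant and app GUIDs are constructed placeholders and the sample token is constructed with a placeholder signature; the code only inspects claims and does not verify the token, so it explains a 401, it never replaces validation.

```python
import base64
import json

# Values mirroring the question's JwtBearer setup; both GUIDs are constructed placeholders.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
APP_ID = "66666666-7777-8888-9999-000000000000"
# The question lists the token endpoint as issuer. Azure AD v2.0 tokens actually carry
# iss = https://login.microsoftonline.com/{tenant}/v2.0 (no /token suffix), and v1.0
# tokens carry iss = https://sts.windows.net/{tenant}/, so an exact-match issuer check fails.
QUESTION_ISSUERS = [f"https://login.microsoftonline.com/{TENANT_ID}/v2.0/token"]
CORRECT_ISSUERS = [f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"]
# options.Audience plus ValidAudiences from the question; either value is accepted.
VALID_AUDIENCES = [f"api://{APP_ID}", APP_ID]


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def read_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. Inspection only: no signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected compact JWS form header.payload.signature")
    return json.loads(_unb64url(parts[1]))


def diagnose(token: str, valid_issuers: list, valid_audiences: list) -> list:
    """Name each ValidateIssuer/ValidateAudience check that would reject the token."""
    claims = read_claims(token)
    problems = []
    iss = claims.get("iss")
    if iss not in valid_issuers:
        problems.append(f"issuer {iss!r} is not in ValidIssuers {valid_issuers}")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if not any(a in valid_audiences for a in auds):
        problems.append(f"audience {aud!r} is not in ValidAudiences {valid_audiences}")
    return problems


def make_sample_token(claims: dict) -> str:
    """Constructed sample token with a placeholder signature; no real validator accepts it."""
    header = {"alg": "RS256", "typ": "JWT"}
    return f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}.placeholder"


# A v2.0-style access token as the mobile app would present it (constructed claims).
SAMPLE_TOKEN = make_sample_token({"iss": CORRECT_ISSUERS[0], "aud": APP_ID, "ver": "2.0"})
```

Running diagnose(SAMPLE_TOKEN, QUESTION_ISSUERS, VALID_AUDIENCES) reports only the issuer mismatch, which is what the Postman 401 hides.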