I am using Azure AD for authentication. I am able to get an ID (identity) token and information about the user like this:
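// Add default authentication scheme: the cookie carries the signed-in session,
// OpenID Connect (Azure AD) is used to challenge unauthenticated requests.
Microsoft.AspNetCore.Authentication.AuthenticationBuilder authenticationBuilder = services.AddAuthentication(configureOptions =>
{
    configureOptions.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    configureOptions.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    configureOptions.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
});

// Add my own JWT handler (validates the self-signed access tokens this app issues).
authenticationBuilder.AddScheme<MyOwnJwtBearerAuthenticationSchemeOptions, MyOwnJwtBearerAuthenticationHandler>(
    MyOwnJwtBearerDefaults.AuthenticationScheme,
    configureOptions =>
    {
        //Some config goes here
    });

authenticationBuilder.AddCookie();

// Fail fast at startup with the offending key name instead of letting a missing
// setting surface later as a null Authority / ClientId / issuer validator.
string RequiredSetting(string key) =>
    configuration[key] ?? throw new InvalidOperationException($"Missing configuration value '{key}'.");

string oidcInstance = RequiredSetting("AzureAd:Instance");
string oidcDomain = RequiredSetting("AzureAd:Domain");
string oidcClientId = RequiredSetting("AzureAd:ClientId");
string oidcTenantId = RequiredSetting("AzureAd:TenantId");
// NOTE(review): the client secret is read from configuration; make sure the
// configuration provider backing this key is a secret store, not a checked-in file.
string oidcClientSecret = RequiredSetting("AzureAd:ClientSecret");

// Lifetime of the self-signed access token; kept short because the token will
// live in the browser.
const int accessTokenLifetimeMinutes = 5;

authenticationBuilder.AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
    // The Authority is pinned to the public-cloud login host while issuer validation
    // below is driven by AzureAd:Instance — the two should agree (TODO confirm).
    options.Authority = $"https://login.microsoftonline.com/{oidcTenantId}/v2.0/";
    options.ClientId = oidcClientId;
    options.ClientSecret = oidcClientSecret;
    options.ResponseType = OpenIdConnectResponseType.CodeIdToken;
    options.CallbackPath = "/signin-oidc";
    options.TokenValidationParameters.IssuerValidator = AadIssuerValidator.GetAadIssuerValidator(oidcInstance).Validate;
    options.GetClaimsFromUserInfoEndpoint = true;

    options.Events.OnUserInformationReceived = userInformationReceivedContext =>
    {
        // Get info about the user from the principal built from the ID token / userinfo response.
        if (userInformationReceivedContext.Principal is { } principal)
        {
            // NOTE(review): preferred_username is a mutable, human-readable identifier;
            // for a stable "sub" in the issued token the immutable "oid" (or "sub") claim
            // is the usual choice — confirm before relying on it for authorization.
            System.Security.Claims.Claim? userIdClaim = principal.Claims.FirstOrDefault(
                claim => string.Equals(claim.Type, "preferred_username", StringComparison.Ordinal));
            if (userIdClaim is null)
            {
                throw new InvalidOperationException("Identity token from Azure AD does not contain an expected claim 'preferred_username'.");
            }

            // Never fall back to an empty signing key: a token signed with "" would be
            // forgeable by anyone. Missing configuration is a hard error.
            string? signingKey = Environment.GetEnvironmentVariable(jwtSettings.SecretKeyName);
            if (string.IsNullOrEmpty(signingKey))
            {
                throw new InvalidOperationException($"Environment variable '{jwtSettings.SecretKeyName}' holding the access-token signing key is not set.");
            }

            // HERE I HAVE ALL I NEED TO GENERATE AN ACCESS TOKEN
            // BUT THIS IS THE WRONG PLACE (the generated token is not stored anywhere yet).
            string jwt = MyTokenRules.GenerateJwt(
                userId: userIdClaim.Value,
                issuer: jwtSettings.Issuer,
                audience: jwtSettings.Audience,
                key: signingKey,
                duration: TimeSpan.FromMinutes(accessTokenLifetimeMinutes));
        }

        return Task.CompletedTask;
    };
});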
Where do I "exchange" the ID token for my own self-signed access token, which will live in the browser (probably in a cookie)? I say "exchange" because some information from the ID token will need to be carried over into the access token, such as the "preferred_username" claim, which will become the "sub" claim in the access token.