active-directory-dotnet-webapi-manual-jwt-validation | manually process a JWT access token | Authentication library

by Azure-Samples | C# | Version: ADAL_final | License: MIT

kandi X-RAY | active-directory-dotnet-webapi-manual-jwt-validation Summary

active-directory-dotnet-webapi-manual-jwt-validation is a C# library typically used in Security, Authentication, Swagger applications. active-directory-dotnet-webapi-manual-jwt-validation has no bugs, it has no vulnerabilities, it has a Permissive License and it has low support. You can download it from GitHub.

A Web API that accepts a bearer token as proof of authentication is secured by validating the tokens it receives from callers. When a developer generates skeleton Web API code using Visual Studio, token validation libraries and code to carry out basic token validation are automatically generated for the project. An example of the generated code using the ASP.NET security middleware and Microsoft Identity Model Extension for .NET to validate tokens is provided below.

            kandi-support Support

              active-directory-dotnet-webapi-manual-jwt-validation has a low active ecosystem.
              It has 99 star(s) with 59 fork(s). There are 56 watchers for this library.
              It had no major release in the last 12 months.
              There are 0 open issues and 22 have been closed. On average issues are closed in 401 days. There are no pull requests.
              It has a neutral sentiment in the developer community.
              The latest version of active-directory-dotnet-webapi-manual-jwt-validation is ADAL_final

            kandi-Quality Quality

              active-directory-dotnet-webapi-manual-jwt-validation has 0 bugs and 0 code smells.

            kandi-Security Security

              active-directory-dotnet-webapi-manual-jwt-validation has no vulnerabilities reported, and its dependent libraries have no vulnerabilities reported.
              active-directory-dotnet-webapi-manual-jwt-validation code analysis shows 0 unresolved vulnerabilities.
              There are 0 security hotspots that need review.

            kandi-License License

              active-directory-dotnet-webapi-manual-jwt-validation is licensed under the MIT License. This license is Permissive.
              Permissive licenses have the least restrictions, and you can use them in most projects.

            kandi-Reuse Reuse

              active-directory-dotnet-webapi-manual-jwt-validation releases are available to install and integrate.
              Installation instructions are not available. Examples and code snippets are available.

            Community Discussions

            QUESTION

            validating the issuer - token has issuer https://login.microsoftonline.com/Xv2.0 but sample implies I should validate using https://sts.windows.net/X
            Asked 2019-Apr-25 at 09:03

            I'm trying to follow the example validation code in https://azure.microsoft.com/en-us/resources/samples/active-directory-dotnet-webapi-manual-jwt-validation/

            (REALLY the code in https://github.com/Azure-Samples/active-directory-dotnet-webapi-manual-jwt-validation/blob/master/TodoListService-ManualJwt/Global.asax.cs#L136)

            I then attempt to validate using:

            ...

            ANSWER

            Answered 2019-Apr-25 at 02:48

            The sample you're currently looking at is a little old and explains things with the Azure AD v1.0 endpoint as reference. The issuer value you are seeing in the token is correct, because you have acquired that token from the Azure AD v2.0 endpoint. The OpenID discovery document URL you're using to find the valid issuer is not correct. More explanation in further sections.

            I should also briefly mention that in most cases, explicitly validating the token manually like the sample you're following explains is a bit of heavy lifting which isn't really needed. I don't want to stray off from your original question, hence I'm just keeping some pointers on this part at the end of my answer, but do take a look to see if it makes sense for your case.

            More details on Access Tokens acquired from Azure AD v1.0 and v2.0 endpoints

            Please look at this Microsoft Documentation - Access Tokens Reference - Sample Tokens

            Source https://stackoverflow.com/questions/55840510

            QUESTION

            Integrating applications with Azure Active Directory: revalidate Id_token to check if user already logged out
            Asked 2018-Jul-12 at 23:29

            Currently, I am using this library from Microsoft to integrate my application with Azure AD:

            ...

            ANSWER

            Answered 2018-Jul-12 at 23:29

            ID tokens are considered valid until their expiry. Usually, a web application matches a user’s session lifetime in the application to the lifetime of the ID token issued for the user. You can adjust the lifetime of an ID token to control how often the web application expires the application session, and how often it requires the user to be reauthenticated with Azure AD (either silently or interactively).

            Access Token Lifetime policy controls how long access and ID tokens for this resource are considered valid. Reducing the Access Token Lifetime property mitigates the risk of an access token or ID token being used by a malicious actor for an extended period of time. (These tokens cannot be revoked.) The trade-off is that performance is adversely affected, because the tokens have to be replaced more often.

            To create the policy, run this command:

            PowerShell

            Source https://stackoverflow.com/questions/50794830

            QUESTION

            Validating B2C JWT tokens in Asp.Net Core Web Api
            Asked 2017-Apr-14 at 19:31

            I am using B2C to protect a WebApi in Asp.Net Core. My code is below. Do I need to validate the tokens or is the middleware doing it for me? I would think if everyone had to do this, it'd be easier for me to find some sample code, but I can't seem to get any real direction on this.

            Yet, this B2C documentation states that my API does the validation.

            I found a sample but it's not for Core and they're using CertificateValidator = X509CertificateValidator.None. Doesn't that defeat the purpose? And another sample here where they are doing it.

            Don't I have to have the signing key from B2C and all that?

            I can cobble together a solution from those, but do I actually need to do this?

            Thanks in advance.

            ...

            ANSWER

            Answered 2017-Apr-14 at 19:31

            Do I need to validate the tokens or is the middleware doing it for me?

            The JWT bearer middleware does it for you (by default, it will automatically reject unsigned or counterfeit tokens, so you don't need to explicitly set RequireSignedTokens to true).

            Doesn't that defeat the purpose?

            There's a difference between validating a signature using a public asymmetric key (e.g. RSA or ECDSA) embedded in a certificate and validating the certificate itself (and especially its chain). Signature validation is fully supported in ASP.NET Core, but certificate validation is not supported yet.

            Don't I have to have the signing key from B2C and all that?

            The JWT bearer middleware automatically retrieves it from B2C's discovery endpoint, so there's no need to do that manually. For more information, don't hesitate to read the OIDC discovery specification: https://openid.net/specs/openid-connect-discovery-1_0.html

            Source https://stackoverflow.com/questions/43417803

            Community Discussions, Code Snippets contain sources that include Stack Exchange Network

            Vulnerabilities

            No vulnerabilities reported

            Install active-directory-dotnet-webapi-manual-jwt-validation

            You can download it from GitHub.

            Support

            If you are using this sample with an Azure AD B2C custom policy, you might want to read #22, and change step 3. in the About The Code paragraph.
            CLONE
          • HTTPS

            https://github.com/Azure-Samples/active-directory-dotnet-webapi-manual-jwt-validation.git

          • CLI

            gh repo clone Azure-Samples/active-directory-dotnet-webapi-manual-jwt-validation

          • sshUrl

            git@github.com:Azure-Samples/active-directory-dotnet-webapi-manual-jwt-validation.git
